I was asked this question while sitting on a panel at RSA, and I think the answer depends on your perspective. I’ll answer this from a security industry perspective.

If nothing else, you have to credit PCI with forcing the issue. Security among retail enterprises was generally limited to loss prevention and physical security until recently. Information security usually existed as a small and buried team within the Information Technology group, and did not have board level attention. If someone at the board was savvy enough to realize that security reporting to IT is an example of the fox guarding the hen house, then maybe they moved security into Internal Audit.

Now we are seeing a massive amount of development in security and compliance programs. Where companies had a staff of two or three to handle this, they now have large, global teams to deal with this. PCI forced the issue, then higher ups started asking questions about HIPAA, GLBA, and others.

Security teams now report into the office of the CFO, or Legal, and in many cases have their own seat on the board. Budgets are opening up, and money is being spent. Without fail, more issues are found while every stone is turned over to see what bugs lie beneath.

Poetic, don’t you think?

The next test is to see if the strategy component has been handled such that you can sustain the support to the organization, and avoid bureaucratic bloat. PCI can’t get you there, only good old security process will.

This post originally appeared on BrandenWilliams.com.