Don't be confused. Just because you have checked off all the boxes or answered "yes" to an online assessment questionnaire for PCI or SOX, it doesn't mean that you can hang your hat up.
You can be compliant to a regulation but still lack mature controls, policies and processes to protect your data. Compliance and security support each other. But it's risk management that helps define when and how each is fulfilled. Many companies over-emphasize compliance, without making sure the compliant environment is actually secure. For example, both Hannaford Brothers and TJX were PCI DSS compliant, but were not secure.
The good practice to meet your regulatory requirements along with a risk management program. Doing risk assessment and mitigation is also not a one-time deal. It's got to become standard practice, done multiple times a year. Also, consider technology and services that integrate risk management with compliance processes. Work towards maturing security policies. Enable them to be implemented, instead of having everyone wrapped up in preparation for the next compliance assessment.
It's tempting to argue that compliance is the only thing that gets priority when budgets are tightly controlled. But the role of good management is to meet compliance requirements and also strengthen security on the ground. Again, what may be compliant may not be secure - don't fall into that trap.