I think he hits the nail on the head and together with the article I linked to in my previous post, this is the future of Information Security.
I believe the take-away quote is this:
"However, compliance is not a technology problem — it’s a business problem which needs a business solution. By instituting sustainable business processes that effectively leverage people and technology, enterprises will become not just more secure but also compliant with current and emerging regulations."
I think that everyone involved in Information Security should read that, understand it and learn it off by heart. And then practice it.
Once we can define a process and what information is used in it, who does it and when it happens - bingo - we can secure the process from start to finish. Most companies I have worked in (and I have worked in plenty) have no formal process design and so would not be able to properly enforce Information Security.