Explore the intricacies of security program management in this 44-minute conference talk from AIDE 2016. Delve into the world of Governance, Risk, and Compliance (GRC) with a focus on the Payment Card Industry Data Security Standard (PCI DSS). Learn why blaming checklists for security program failures is misguided and gain insights into effective implementation strategies. Examine the realities of security frameworks, standards, and information supplements. Discover valuable lessons on avoiding common pitfalls and misconceptions in security program development. Engage with thought-provoking questions that challenge conventional wisdom in the field of cybersecurity.