Tripwire: Achieving a state of regulatory compliance and reducing vulnerability risks to the organization are not the necessarily the same thing as managing your organization’s attack surface, but those two endeavors certainly provide some achievable goals that materially reduce the overall risk profile.
While mitigating all possible vectors for preventing all attacks is of course unachievable, there are numerous efforts an organization can make to reduce the probability of being targeted by raising the threshold for network penetration to a level that it becomes a more daunting task for the assailants.