Achieving a state of regulatory compliance and reducing vulnerability risks to the organization are not the necessarily the same thing as managing your organisations attack surface, but those two endeavors certainly provide some achievable goals that materially reduce the overall risk profile.
