As OCR promises more fines, two CIOs offer tips on risk assessments
It's "a lot nerdier, but that's what's really going to make all the difference in the long-run," he said. "We're focusing on the roadmap of compliance."
Enforcement is now a "fact of life," said Rodriguez. "It is having a beneficial effect on compliance." As such, "The number of monetary enforcement cases will continue to grow."
Still, he said, "We are not missing opportunities to get out and educate the industry."
OCR is cognizant that "bad things will happen, breaches will happen," he said.
That's why, "You will not hear me, except in quotations, use the phrase the Wall of Shame," said Rodriguez, referring to OCR's infamous list of large-scale breaches.
Shaming "is not the purpose of the breach notification program," he said. Fostering a culture of privacy and security is. "At the end of the day it comes down to leadership: Owning compliance issues and doing so consistently."
In other words: Don't do risk assessments. Assess risk.