I recently watched a webinar with a panel of very smart people discussing the "battle" between security and compliance. One of the main points was the struggle teams have justifying additional control investments beyond the compliance checklist. Justifying security is a challenge, but the answer is straightforward. I outlined an approach in the Security Spending post. However, I didn't focus specifically on the security vs. compliance topic.
An approach that's worked for me is to articulate the concept of mandatory vs. discretionary security spending to decision makers. Obviously the CISO is accountable for defining a compliant control environment. Everything else is optional. The CISO's job is to facilitate the right level of investment with business owners. When risks and control costs are well articulated, I'll sleep well at night no matter the decision.
Here's a visual you may find useful (it's an updated view from the security strategy template):
To really bring home the message, try organizing your team budget into the three buckets:
Compliance: the minimum level
Due Care: a security program that a jury with expert witnesses would agree is appropriate. If the legal approach doesn't resonate, try Security Investments or another term indicating you really should invest here to reduce risk or improve efficiency.
Business Drivers: my old CISO called this Business Enablement. Spending to assist the business in making informed decisions and reducing risk in a revenue-generating initiative, e.g., internal consulting services, line-of-business security risk assessments, new controls or services due to M&A, new projects, etc.
I know teams executing on the above, whether or not they use our tools to make it easier.
Another thread on the panel was the concept that an ROI is required to justify security. In my experience, if a CFO demands an ROI calculation, you're not presenting your risk posture effectively. There are lots of posts here on that topic, but let me know if you have specific questions.
So please don't frame spending prioritization as compliance vs. security. It's an incorrect approach and makes your job harder than it needs to be. And hey, if you're shot down on every spending request outside of compliance, at least that's good evidence to increase spending in your response capability.