Security or Compliance? Business risk should guide you.

Security professionals sometimes debate whether security or compliance should be the focus of the overall security program. I think it should be both, but maybe not 100% of either. Let me explain...

I've been in organizations where compliance was the focus. The Payment Card Industry Data Security Standard (PCI DSS), for example, was the focus at a company I worked for many years ago. After we put that program in place, security never took a front seat. We were able to implement additional security controls that reduced risk (or addressed issues that surfaced), but it was difficult to get very proactive.

Performing an annual risk assessment, and then keeping continual risk management in mind through the year, helps keep the important compliance and/or security controls in front of management. If management knows, they can decide which risk they want to accept and which they want to fix.

Where do you focus with your program? Security, compliance, both, or none? I would love to get your feedback and perspective.