I've noticed a trend recently where compliance is being vilified for taking focus and priority away from Information Security for managers and executives. These decision makers see C-level executives with personal criminal liability outlined clearly in the 2002 United States Sarbanes-Oxley Act, and suddenly complying with the regulations becomes very important.

So the question of the poll is: does compliance (with any regulatory or industry standard) take precedence over _actual_ information security, or does compliance actually drive a broader understanding and support of security in your organization?