Security is a tactical, real-world cybersecurity, risk-reduction mentality. Compliance is an auditing, paperwork, checklist mentality. Security is figuring out which patches to apply and when, then applying those critical patches. Compliance doesn’t allow a lot of room for outside-the-box thinking or stronger, better security. Social engineering and phishing are responsible for 70% to 90% of all malicious compromises, yet you would be hard-pressed to find more than a sentence about security awareness training in any of the regulatory guides.
Source: https://www.csoonline.com/article/3398698/5-ways-compliance-hurts-security.html

