Make no mistake: more regulatory compliance is coming (ie ISO27001, NERC 5). As more compliancy regimes come into existence, with more aggressive targets and tactics (ie fines are starting to be implemented), it is becoming more costly for organizations to fail an audit/be considered non-compliant.
Security and risk management systems are becoming Board-level discussions while government and industry regulations are also requiring better risk monitoring and controls.