Survey: Regulatory compliance drives IT security

04.11.2005

Often, technologies that need to be implemented anyway are being described as compliance-related to get executive buy-in, Hession said. "It's not like all of a sudden there's a whole bunch of products that I need to implement because of compliance," he said.

Bellevue, Wash.-based Charter Bank has implemented several new security technologies over the past few years as part of a continuing bid to secure its networks against emerging threats, said Tom Robertson, senior vice president of IT at the bank. While the investments allow the bank to comply with regulations, that has not been the primary driver, he said.

He agreed with Hession. "Many [firms] are using the regulatory hammer to get executive buy-in" for security investments, Robertson said.

In a sense, regulatory compliance is increasingly being wielded by information security organizations in the same way companies used the Y2K crisis to justify IT spending, said John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc. As a result, investments that are earmarked as compliance-related "are often being used to buy the same things that were bought before," he said.

The two areas where compliance-related efforts have resulted in increased spending are security event management tools, and identity management and password management technologies, he said. "But in general, the increased investments in these areas come at the expense of spending in other areas," he said.