If your organization meets the requirements of HIPAA, PCI DSS, SOC 2, or any other standard, being compliant does not mean you are secure. In fact, many compliant organizations are among the least secure. Some executives, understandably, believe that meeting a standard indicates that the organization’s network is secure. One does not guarantee the other.
Being compliant: might help you if you get sued after a breach.
Being secure: you may not have a breach at all.
Do both, but choose which one to do first.
If your customers or prospects want you to be compliant in order to do business with you, then compliance probably needs to be top priority. Otherwise, make your systems secure first.