Such a tough spot to be in. Reality is, you're not going to have a lot of luck presenting a come-to-Jesus moment with a CISO who doesn't support a robust program. More than likely, this person will just vomit out the old "Our organization's security culture is just so great" nonsense, because people tell them, as the CISO, that they care about security lol.
Potential solution: Go around them. GRC leads are often big advocates for development and advocacy.
Additionally, make a case to the relevant SOC leaders where you can reduce alert flows (DLP, IAM, EDR, Insider, CTIC). Make a business case for how security behaviors are causing unnecessary alerts in the SOC, and the recognition and value-add perception will flow.