@gaysteve @donaldball @calamari
Counterpoint: compliance auditors are usually more interested in ticked boxes than meaningful security measures, and we must give them what they want. Every organization has a limited amount of time, staff, and resources. After two SOC2 Type 2 audits we have spent more time adjusting our existing infrastructure to document compliance than doing the very real, time-consuming work of increasing our monitoring/logging capability, and eliminating "edge cases".