@hal_pomeranz I worked at a company whose products are security dashboard & ticketing tools, mostly around release management.

We had little view into the security of our own infrastructure.

We had DevSecOps teams, a CISO, every ISO and related certification that existed, regular audits. Every trend and buzzword.

We still lied to our customers about data access, literally violating contracts and international sanctions. I imagine the entire industry is this way.