What's the most underrated cybersecurity control right now?

I might go with access reviews.

It's one of those controls that feels boring until you find an account that should've been removed six months ago.

reddit.com
u/Moham-Aasif — 5 hours ago

What's the most overrated cybersecurity control right now?

Not "bad."

Just something that gets a lot more attention and budget than the actual risk reduction it provides.

Interested to hear answers from people working in security operations, GRC, cloud security, and engineering.

I have a feeling this could get controversial.

u/Moham-Aasif — 7 days ago
▲ 3 r/gdpr

Is anyone else seeing a lot more scrutiny around data retention lately?

For years, most organizations seemed focused on collecting data securely. Now it feels like the bigger question is whether that data should still be there at all.

I've been involved in a few privacy reviews recently, and retention schedules, deletion processes, and "why are we keeping this?" conversations seem to come up constantly.

The challenge is that businesses want data for analytics, support, and product improvements, while privacy teams are pushing for minimization and deletion.

For those working with GDPR, are regulators, auditors, or customers paying more attention to retention practices than they did a few years ago?

How are you balancing business needs with data minimization requirements?

u/Moham-Aasif — 7 days ago
▲ 8 r/grc

Anyone else feel like identity and access management is becoming the main event in SOC 2 audits?

In a lot of the audits and customer reviews I've seen recently, the discussion seems to spend way more time on access controls than before.

It's not just "Do you have MFA?" anymore.

The questions are getting into privileged accounts, access reviews, service accounts, joiner/mover/leaver processes, admin access, and how quickly access gets removed when someone leaves.

I've even had customers ask more detailed questions about Zero Trust than some auditors.

Maybe this is a reaction to all the breaches we've seen over the last few years where compromised credentials were the starting point.

For those who have gone through SOC 2 recently, are you seeing the same thing?

What's getting the most scrutiny for you: MFA, PAM, access reviews, or identity governance?

u/Moham-Aasif — 7 days ago
▲ 10 r/soc2

Is it just me or are enterprise customers asking for both SOC 2 and ISO 27001 more than ever now?

A few years back, getting a SOC 2 felt like a big milestone for most SaaS companies. Now whenever I see a vendor assessment or security review, SOC 2 seems to be just the starting point.

The conversation often goes something like:

"Okay, you have SOC 2."

Then the next question is:

"Do you also have ISO 27001?"

I'm genuinely curious if others are seeing the same thing.

For people on the buyer side, does having both actually give you more confidence in a vendor? Or is it more of a procurement requirement these days?

And for founders/security teams, has anyone here decided to go for ISO 27001 mainly because customers kept asking for it after SOC 2?

Feels like the bar has quietly shifted over the last couple of years, and I'm wondering if that's happening everywhere or just in the companies I'm speaking with.

u/Moham-Aasif — 14 days ago
▲ 0 r/soc2

Name a compliance myth you have heard. I will bust it.

I will start:

Myth: "SOC 2 takes 18 months minimum."
Reality: SOC 2 Type I can be completed in 10–14 weeks for a well-prepared company.

Myth: "You need a dedicated security team before you can start SOC 2."
Reality: A single internal owner with 20–30% of their time is enough at an early stage.

Myth: "SOC 2 is only for US companies."
Reality: Any company selling to US enterprise buyers needs it — regardless of where they are based.

Now your turn.

What compliance myth have you heard from a consultant, a forum, a competitor, or anywhere else?

Comment below and I will respond with reality.

u/Moham-Aasif — 15 days ago
▲ 3 r/grc

Startups are being asked for SOC 2 earlier than ever, but most teams are still figuring things out as they go. A lot of effort goes into passing the audit, but not always into actually improving security.

u/Moham-Aasif — 2 months ago
▲ 6 r/soc2

SOC 2 pricing seems pretty high for small teams. How are startups generally dealing with this? Any practical ways to keep costs down?

u/Moham-Aasif — 2 months ago
▲ 13 r/soc2

I saw a meme online saying SOC 2 is a report, and I know that’s true, but why do I keep hearing people say, “SOC 2 certificate”?

u/Moham-Aasif — 2 months ago
▲ 1 r/soc2

At what stage did compliance start becoming important for your team, early on or only when customers started asking for it?

u/Moham-Aasif — 2 months ago