That’s the thing. There’s a ton of grifters and/or idiots in the compliance space. If you talk to an actual lawyer that specializes in SOX litigation, or similar, you’ll find that many of the measures your compliance or fake-infosec people are telling you that you have to do aren’t actually required by any law or regulation.
What companies paid a big enough fine to have an unprofitable year? Which executives are sitting in prison?
These things only exist in theory, not practice.
I’ll give you endless reams of pointless box checking exercises in the name of auditing and compliance.