
Does Non-Compliance in Tech Really Matter?
The author mentions having heard many senior technical leaders say that compliance automation tools, or meeting security compliance requirements, can be painful when they require significant technological changes. One CTO described having to implement a security vulnerability tool that generated a lot of noise because of the number of non-critical alerts, and others mentioned having to make significant changes at the platform and infrastructure level. The author notes that frameworks like SOC 2, ISO 27001, etc., are more process-oriented and should not require much technological downtime, yet a figure of 20 hours per week was quoted for ensuring the compliance of their technology.