by ComodoHacker 1920 days ago
OK, but can we do better? Is there a better way to assess supply chain security risks than these questionnaires?
3 comments

No doubt. We're sure there will be better ways, and we'd like to help in getting there. Rather than die on that battlefield before we've built something meaningful, we're working to help at least solve the immediate need that companies face. We're fans of refactoring rather than blowing up and replacing right off the bat, with the thinking that it'll be a lot easier to change things from a position of relevance and experience. Personally, I'd love to move to a more protocol-based approach that has verification behind it.
This is actually what we're trying to build towards :) Our first products rely on the policies that companies put together themselves, but we're building towards tools that they could use to show more convincingly that information written in policies is actually put into practice.
That's what certifications are supposed to be used for (PCI, SOC2, ISO27001). But even if your company has them, some businesses want you to fill in these horrendous questionnaires.
Yep. Having them now gets you a seat at the table, but (usually) does not get you out of the questionnaire entirely.