You should probably point out that you're the head of a compliance-focused company.
Your previous 2 comments seem to be drawing a very strange dichotomy where the only options for "security" are "capture all traffic" and "compliance". I'm not even sure where to begin in responding to that, because it's so far beyond any facts you provided in either update.
Neither compliance nor traffic capture is "security". Capturing and analyzing traffic can be a facet of a security stance, and structured compliance frameworks can provide structure and goalposts for measuring your security stance, but there's a near-infinite range of other factors at play here.
I'm not sure I understand what you're saying. Capture all the things is exactly what security professionals are asking for as the most reasonable approach to securing sensitive data.
Other security researchers have gone so far as suggesting Penetration Testing and Risk Assessment are the most reasonable approaches to providing security for sensitive data.
Option 1. Collect all the things.
Option 2. Just do good hygiene.
Aside from these two options, what else is available to provide a most reasonable approach to protecting our customer's sensitive data?
EDIT: I'm the head of a compliance agency.