We’re a small B2B SaaS team (<20 people) and starting to feel pressure from customers to get SOC 2. I get the trust and security benefits, but internally this has become a huge source of anxiety.
Everyone keeps throwing around “12 months” like it’s inevitable, which feels… brutal for a lean startup that’s already stretched thin. We’re pretty disciplined on security basics, but the timeline feels vague and hard to plan around.
Is a year really the norm, or can a small team move faster if we’re focused and structured? Am I being unrealistic pushing for a quicker path, or is the long timeline mostly process overhead?