I would repeat user Aaronstotle's comment that smaller teams are likely not the right audience for these levels of compliance.
When it does become a concern, I think this post [0] put out by Latacora (no affiliation) is a great starting guide, although it is bent towards SOC 2 compliance. All of the items they mention are concrete wins for the business from a compliance/security perspective. The process of implementing just a few can help you better realize if your business is going to be able to muster the time and effort needed to continually work towards these standards, or if the business value isn't there yet.
Doesn't Google already have a web based, but internal only, IDE? I don't know if that'd be easy to make external, but my understanding is that they've got a lot of internal users on it.
Yeah, and Cider was getting surprisingly good at the point I left Google (I was initially a skeptic). But so much of what made it good came from its tight integration with other internal tooling. I'd be surprised if it's ever externalized in a form that captures most of that value.
[0] https://latacora.micro.blog/2020/03/12/the-soc-starting.html