We’re also certified for similar reasons. It did bring information security more into the focus of upper management, so that’s a plus. I found the time for backup encryption, getting rid of outdated servers (fuck Arch Linux, really), and everyone now has a monitored laptop and got an info sec training.
You could have organized your processes around ArchLinux instead of battling it, really. A living, dynamically developed piece of software will benefit a lot from ArchLinux rolling releases.
Once your software becomes an ossified cash cow, moving it to RedHat makes more sense.
I'm sure that someone with enough knowledge of Arch Linux could have set it up properly, but I inherited multiple servers with three different distros (and the Ubuntu ones were on different versions). One of these was Arch Linux. It hadn't been updated in a long time, and the update simply failed. Once I got past that, it was going to break something (can't remember, but most likely the Python version). A little while later, it couldn't update anymore, because some file or package was no longer accessible. With Ubuntu (or Debian), you can at least install a new version even if some intermediate release is no longer downloadable. It's been a headache without any benefits from my point of view. By all means, run it on your personal servers, but it's an operational risk for an organization.