
I just went through a "risk triage", as they called it, for a client, and while the client is more focused on being able to work AT ALL, the risk triage is solely focused on the monetary damage of losing IP and data.

Two things:

1. Security to some extent doesn't always need to impede engineering. Enterprise IT security is very much focused on removing risky behaviour, without providing any alternatives.

2. The cost to the business of losing IP it cannot generate due to excessive security practices should be taken into account when doing these exercises.

I'd argue that the security part of this organization has gone "rogue" and is solely focused on justifying its own existence. It's as if the security part is more focused on reducing liability for itself than it is on actually securing systems.

That said, I still think that most organizations put too little emphasis on security, not too much. And oftentimes, too late.

EDIT: an analogy I like to use is that oftentimes these people try to build a castle surrounded by massive walls without doors or gates, but since people inside still have to get things from the outside they just dig a tunnel circumventing the whole thing. But since it wasn't approved there is no liability problem for the security part of the org.
