
We don’t fail to realize that.

Security folks are humans too.

We realize that every human loves convenience and security removes conveniences. Simple As.

No matter what we do as security folks, the users will do everything possible to return to their convenience or complain about the inconvenience until the security is removed.

I’m not saying there aren’t overzealous security folk, but our goal isn’t to make humans' lives harder. We want to make it harder for the bad guys to ruin humans' lives.



> human loves convenience

Except that it's not a matter of 'convenience', it's a matter of being able to do their jobs. Security is a hard job, in part because you have to come up with security practices that are actually workable, and keep work impediments to a minimum. It's really easy to just add more restrictions. It's hard to add security that doesn't impede the users. When I see 'defense in depth' being invoked to justify massive work impediments for minimal security improvements, I don't see effective security practices - I see a cargo cult.


No, your objective is to make the organization lose the least money possible by reducing the incident rate, the recovery rate, or the impact. If you damage the org more than the risk you are saving against, you are a liability. This isn't a good vs. bad thing; this is deciding when the line is worth crossing, and this article says, at least in their opinion, this one isn't. You still have multiple other layers.



