[alephnerd]

You don't need professional services all the time, assuming you make sure to hire a large enough team of SMEs of your own, but a lot organization simply view tech as a cost center and try to spend almost nothing on it. That is the kind of issue City of Oakland faces (for everything btw - for example, starting salary for teachers in OUSD is $50k compared to $70-80k in the rest of the Bay Area). Also City of Oakland does 100% engage with Microsoft PS, but they don't have the requisite staff and budget to finish building out best practices.

[taeric]

I clearly don't know all the specifics of their case. Such that, if you have closer information, I am not trying to gaslight you on what you know.

I am concerned with "best practices" in our industry, though. Too many of them are not geared to wide adherence and have fantastically bad failure cases.

[alephnerd]

All good mate! There are some specifics I don't (and don't think I can) get into, but big picture, a lot of the core best practices in configuration management and security do work, the issue is whether you are able to hire people who can actually implement and understand WHY those practices are in place and how to iterate if said practices don't work. Most organizations across the globe have barely gotten a handle of ACLs and Security Groups, but evangelizing best practices for Endpoint Security, Cloud Security, OT Security, etc will take another 10-20 years simply because of inertia and the common sentiment that IT is a cost center.

Random think tanks doing thought leadership on CNN or at Brookings will jack themselves off to the notion of "online warfare" and whatnot, but those guys can barely type, let alone write cohesive policy.

I've been on both sides of this - both in the policy making world and in the private sector tech world - and cases like Oakland keep happening in a daily basis everywhere and will keep happening forever.