by andersonmvd
914 days ago
The goal of cybersecurity should be to align cybersecurity with existing processes, but minimizing friction. What the author experienced seems to be a high-friction security program, which is the result of a suboptimal cybersecurity program. This is unfortunately the reality in many companies because cybersecurity is implemented as a subset of a high-level information security framework without qualified people to connect the high- and low-level requirements. In the past, security departments were the "firewall gatekeepers", choosing who to allow or deny access. They started to change over time from gatekeepers to supporting the business, but this transition is not complete, as we know from experience. The CISO also has the dilemma of having to support the business but will also be held accountable for any hack, which increases the tension between reducing friction and increasing friction (and increasing control). This is not an easy problem to fix, but I particularly think it's very productive to see posts like this so we can bring this topic to light and find the right balance. And for those interested in learning how to add security to their organizations with minimal friction (security by design, specifically), I'm creating some webinars (free on YouTube) here: https://devops.security/webinars.html