[arghwhat]

This is the case for most orgs with corp IT. Their KPIs are around security, which often manifests itself as a game of "how many security products can one run in parallel". Crapware like Cisco Secure Endpoint (not to mention Umbrella), Thycotic, Netskope, and whatever else is the current cool way for a corp to MITM itself and introduce kernel vulnerabilities.

This in turn puts departments at odds, as their argument for speed is turned into an argument against security, which is a very hard position to be in if your department is a few layers down the corp stack.

[Cort3z]

I don’t understand. How does speed implies inverse security, even with corporate blinders on? Let’s say the add all the bloatware in the world, how would a slower developmental speed compromise the security? That their ability to push code goes up and their potential for bugs increase?

[arghwhat]

Security solutions impact speed, rendering reasonable and performant machines borderline useless. There is no implication that working fast is bad for security.

[akdjidensb]

We should be clear that it isn't ALL of corporate IT that is on board with this, or probably even the majority. Its the windows sysadmins that have to deal with non-technical end users, and are constantly being hounded about trivial shit like people clicking on phishing emails and that sort of thing. In fairness to the windows people, you probably wouldn't believe just how awful the majority of workers are with computers. So it's understandable why windows sysadmins become hyper paranoid and irrational in a lot of cases. The low pay doesn't help either. Windows sysadmin is usually a lower tier job within IT and is the most likely to suffer cost cutting and be forced to "outsource" security work to a pile of rotten security software. It's also entry level, and so sometimes they are only marginally better with computers than their end users.

Ideally, most programmers should be in IT or have some kind of alignment with IT and able to give some pushback about this during CAB for instance, and/or get some exceptions but that is increasingly difficult the more 'agile' an organization becomes and the more it seeks to silo infrastructure people from application people. A good IT department imo is one that doesn't do this and retains a more traditional culture where programmers are part of IT and able to actually influence the technical direction of the company, not just be treated like a product factory for business units.

Just from personal experience working as a programmer on the infrastructure side...complaining about windows sysadmins was the favorite past time of probably the majority of higher tier IT employees. It makes our jobs incredibly difficult for the same reason it makes application developers jobs difficult.

[arghwhat]

Problem is that most corps in my experience are run by such windows sysadmins, and when you're a subsidiary or two away from the IT department it doesn't matter whether you're all greybeards - you don't have authority. Best you can do is manage to fly under the radar.

On the other hand, you'd be surprised by just how many career programmers are completely inept at sysadmin work and have no sense for security (nothing like CI pipelines using personal credentials and committing keys into public repos), so just letting all programmers do whatever isn't a great policy either...