Security is important


Security is important. But some companies take it too far.

“We can’t because of security” is often used to block reasonable requests.

Examples:
You can’t install apps.
You can’t have a laptop.
You can’t work from home.
You must use this slow VM.
You can’t bring your phone to work.
You need approval to install a package.
You must change your password every 5 days.
Your session times out after 1 minute of inactivity.

Why? "Security reasons."

Security is important. So it feels like we can’t argue with these things. But in most cases, these policies are overkill.

The risk: Some security teams take their job too far, which makes it hard for people to do their job.

The solution: Remember, security is a spectrum. It involves tradeoffs.

Ask:
Have we taken this too far?
What are the costs of this policy?
Do the benefits outweigh the downsides?
