
compiler-guy, today at 3:30 PM (5 replies)

I have seen this phenomenon especially at a couple of FAANGs over the past couple of years. Things are getting locked down so much, and so many special permissions are required that now people ask for permissions to systems or procedures preemptively. Because by the time they know if they will need it or not, it's too late.

And no one in the security business seems to consider the overall burden of yet another step. Each of which is simple by itself, but cumulatively they are a giant hassle, and so people look for workarounds.


Replies

baby_souffle, today at 3:42 PM

> And no one in the security business seems to consider the overall burden of yet another step. Each of which is simple by itself, but cumulatively they are a giant hassle, and so people look for workarounds.

This is a tale as old as time. At a prior gig, IT took away Touch ID for ... $reasons. ~40% of the engineering team was already big into mechanical keyboards, so it only took one person to say "just FYI, VIA allows you to program macros". Is it _as bad_ as a password on a sticky note? Not quite, but I can't imagine that Touch ID was _more_ of a threat.

SAI_Peregrinus, today at 4:14 PM

I call this sort of thing a self-DoS. If the system is unusable enough, it's indistinguishable from a DoS attack. This sort of sabotage isn't restricted to the security team; anything that makes the system unreliable enough, from bad design through bad performance, can have the same effects as an external attack.

burningChrome, today at 5:44 PM

>> Things are getting locked down so much, and so many special permissions are required that now people ask for permissions to systems or procedures preemptively.

Currently dealing with this at our company. People were clamoring for access to various LLMs. They were slow to adopt, and since we're a huge MS client, we were granted limited licenses for Copilot. Then more people made waves about getting access, and they slow-walked a ton of licenses until a small portion finally had access.

Then came all the other non-MS apps that people wanted to plug Copilot into (such as Figma), and that was another round of frustrations with users here as they locked stuff down, then slowly relented.

The company is still struggling with giving access to AI tools and LLMs, since now the company is really lagging behind many other companies who are just running wide open with AI.

We're 100% dealing with what you're saying. EIS has been making people jump through so many hoops that every time they add an LLM, it's completely locked down to just the enterprise network, and people are getting really frustrated since so many of us are already well along using AI at home and elsewhere. Yet here, our day-to-day stuff using AI is an act of Congress to get access to the LLM and tools.

whynotmaybe, today at 3:47 PM

Not really new. A long time ago I had to wait 2 months to get access to a shared folder on a development server.

It became so prevalent that whenever we were planning anything, if a task had to be done by someone outside of our team, we added 20 days.

Security through eternity, I guess?

arcfour, today at 6:34 PM

> And no one in the security business seems to consider the overall burden of yet another step. Each of which is simple by itself, but cumulatively they are a giant hassle, and so people look for workarounds.

This is certainly not true. I personally consider how much friction things introduce for users, things like normalizing having to re-enter your password too much making phishing easier, and so on. It's well understood that you will get shadow IT, which is worse, if you make doing things the right way too difficult. I regularly advocate for streamlining processes and procedures, introducing more user-friendly systems, hosting office hours where the security team is available for any question or concern you have, making us more available to the company, etc.

What's the issue? Well, for one, there's a ton of incompetent people in the field, so they'll just do whatever to make themselves look like they're working. Two, most security departments are criminally understaffed, so even if you have competent people, they just have to put things together quickly and can't clean it up. Three, there are tons of idiotic regulatory and legal requirements that take forever to modernize. And finally, half of security is playing politics and arguing with the rest of the company, meaning that half the time the solutions you get are a slop of compromise with which nobody is happy.

TL;DR: we aren't psychopaths without empathy; we struggle for the same reasons you developers have tech debt and other things that suck even though you would prefer not to.