Comment by jeremyjh

2 days ago

There is very little incentive to actually do information security correctly - because hardly anyone can tell if you have - consequently there are very few people who try. It is all just theater to cover their asses, and they'll admit it under the right circumstances.

They don't want to change idiotic policies like this because it means they'd have to admit they've been dogmatically enforcing counter-productive policies for decades.

Hardly anyone can tell, until everyone can tell, because you have a breach.

It's similar to the idea that if you aren't doing restore drills you aren't really taking backups. But people rarely test their auth rules.

  • You could do everything correctly and still have a breach, so practitioners are quite fatalistic about it. The key is to diffuse decision-making responsibility so that it's not clear who can be fired.