Comment by mosura
8 hours ago
One notable example was signing keys for builds for distribution actually. And IT had a habit of handing them out to absolutely everyone. Being able to audit who did the signing was done in spite of IT who could, of course, never be persuaded of the merit of any process they don’t own.
But sure jump to more conclusions if you want.
I won't discount your IT can be bad, but also if you're keeping something as core to your security as signing keys somewhere your IT can't audit, you are just as bad. And your IT won't be the ones fired when your keys leak.
You are under the erroneous impression IT would be fired for leaking keys and not simply impose a new process that blames everyone else.
And this is in Fortune 500 of course.