Agree. Working for an ISP I have administrator-level access to nodes that are the
single point of failure link for dozens to tens of thousands of people in addition to numerous
OSS or
OAM provisioning automation / element management applications. I am
extremely cognizant of what I click on using the work machine and even the work phone - phishing e-mails are a near-weekly occurrence.
Security is a trade-off as well - too little and you invariably get hacked, too much and nothing gets done on time. Unfortunately the speed of business precludes
air-gapped networks for most functions - and those that exist tend to have USB ports a-plenty shuffling packets via sneakernet, often with mere seconds of added latency. There are however firewalls
everywhere in the typical enterprise network, such is the reality of
de-perimeterisation - endpoints are hardened, the data center itself is segmented, and devices at work locations are not treated as fully trusted by default.
There is an unfortunate
perfunctory aspect to IT security as well - short password reset intervals, password complexity requirements that all but guarantee people write them down on sticky notes posted to their monitors, guarding against
movie plot scenarios unlikely to happen in the real world, nix plans Because Reasons™ without offering viable alternatives - that do nothing, inhibit business operations, and can make the business less secure as users or even entire organizations work around security policy.
