
The real answer as pointed out in this document is simple - IT Security and Administrative policy in non-technology companies trends towards restriction and justification rather than permissiveness.

I work in a role that develops an air-gapped custom communications system; my title is engineer, and to that end I have broad cross-domain knowledge, including traditional system administration tasks. I have to go through special justification to get local admin to install software our company makes.

There appears to be a future that will prevent me from using a thumb drive to move our software and configurations from my work PC to our systems. When we ask IT for a solution, they tell us "use the approved file sharing mechanisms", which are basically limited to OneDrive. On top of all of that, per the written policy, we regularly violate written policy. For example, distributing software requires LOB executive permission, which in the context of our larger company would be CEO level, and this is just one glaring example.

IT is either clueless or doesn't care and no one outside of my LOB cares - or is aware - and nothing will change until security policy prevents a major project from delivering on time.



Have you considered not working in that role?

And I know that feeling. I had a job once where if you wanted to install a text editor, not only did you need permission, but someone from IT dept had to come to your desk and install it themselves. And this was at an ordinary mid-sized private company manufacturing nothing special.

All you can do is starve these companies of support, by leaving as soon as you discover such attitudes, and encourage any other devs there to do the same.


We as a group are considering work to rule.

But, no, because I otherwise love my job, also where would I go?


Implementing prohibitively tight security and mandating that any files are shared through a product with the security footprint of OneDrive is a crack-smoking-monkey level of insane.


From an IT security perspective, maybe that's insane.

From a job security perspective it makes a lot of sense.

That's the “Nobody ever gets fired for buying IBM” idea.


The most important part about OneDrive is it offers a CYA level of monitoring and control.

We're doing 'the cloud' wrong: rather than it being a way to leverage BYOD and easier access to information, we're going the opposite way.


> IT Security and Administrative policy in non-technology companies trends towards restriction and justification rather than permissiveness.

I work in a tech company and the IT department is like that. The worst part is that IT/security is separate from the operational branch, and they don't care if it impacts our projects. Even though we are the same company, it seems they only care about their own profits (we get billed). We probably would have better service going to competitors, but we can't (obviously). We lost contracts because of it.


I'm trying to explain to our IT that we need to match our customers' expectations on how to interface with them, not the other way around. That has so far either fallen on deaf ears or not made it to the correct person.

I have a ticket open about MX resolution failures on outbound email to a certain subset of customers. IT keeps blaming unspecified configuration errors on the customer side, not a misconfiguration in our infrastructure. If they gave me an RCA and told me what was wrong, I'd be happy to go to the customer and tell them what's wrong. They won't do that though, nor will they open a ticket with our vendor to resolve or investigate the issue on our end.


> I'm trying to explain to our IT that we need to match our customers' expectations on how to interface with them, not the other way around

That's exactly the problem.

Here is a personal anecdote.

Our customer wanted us to set up a development/test machine. Because the software had some real-time constraints, we had to use a CPU with enough physical cores and a customized Linux distribution, accessible through SSH with a remote desktop. It didn't need direct access to either our corporate network or the customer network. Essentially, what we needed was a computer with an internet connection and root access for at least one member of the team.

So we set up talks with the customer to decide on the various requirements. We forwarded them to our IT security department, and they essentially replied with "this is not a standard configuration, do it yourself". I ended up making the plan myself, had it checked by some guy at IT security who happened to be cooperative, and after a few back-and-forths on some details to make sure it was fine, I started to set up the server. At the same time, my manager made sure we had a spot to put the computer in the server room, all good. We essentially did it all by ourselves, and the customer was ok; I wouldn't say "happy", because all these exchanges with IT security took way too much time. All that was needed was for the IT guy to plug in the machine and configure the network.

Then it went downhill. They first stated that they couldn't let us have our own computers in the server room, only VMs. Not only was that completely inadequate due to the real-time requirements, but the price was absurdly high, like hundreds of euros a month. Plus, it was not what they had told us earlier.

So, we insisted. They then sent us someone who was probably an architect of some kind, who started to suggest some ridiculously complex architectures with a dedicated router, firewalls, etc., when all we really needed was an internet connection with no special privileges (something the customer had already agreed to). Not only would it have cost thousands just for the study, and who knows how much for the actual setup and maintenance, but it came with annoying restrictions.

In the end, we told the customer we couldn't do it, so they did it themselves and we did the dev and tests we had to do on the customer machine. Needless to say, the customer didn't really appreciate the whole affair, and we got dumped.

What we probably should have done, and I have seen it done many times, is get a regular consumer-grade DSL/fiber plan just to work around the IT department.



