Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

That hell wouldn't exist without the guys who like to endlessly and "dutifully" set up and rearrange security groups, IAM, ldap hierarchies, just in order to feel important I guess. Every company bigger than a dozen of employees has this type of guys and they are nightmare to work with; they vision is very often detached from the reality how the company works, but somehow they have the illusion that the policy existing mainly in their heads is more important than the real behaviours of people in the organization.


These guys are often hired to implement regulation or certification requirements and the organization, if its goal is to comply, has to change its behavior and processes.

Not saying your point is not true, I met guys who did it just because too. But it's not always malice or incompetence on their part.


My experience is that both of you are right: the security people implement important regulations, and they do so without ever looking at the business processes themselves. Then it's up to the targeted people to chase exceptions and recategorization and and and, which on one hand creates a friction which eats up lots of resources and time, and secondly pokes holes in that exact perfect structure it was supposed to create. And all this could be avoided if security worked hand in hand with business but no, security is all ivory towers and business is all "don't touch my rights". Aka, guaranteed constant conflict and frustration.


That’s because businesses goals are to make something work, and securities goals are to stop something from happening (or comply with a process with that goal in mind).

Hopefully not the same ‘thing’ being targeted of course, because then it will get really bad, but yes conflict is inevitable.


In my company, they made the entire company PCI-compliant (as opposed to a small team of beancounters).

This meant that the janitors had the same security responsibilities as the CFO.

It was ... invigorating.

The consultants that recommended it made a lot of money, though, so I guess it's all good.


Sorry for you experience. But it not always like this. Sane security guys always remember that they are there to support the business, not to slow down the development or to prevent useful information and assets from being accessed. So they are ready to accept compromises and are always trying to control the potential risks keeping the comfort of the colleagues in mind.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: