I wish computer security training included courses on avoiding or destroying the bureaucracy that seems to inevitably form around cybersecurity dogma.
COVID was a lightning rod and channeled a lot of technological advances through that would’ve been otherwise halted by the cyber hand wringers who seem to have infiltrated all approval processes.
I agree that it's unfortunate that security and bureaucracy go hand-in-hand. As security becomes more a priority, the annoying overhead grows with it.
However, I think this is just the nature of security. It's a cumbersome task. Think of any organization that security is very important to, especially where it is life and death. Military, government, criminal gangs, VIPs/executives. All have large bureaucracies to maintain and enforce security. I think the adversaries any of these groups face are so persistent and capable that the only answer is bureaucracy. Training the person can only go so far. Individuals alone are too susceptible to minor slips in operational security.
If a small company that isn't targeted by advanced persistent threats has such a bureaucracy, it's overkill.
There's a difference between defense in depth and bureaucracy.
One recent example I saw was prioritizing the re-evaluation of a system that is low impact and limited access over the remediation of issues on a widely accessible system, only because the low impact evaluation was going to be out of tolerance sooner and therefore look bad on report cards.