And here I always thought it's EVPs that come up with those ridiculous security measures, not IT/SEC guys, and that it's the lower-level managers that have to fight to actually get something done. At one of my previous jobs, it was our direct boss that fought tooth and nail to shield our programming teams from the consequences of the whole corporation deciding to level up some more in ISO standards...
Don't get me wrong. I understand the need for security measures in a company. But there must be some middle ground - some way of securing data and networks without incurring a 1000% penalty on productivity for all your programming teams.
Yeah, I've been in environments where they completely locked down internet access, and we had to "fight tooth and nail" to get an exemption for a handful of sites like StackOverflow. I agree it can be a huge productivity problem.
Again, my experience is very limited compared to many, but the best mix I've seen is programmers had basically wide open internet access BUT everything was still logged. And they must have had some type of automated review. A coworker was planning her wedding, and while sitting on conference calls, browsed around a bunch of wedding sites. She got an email from IT asking about that. (It wasn't a big deal, just embarrassing.) Also, certain categories of data could not be copied to a local computer; they had to be manipulated on a server. Technically you could transfer data from the server (again logged), but it was a firing offense if you were found with sensitive data on your laptop.