zelphirkalt 16 hours ago

If they want to do their job well, how about adding some thinking into the mix, for good measure? Good would also be, if they actually knew what they are talking about, before trying to tell the engineers what to do.

hnlmorg 10 hours ago

> If they want to do their job well, how about adding some thinking into the mix, for good measure?

That’s what the conversation I shared is demonstrating ;)

> Good would also be, if they actually knew what they are talking about, before trying to tell the engineers what to do.

Often the people enduring the rules aren’t supposed to be security specialists. Because you’ll have your SMEs (subject matter experts) and your stakeholders. The stakeholders will typically be project managers or senior management (for example) who have different skill sets and priorities to the SMEs.

The problem is that when it comes to security, it’s a complicated field where caution is better than lack of caution. So if a particular project does call on following enhanced secret practices, it becomes a ripe field for snake oil salesmen.

Or to put it another way: no company would get sued for following security theatre but they are held accountable if there is a breach due to not following security best practices.

So often it doesn’t matter how logical and sensible the counter argument is, it’s automatically a losing argument.

immibis 8 hours ago

They don't want to do their job well. They want to look like they're doing their job well, to people who don't know how to do the job and whose metrics are completely divorced from actual merit.