I agree in principle. But actively harming security for those users that already have a secure environment in place is a sign of compliance culture. Not security culture.

I needed to have less secure passwords under new security regime. More open ports. More services being exposed to the net, more code with potential bugs running on my machine and so on.

If you want to take over any of the big firms I would probably target a tool like Tanium [0] being employed by a lot of these corporations.

Last time I checked still based on python 2.7 (EOL 2020-01-01).

This was in my case installed as well as Flash with the pretense of security. I was a bit underwhelmed.

I actually told CIO about py27. And about it already being EOL. They did not know that (neither the tool using it, nor it being EOL). And they actually did not care. And told me not to care about it, as the mix of different tools would provide absolut security.

[0]: https://www.tanium.com/de/

I don't think poster was complaining, specifically, that the security policy wasn't designed for people who care about security. In my opinion the issue is that they replaced an up-to-date and robust set of policies and tools with out-of-date tools and procedures. In addition they removed agency from their employees by installing an endpoint security tool on their machines.

I have to say, I agree! Once an endpoint security tool gets installed on my laptop and my administrator privileges have been revoked, I would definitely feel like the security of the unit was out of my hands. IMHO, this makes the organization almost entirely reliant on software and policies (which likely go unread) for security.

My belief is that this will result in an overall less secure posture for the organization as a whole. As this poster points out, his password is now less secure because whatever tool judges its strength is behind the curve. Other people may be more prone to open suspicious email under the impression that the endpoint security tool will take care of it. And so on.