Yes, from my very limited exposure to this (not in SV, but in healthcare), these are two key points:
absurd amount of anomaly detections per day, usually with a 99.9% false positive rate
Adding lots of red tape and restrictions and wasting time investigating employees who've done nothing wrong
What I've seen/heard about is that you end up with some EVP pissed off that IT/SEC is bothering their people – rightly or wrongly, it'll inevitably get used as an excuse for why something is late. So the EVP (virtually) marches into the office of the IT/SEC director and issues an edict that everyone in <this super special department> is too important to be bothered and any access restrictions or investigations affecting <the department> must get prior approval from the EVP's office. That's of course a huge pain in the ass, which results in that department effectively being exempt, i.e., a perfect place for an internal spy.
The IT/SEC director, often several rungs down from the angry EVP, usually has the authority to stand up to the EVP, technically, but that is a risky move and can easily start a turf war.
So, for these programs to be effective, they must get buy-in from the absolute highest levels with no exemptions, which is not easy in the highly political world of huge organizations.
As someone who worked in a special unit in a big healthcare company, this hits really close to home. Our BU sponsor got us an outside internet connection in our building so we would have unfettered internet access. That would've been the perfect spot to offload documents because you're using a company computer on a non-monitored internet connection and our department had no oversight.
In hindsight, this is very scary given that I had access to production systems with loads of PHI, PII, etc. with no censoring or filtering in place.
And here I always thought it's EVPs that come up with those ridiculous security measures, not IT/SEC guys, and that it's the lower-level managers that have to fight to actually get something done. At one of my previous jobs, it was our direct boss that fought tooth and nail to shield our programming teams from the consequences of the whole corporation deciding to level up some more in ISO standards...
Don't get me wrong. I understand the need for security measures in a company. But there must be some middle ground - some way of securing data and networks without incurring a 1000% penalty on productivity for all your programming teams.
Yeah, I've been in environments where they completely locked down internet access, and we had to "fight tooth and nail" to get an exemption for a handful of sites like StackOverflow. I agree it can be a huge productivity problem.
Again, my experience is very limited compared to many, but the best mix I've seen is programmers had basically wide open internet access BUT everything was still logged. And they must have had some type of automated review. A coworker was planning her wedding, and while sitting on conference calls, browsed around a bunch of wedding sites. She got an email from IT asking about that. (It wasn't a big deal, just embarrassing.) Also, certain categories of data could not be copied to a local computer; they had to be manipulated on a server. Technically you could transfer data from the server (again logged), but it was a firing offense if you were found with sensitive data on your laptop.