Clarification: in my context I'm typically talking about the IT Security and employee relationship. But the dynamics you outline still hold, although my experience has been the reverse (they value what they perceive as "the company" over employees).
> I would imagine companies like that are generally toxic across orgs, and not just in IT, but probably any area where investment is forced and it isn't revenue-generating
I'd agree this is probably a key contributing factor.
It's been my fortune / misfortune to work for a number of companies that qualify (healthcare, financial, insurance).
But it has also been true (in my much more limited experience) with healthier, IT-as-profit-center companies.
I'd hazard better framing (than profit/cost center) might be "incentivized to improve" vs "penalized for mistakes."
Unless it's the former, it's in no one's personal interest to go above and beyond or suggest change. So you get glacial, incremental processes, and lose people who are impatient with working that way.
As you note, I think monetizing security is a key step to establishing a healthier balance.