
©2026 Poal.co

[–] 3 pts

And this is true, hence shadow IT et al., but at the same time, the initial and refresher training is shitty; the practitioners that push it don't care, and the folks taking it don't care. It's all a checkbox for FISMA, or CMMC, or whatever the reg is for the environment. The only time anyone gives a fuck is if there's a cost attached to it. No one on the BoD wants to invest to mitigate the impact, just invest enough to check that box.

That said, as a practitioner, my fatigue comes from the above in addition to heavy-handedness for the sake of it, and thus includes overclassification because 'it's easier'. In general, the majority of folks responsible and accountable for security simply don't give a fuck. Security is a journey, not a destination, and many cannot wrap their head around that.

[–] 2 pts

Yep, all true. We get "security" training here every year; it's the same "Click on the things that could be a security issue" nonsense, or one of those video things that looks like it was made in the XP era, where it has to play "quicktime" videos and you have to listen to garbage to pick out one thing that means nothing in the grand scheme of things.

Most of us just have them memorized at this point and click on through. The one I was supposed to do I didn't even bother listening to the presentations, I just let them run (no audio on this workstation) and did the "test." Useless.

[–] 1 pt

Do you have simulation testing where the company "phishes" employees? I have worked in orgs where you can get fired for failing too many simulation tests.

[–] 0 pt

No, we're far too small for that.