It is the same scene but different people will interpret it differently.
Business managers or plant floor engineers have a mission to achieve in delivering the business outcome, while cybersecurity practitioners have their own opinions on how to “ensure” a secure business or operational environment as part of fulfilling their job role.
Most often, this creates conflict.
As cybersecurity practitioners, we should never blindly apply academic knowledge, because each organization has its own specific ways of doing business. What the book says, and even the organization's security policies themselves, are just generic guiding principles. We are all hired to exercise professional judgment and to help the business understand the cyber risks; after all, accepting them is the business's decision. If the business hesitates, we give it the big picture: how cyber threats are likely to be exploited and the practical countermeasures that reduce the likelihood. Essentially, cyber threat is just one of the many operational risks to address. Don’t invent extra, unnecessary cyber protections that will themselves introduce more cyber risks.