I came across certain cybersecurity practitioners who are obsessive about technical controls and insist on a strict binary decision when determining policy compliance. Anything else triggers a so-called non-compliance process that requires an executive signature as risk acceptance. Even worse, the policy itself is badly written, lacking both precise generic statements and precise specific statements for the appropriate scenarios.

Such a mentality does not secure the business; it is a major obstacle to digital transformation and to competitiveness with peers.

As competent cybersecurity practitioners, our role is to explain what protection is in place to neutralize the published cyber threats rather than to create FUD for management. Sometimes a management directive with disciplinary action for non-compliance is far more cost-effective than a technical control. Password complexity and MFA are an example: they only make password sharing harder, not impossible.

Education is another reason why we should not do so. More technical controls mean more complexity. Complexity does not make a system more secure; instead, users will try to evade or circumvent the controls.

