Engineers Bypass Security Controls, Exposing IT Flaws

In today’s rapidly evolving IT landscape, few topics are as critical as the balance between security and productivity. I’m thrilled to sit down with Maryanne Baines, a renowned authority in cloud technology, whose extensive experience evaluating cloud providers, tech stacks, and industry applications offers invaluable insights. In this interview, we dive into the alarming trend of engineers bypassing security controls, the persistent challenges of access management, the disconnect between IT policies and workflows, and the slow journey toward zero trust adoption. Maryanne shares her expert perspective on why these issues persist and how organizations can navigate the complex intersection of security and efficiency.

How do you think the widespread bypassing of security controls by IT and engineering professionals reflects broader challenges in today’s workplace?

It’s a symptom of a fundamental tension between security and productivity. When 83% of professionals admit to bypassing controls, it’s often because they feel those controls are slowing them down or blocking their ability to deliver results. In many cases, engineers and IT staff are under tight deadlines, and the tools or policies in place aren’t intuitive or flexible enough to match their workflows. This isn’t about negligence; it’s about a mismatch between the systems designed to protect and the reality of getting work done. Organizations need to recognize that if their security measures are being circumvented at such a high rate, it’s not just a user problem—it’s a design problem.

What types of security controls do you see being bypassed most often, and why might that be the case?

From my observation, controls like VPN restrictions, static firewall rules, and overly rigid permission settings are among the most commonly bypassed. These are often seen as cumbersome or outdated by teams who need quick access to resources. For instance, VPNs can introduce latency or operational headaches, pushing users to find workarounds. Similarly, if permissions don’t align with dynamic project needs, engineers might resort to shared accounts or other shortcuts. It’s usually a matter of convenience over compliance, which highlights the need for more user-friendly and adaptive security solutions.

Can you walk us through the potential consequences of professionals retaining access to internal systems after leaving a company?

This is a massive risk. When 68% of people report still having access to systems after leaving a job, you’re looking at a wide-open door for data breaches, insider threats, or even unintentional misuse. Former employees might not have malicious intent, but if their credentials are compromised, or if they access sensitive data out of curiosity or for a new employer, the damage can be severe. Beyond that, it erodes trust in the organization’s ability to safeguard its assets. It’s a glaring oversight that can lead to regulatory violations, financial loss, and reputational harm.

Why do you think so many organizations struggle to revoke access immediately when an employee departs?

A lot of it comes down to poor offboarding processes and reliance on manual systems. Many companies don’t have automated tools to deprovision accounts across all platforms instantly. Instead, they depend on IT teams to manually update access lists, which can be error-prone or delayed, especially in larger organizations. There’s also sometimes a lack of clear ownership—HR might notify IT too late, or there’s no centralized system to track access. In some cases, companies might intentionally delay revocation for contractors or temporary rehires, but that’s a risky gamble.

How do IT and security policies often misalign with the day-to-day needs of engineers, and can you share an example?

Policies often misalign because they’re designed with a one-size-fits-all mindset, ignoring the specific workflows of technical teams. For example, a policy might require multi-factor authentication for every single system access, even for internal tools used dozens of times a day. While the intent is to bolster security, it can frustrate engineers who need rapid, seamless access to iterate on code or troubleshoot issues. This friction leads to workarounds like shared credentials or bypassing authentication altogether. It’s a clear sign that policies need to be tailored with input from the people who actually use the systems.

What strategies can companies adopt to balance security policies with the practical needs of their IT and engineering teams?

First, companies need to involve their technical staff in the policy-making process. Engineers and IT professionals should have a seat at the table to explain their workflows and pain points. Second, adopting adaptive access models—like just-in-time access—can help by granting permissions only when and where they’re needed, reducing friction. Lastly, investing in user-friendly tools that integrate security seamlessly, rather than as an afterthought, is critical. If security feels like a burden, people will find ways around it. The goal should be to make compliance the path of least resistance.
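
The departed-user problem from the offboarding answer above and the just-in-time access model mentioned here come down to the same periodic check: reconcile what accounts actually exist against who should still hold them, and revoke the rest. The following is an added illustration, not code from the interview or from Maryanne Baines; the system names, the HR roster and the entitlement records are constructed sample data, and the per-system connectors are hypothetical stand-ins for whatever deprovisioning API each platform exposes.

```python
"""Access reconciliation for offboarding and just-in-time grants.

Constructed example (not from the interview): an in-memory model of entitlements
with an HR roster, plus two checks a nightly deprovisioning job would run:
  1. orphaned access: the owner has left (or was never on the roster), yet still
     holds an account in some system
  2. stale JIT grants: a time-bound grant whose TTL has elapsed
The plan is then applied per system so one failing connector does not block the rest.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional


@dataclass(frozen=True)
class Entitlement:
    system: str                      # hypothetical system name, e.g. "github", "aws", "vpn"
    account: str                     # login in that system
    owner: str                       # HR employee id the account maps to
    granted_at: datetime
    ttl: Optional[timedelta] = None  # None = standing access; set for JIT grants


@dataclass(frozen=True)
class Person:
    employee_id: str
    status: str                      # "active" or "terminated"


def orphaned(entitlements, roster):
    """Entitlements whose owner is terminated or absent from the roster."""
    by_id = {p.employee_id: p for p in roster}
    return [e for e in entitlements
            if by_id.get(e.owner) is None or by_id[e.owner].status == "terminated"]


def expired_jit(entitlements, now):
    """Time-bound grants whose TTL has already elapsed at `now`."""
    return [e for e in entitlements if e.ttl is not None and e.granted_at + e.ttl <= now]


def revocation_plan(entitlements, roster, now):
    """Sorted, de-duplicated (system, account, reason) triples to revoke."""
    plan = {}
    for e in orphaned(entitlements, roster):
        plan[(e.system, e.account)] = "owner departed"
    for e in expired_jit(entitlements, now):
        plan.setdefault((e.system, e.account), "jit grant expired")
    return sorted((s, a, r) for (s, a), r in plan.items())


def apply_plan(plan, revokers):
    """Dispatch each revocation to its system's connector; collect outcomes.

    `revokers` maps system name -> callable(account) that raises on failure.
    A missing connector or a raised error is recorded, not fatal, so a broken
    integration with one platform cannot leave the others unrevoked.
    """
    outcomes = []
    for system, account, reason in plan:
        fn = revokers.get(system)
        if fn is None:
            outcomes.append((system, account, "no connector"))
            continue
        try:
            fn(account)
            outcomes.append((system, account, "revoked"))
        except Exception as exc:  # connector-specific errors; record and carry on
            outcomes.append((system, account, f"failed: {exc}"))
    return outcomes


# --- constructed sample data (hypothetical systems, ids and accounts) ----------
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)

SAMPLE_ROSTER = [
    Person("e100", "active"),
    Person("e200", "terminated"),   # has left, not yet deprovisioned
]

SAMPLE_ENTITLEMENTS = [
    Entitlement("github", "alice",         "e100", NOW - 400 * H),               # fine
    Entitlement("github", "bob",           "e200", NOW - 900 * H),               # orphan
    Entitlement("aws",    "bob-admin",     "e200", NOW - 500 * H, ttl=4 * H),    # orphan and expired
    Entitlement("vpn",    "contractor7",   "e999", NOW - 100 * H),               # owner never on roster
    Entitlement("aws",    "alice-prod",    "e100", NOW - 2 * H,   ttl=1 * H),    # JIT grant expired
    Entitlement("aws",    "alice-staging", "e100", NOW - H / 2,   ttl=1 * H),    # JIT grant still valid
]

# Connectors for the sample run: github and aws succeed, vpn has no connector yet.
SAMPLE_REVOKERS: dict[str, Callable[[str], None]] = {
    "github": lambda account: None,
    "aws": lambda account: None,
}

if __name__ == "__main__":
    plan = revocation_plan(SAMPLE_ENTITLEMENTS, SAMPLE_ROSTER, NOW)
    for row in apply_plan(plan, SAMPLE_REVOKERS):
        print(*row)
```

The "no connector" outcome is the finding that matters most in practice: it is exactly the platform where access lingers after departure because nobody wired it into offboarding, and a job like this makes that gap visible on every run rather than at the next audit.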

Why do you think so many organizations still rely on manual processes for managing network access, despite the obvious drawbacks?

It often boils down to inertia and budget constraints. Many organizations have legacy systems that have been in place for years, and transitioning to automated, modern solutions requires time, money, and expertise that they may not have readily available. There’s also a comfort factor—manual processes, while inefficient, are familiar, and some IT teams may resist change due to fear of disrupting operations. Unfortunately, this reliance on static firewalls or IP-based permissions creates bottlenecks and security gaps that are hard to ignore in today’s threat landscape.

What are some of the biggest obstacles preventing companies from fully embracing zero trust network access strategies?

Zero trust sounds great in theory, but implementing it is a heavy lift. One major hurdle is the cultural shift—it requires moving away from perimeter-based security to an identity-first mindset, which can be a hard sell for leadership used to traditional models. Then there’s the technical complexity; integrating identity-based access across diverse systems, especially in hybrid or multi-cloud environments, is no small feat. Cost is another factor—zero trust often demands new tools and training. Finally, there’s a knowledge gap. Many organizations simply don’t know where to start or how to prioritize, which stalls progress.

How can organizations effectively transition from outdated security models to a zero trust framework without disrupting operations?

It’s all about a phased approach. Start by identifying critical assets and high-risk areas where zero trust principles like identity verification and least privilege can be applied first. Pilot these changes in a controlled environment to iron out issues before scaling. Invest in training so that both IT teams and end-users understand the ‘why’ behind the shift—it’s not just about security, but enabling better workflows. Partnering with cloud-native platforms that support zero trust out of the box can also ease the transition. The key is to avoid a rip-and-replace mentality; gradual integration minimizes disruption while building toward a more secure posture.

What is your forecast for the adoption of zero trust strategies over the next few years, and how do you see the landscape evolving?

I’m optimistic but realistic. Over the next two to three years, I expect a significant uptick in zero trust adoption as more organizations recognize that traditional VPNs and perimeter defenses just aren’t cutting it. We’ll likely see a surge in unified, cloud-native secure access platforms that make zero trust more accessible, even for smaller companies. AI and automation will play a bigger role, dynamically adjusting access based on context and behavior, which will reduce human error. That said, the journey won’t be complete for many—zero trust is a mindset, not a checkbox, and cultural and technical barriers will persist. Education and vendor innovation will be key to closing those gaps.
