It goes to your comment about layering. I was dumbfounded that witness after witness at our first meeting said, “Oh, it's not on our security list; we did the right thing.” It's almost like we flew the plane into the mountain, but we checked all the checklist items, so it was a success. Common sense certainly has to have a part in it, but we seem to be lacking because we're more focused on ticking boxes than actually doing the right thing.
Should we do an outright ban until we can change our processes so that we don't have department after department turning a blind eye to our security concerns?