And IT has time to check alarms, very unrealistic.

Depends on the culture. I interned at a place that fell under the Critical Infrastructure Protection program. It was so strict you'd get a visit from security if you tried to badge through a door you didn't have access to.

Interesting. I wonder if, in a “mind your own business,” curiosity-discouraged sort of environment, people might also be less likely to notice and report threats.

The first thing I do with credentials is find out what they open. Seems like if you have the resources to follow up on access attempts, you have the resources to set ACLs correctly so you’re not scared of them.

Plus, budget to hire a pen tester?!?

I mean its consistent with the fact that they actually had good security, thus they're probably not shorting the IT budget.

A bank!

Nah, I've worked with some banks here and there. Amazing lack of security. Can't talk specifics, but yeah, just wow....

I think you dropped an /s

The security of banks is certainly not in their IT departments.

I had an interview at a relatively secure place. Premises are walled and gated, the first thing you come to is a checkpoint with armed guards and security cameras. If you don't have an access card or your access card isn't permitted in the area you're going to, you don't go in without escort. And that escort must have been agreed to in advance; the security team must have a document about your planned trip. Of course they check your id before calling the escort. People don't do work on internet connected computers; if you need to browse, there's a separate computer for that. That's about as much I'm comfortable revealing.. it goes deeper :)

I guess it's a place where "getting work done" doesn't involve downloading 1000 deps with npm and what have you from random sources on the internet.

I don't believe one once of this story.