Remote working has increased the attack surface.
So has the move in recent years to move various things to various cloud services, which in turn has added various other attack surfaces...
...as well as a number of other moving parts to tie it all together, which require extra time and expertise to configure and maintain ...and which often present their own attack surfaces.
The CFO in the meantime wants to know why the time spent on updates and patching isn't making their computer faster. And is questioning the increasing number of $x per user/month services that are on the bills each month, having patted themselves on the back for the reduced capex that came with moving things to the cloud.
The CFO's 2IC has recently built a hackintosh at home and is now a security expert, thinks all the after hours patching work is fake, and has been deducting regular annual leave hours for IT staff time-in-lieu requests and hoping they don't notice.
Line Manager X doesn't work in IT, but is very much up to date on various security advisories and uses this to justify their long-standing lack of effort/usage for any given system. Today, perhaps understandably, they will no longer use Confluence despite the fact their inability to either write (or read) documentation in any form (even a word document) has been longstanding.
The CEO, also very much up to date on various security advisories, uses this to constantly decree that we shouldn't use various vendors. Which at this point means we should theoretically be using pen and paper. Also refuses to use MFA despite their email account being under attack on an almost hourly basis. Is also against most forms of email security after a smoking red-hot email exchange with their partner once triggered the worst possible category of email content alerts.
So, yep, a bit stressful.
Our front line staff fortunately navigate any security related potential inconveniences like MFA, computer updates and other measures with ease.