This resonates so much. One way to gauge the gap is to look for redefined reliability terms:

- Do they call it continuous deployment when it's really continuous integration? CD is when the build pipeline goes all the way to production without any human interaction (except possibly a review step).

- Do they call it continuous integration when it's really nightly builds, manual builds, local builds, or per-feature rather than per-change?

- When HTTP doesn't redirect to HTTPS, when common credentials aren't rotated whenever anyone who knows them leaves, when full-disk encryption is optional, when someone can walk in from the street and look at or change <i>anything,</i> when common password storage protections or anything like that aren't used, even an amateur knows it's not "excellent" security.
The note about opening the door resonates with me.
On two different occasions I've come across IT people scratching their heads about how to get into the server closet. On the first occasion the guy with the key was at a BBQ and in no shape to drive. I opened it with a library card.
On the second, the Kisi server controlling the door had crashed (guess where the server was). I opened it with a butter knife. On both occasions I opened the door quicker than my wife can find her keys in her purse.
Lesson 1) Secure your server room against physical attacks
Lesson 2) As you secure your server room, make sure you make an emergency plan for how to get into your newly secured server room.