If security is important, you lose something in terms of getting shit done. It's up to you or your organization what the tradeoff is. Fun fact: At one company I worked at, it was a matter of security policy that every machine in the company run the Bit9 binary whitelisting software. Every. Single. One. Including all the dev machines. In addition, it was decided that valuable corporate assets such as source control be airgapped from the outside network, making it difficult to run a dev machine that could access both the repo and the Web where all your documentation is. But Security was determined to be Priority One at that company, so productivity had to take the hit. If you developed the tech ten times slower and with ten times greater annoyance to your engineers, that was a worthy price to pay for not having it stolen by scary foreign spear phishers.