This will be 2 parts: my personal experience (subjective) and data (objective).
Objective Data:
1. For an organization of this size and requirements the IT department is between 400 - 500% under-budgeted with about 1/5th of the staff it needs.
2. Work week is between 55 and 70 hours to include nights and weekends. My average was 62.5.
3. There were 109 projects in my department when I left, all priority 1.
4. Average employment length is 7 months.
5. At will is used.
6. The entire Finance department was let go. (Before my time)
7. Half of the HR department walked out with little to no notice. Seasoned professionals.
8. Half of the help desk walked out (this was heard secondhand).
9. SEVEN security professionals cycled in and out in less than a year. (CISO, CISSPs, Engineer, and 2 analysts)
10. Contracted for 15-20% bonus. Received 3%.
11. Salary is increased by 1% annually. With inflation that is a 7% pay cut on average.
12. Contracted for remote work. This was taken away temporarily after my remote team was put on a hybrid pilot program. The CEO did a roll call and revoked it for most.
Personal Experience:
I had a few over-the-top experiences that overstepped some hard boundaries for me that I will summarize.
1. My toddler had to go to the ER so he stayed home for a day. In a 1:1 I was told, "Anything you need we are here to fully support you." My toddler then jumped on my lap and within the same breath, I was told "Are we going to have a problem here? Do we need to discuss your work-from-home arrangement?"
2. I was singled out on numerous occasions. CEO is used as a boogieman and "company policies" are loosely applied at random to push individual preferences.
3. I was not listened to and then held accountable for other people's inaction.
Ex: I researched, purchased, installed, and maintained multiple solutions.
When I asked IT to come to the meetings to research they didn't show up.
When I asked for help solutioning they said just pick something and we'll figure it out.
When it came time to install, I asked for help completing the IT requirements documents and received no response on about a dozen emails and chats. Then I set up meetings and they didn't show.
Then I escalated to my boss.
Then when it came time to install they acted surprised when the vendors asked them to be prepared and the solution wouldn't work.
This happened at least 5 times. Not only was it embarrassing, but I was then told that "I didn't plan this well enough".
Less hard boundaries but unprofessional experiences:
1. Security was used as a rubber stamp/scapegoat. If I informed IT that the risk was not acceptable because no due diligence was applied I was argued with for weeks about how there is no risk. When that was proven false, non-relevant data was used to try and just win arguments.
2. We fixed unconfigured or improperly configured tools, implemented new solutions, hired and trained new staff, maintained operations, provided metrics and executive reports and presentations, stopped numerous attacks, and audited most of the environment. If even a single spam email got through: "why didn't you" or "why can't you just".
3. I was encouraged to reduce security because my team didn't release an email within 7 minutes of notification after hours. The phone call was returned within 5 minutes.
4. IT did not show up to ~80% of security-related meetings.
5. Security is cut off at the knees with their arms tied behind their backs and told "we take security seriously" and "you are highly supported"
a. IT Tier 1/2/3 was empowered to gate-keep all security decisions but security was held responsible for those decisions.
b. IT given decisioning authority on potential major security incidents but security is held responsible for the outcomes. Security is not informed of security events.
c. Security tools and permissions revoked or uninstalled with no notification.
d. Denied access for 10+ months to security tools and then held responsible for security events involving those tools…. You know… that we didn't have access to…
e. Had to work with vendors outside of the company just to get access to tools to protect the company.
f. Engineer told he was "wasting his time" recommending minimal configs for his specialty tool.
g. All of IT EXCLUDING security received security alerts. Security requested this be changed and was denied.
6. One of the hardest working employees was recommended to be fired THREE times in a meeting simply because management didn't like their slightly different working schedule.
TL;DR - Complete disregard for employee welfare, zero flexibility, and willful negligence with a severe lack of ethics