I don't think any kind of careerist conspiracy is required to arrive at a culture of over-classification.
The habits of anyone working in any kind of role involving information security are so utterly obvious that they barely require discussion.
You make sure your office environment is secured, don't leave papers on your desk. Don't duplicate information more than necessary. Full disk encrypt everything. Never email documents without encryption. Don't use USB sticks without encryption. Know who you're talking to on the phone. Don't ever talk about incidents, jobs or the specifics of what you do.
Now think about people who reflexively do all this stuff and consider: a) how strong the urge to classify by default is and b) how much more work it takes to be 100% sure a document is safe for release.
You've just described a careerist culture, if not a conspirace, it seems to me.
What's the difference between reflexively classifying everything as highly as you can, and routinely covering up inefficiency and waste, and maybe a little graft on the side? Pretty much nothing.
The habits of anyone working in any kind of role involving information security are so utterly obvious that they barely require discussion.
You make sure your office environment is secured, don't leave papers on your desk. Don't duplicate information more than necessary. Full disk encrypt everything. Never email documents without encryption. Don't use USB sticks without encryption. Know who you're talking to on the phone. Don't ever talk about incidents, jobs or the specifics of what you do.
Now think about people who reflexively do all this stuff and consider: a) how strong the urge to classify by default is and b) how much more work it takes to be 100% sure a document is safe for release.