I never worked for big law, but medium law is terrible. Partners can just order the IT department to do anything. We had a new head of IT that tried to implement some common sense changes for an organization that handles sensitive data. Basic stuff: Block websites that tend to be malware vectors, don't let users be admins on their own machines, restrict USB storage to certain users, etc. We were forced to override it on the partners machines almost immediately.