
The most secure company is, of course, the company that doesn't exist. Bankrupting your org is certainly the most effective way to keep it secure.

Yes, their role is defense, but not insofar as to remove the profitability of the organization. In several orgs now I've seen the legal team blow contracts and the security team break the product and the IT team break development in the name of performing their role "correctly".

Brainless box checking is not part of defense; you must be willing to critically think about how to fit your role to your product or organization's profit motive.



> the IT team break development in the name of performing their role "correctly".

Your daily driver account should not be local admin.

Yes, we need MS Defender/S1/Crowdstrike for EDR, DNS blocking, mandatory updates, etc. for security, which now is actual money with cyberinsurance that won't pay unless we fulfil certain criteria. This all requires computers to be managed by an MDM.

Take it up with the bossman.


There is a natural tension between these equally important roles, especially when folks choose to view competing objectives as a zero sum game. I think your point of view is one-sided.


Reminds me of the "most secure computer is the one encased in a block of concrete at the bottom of the ocean".


Not disagreeing with you, can you give and explain one of the examples where you have seen this?



