TBF there are orgs at companies whose sole role is to play DEFENSE - lawyers, CSO etc… if they deem something too risky it IS their job to block it, and then it’s up to upper management to override them if the situation calls for it.

Now that said they should still try to advance the mission within that framework, and not be lazy.



The most secure company is, of course, the company that doesn't exist. Bankrupting your org is certainly the most effective way to keep it secure.

Yes, their role is defense, but not insofar as to remove the profitability of the organization. In several orgs now I've seen the legal team blow contracts and the security team break the product and the IT team break development in the name of performing their role "correctly".

Brainless box checking is not part of defense, you must be willing to critically think about how to fit your role to your product or organization's profit motive.


>the IT team break development in the name of performing their role "correctly".

Your daily driver account should not be local admin.

Yes, we need MS Defender/S1/Crowdstrike for EDR, DNS blocking and Mandatory updates etc for security which now is actual money with cyberinsurance that won't pay unless we fulfil certain criteria. This all requires computers to be managed by an MDM.

Take it up with the bossman.


There is a natural tension between these equally important roles, especially when folks choose to view competing objectives as a zero sum game. I think your point of view is one-sided.


Reminds me of the "most secure computer is the one encased in a block of concrete at the bottom of the ocean".


Not disagreeing with you, but can you give and explain one of the examples where you have seen this?


