Is it easy dealing with the hate from everyone else in your org?

I understand why security is important but the majority of staff (particularly non-technical) see you as a blocker.


If the security team is a blocker it might be that they’ve been brought in too late.

Security is everyone’s responsibility and creating an environment where it’s like this, and making it as easy as possible to get people to report stuff they see without playing the blame game is key to getting trust and demonstrating that togetherness.

There’s only really hate in them v us type environments (I’ve seen it also in other cross team interactions like Dev v Ops for e.g.) or security teams blindly giving teams lists of controls to implement without having even done any kind of risk assessment with the asset owner (and quite possibly without taking other business risk priorities into account).

As for convincing non-technical staff of the importance: The technical vulnerability (or whatever) needs relaying in business risk terms they can understand.

Really? What kind of staff are you talking about and what new implementations did they resist you on? And why?

I'm curious because, while I'm not on my company's security team, due to heightened awareness and wanting to ensure we're protecting our trade secrets, etc., we've ramped up security in basically every way across the entire organization, and it's been basically a pleasant ride internally for all few thousand members of the company across the globe. The technical teams (dev, support) had some speed bumps, but after a frank discussion with IT Security about what our need was and why it wasn't being met, we found acceptable new routes. If anything, we've used the locking down of potential security risks as a springboard to overhaul and optimize a LOT of workflows for the better.

Our customers now, that's another story, and it's like trying to make a pet take medicine. Our largest customers are fine and understand (even appreciating) the security changes we made for our interactions, but a lot of the small business customers only care about the fact that they can't do what they previously used to in some cases.

But I'm fairly curious what resistance people are seeing from their implementations and what these implementations are.

Like any other department, when security is too isolated from others, it creates a culture of perverse incentives and competition rather than collaboration to a shared goal.

For example, try building a new website for a company, only to have the security team insist that you fix "defects" such as not tying sessions to IP addresses. Yeah, fuck all the people on mobile phones hopping between networks. It would make sense for accessing internal data, but not for what amounted to a marketing site for public consumption.

Like I said at the open, this can happen with any department or team- security, I think, might tend to happen a little more frequently, if only because it is logical that they do need a certain amount of autonomy to do their jobs well.
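The session-pinning dispute in the comment above comes down to one property of the control: from the server's side, a phone that has just hopped from Wi-Fi to mobile data and an attacker replaying a stolen cookie from elsewhere look identical. Below is an added example (not code from the original thread or from any commenter) of a toy session store whose `bind_to_ip` switch is a hypothetical setting; the user name and IP addresses are constructed sample data. It returns the outcome of three requests, same IP, legitimate roaming IP, and replay from an attacker's IP, under each policy.

```python
"""Added example: a minimal in-memory session store with optional client-IP
binding, showing why IP pinning rejects roaming mobile users and replayed
cookies alike. The `bind_to_ip` policy flag is an assumption for illustration."""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    # IP the session was issued to; None when the policy does not bind sessions
    client_ip: Optional[str]


class SessionStore:
    def __init__(self, bind_to_ip: bool) -> None:
        self.bind_to_ip = bind_to_ip
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, client_ip: str) -> str:
        """Issue an unguessable token; remember the client IP only if binding is on."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, client_ip if self.bind_to_ip else None)
        return token

    def resolve(self, token: str, client_ip: str) -> Optional[str]:
        """Return the user for a presented token, or None if the token is rejected.

        Under IP binding the check is purely `issued_ip == current_ip`; the store
        has no way to tell a roaming phone apart from a replayed cookie."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self.bind_to_ip and session.client_ip != client_ip:
            return None
        return session.user


def evaluate(bind_to_ip: bool) -> Dict[str, Optional[str]]:
    """Run three requests against one session and report who each resolved to.

    Constructed sample data: user 'alice' logs in from 203.0.113.10 (Wi-Fi),
    later sends a request from 198.51.100.7 (mobile data), while an attacker who
    captured the cookie replays it from 192.0.2.99."""
    store = SessionStore(bind_to_ip)
    token = store.create("alice", "203.0.113.10")
    return {
        "same_ip": store.resolve(token, "203.0.113.10"),   # normal follow-up request
        "roaming": store.resolve(token, "198.51.100.7"),   # legitimate user, new network
        "replay": store.resolve(token, "192.0.2.99"),      # stolen cookie, attacker's IP
    }


def unknown_token(bind_to_ip: bool) -> Optional[str]:
    """A token the store never issued must be rejected under either policy."""
    return SessionStore(bind_to_ip).resolve("not-a-real-token", "203.0.113.10")


if __name__ == "__main__":
    for policy in (False, True):
        print(f"bind_to_ip={policy}: {evaluate(policy)}")
```

With `bind_to_ip=False` all three requests resolve to `alice`, including the replay; with `bind_to_ip=True` the replay is blocked but so is the roaming user, which is the cost the commenter objects to on a public marketing site and would accept for internal data.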

I love working with good Infosec people, I want to deliver secure software.

Good Infosec people are as rare as hen’s teeth.

No hate. I am an enabler. I help our teams do what they need to do to move forward securely. When there is an issue, I respond to the event, then quickly contain and remediate so business can continue. It is part of my job to help them understand this.

Hate is reserved for the "if checkbox is not checked we kill your project by end of week" and "the form doesn't have (client-side) validation, that's an OWASP vulnerability" kind of "pentest" teams. People who don't even reply when you're asking which threat model we're defending against.

I'm a developer in an organisation with a large dedicated security team. I've been given advice but can't think of a time when I've been blocked.
