If the security team is a blocker, it might be that they’ve been brought in too late.
Security is everyone’s responsibility, and creating an environment where that is actually the case, and making it as easy as possible for people to report what they see without playing the blame game, is key to earning trust and demonstrating that togetherness.
There’s only really hatred in “them vs us” type environments (I’ve seen it in other cross-team interactions too, e.g. Dev vs Ops), or where security teams blindly hand teams lists of controls to implement without having done any kind of risk assessment with the asset owner (and quite possibly without taking other business risk priorities into account).
As for convincing non-technical staff of the importance: the technical vulnerability (or whatever it is) needs relaying in business-risk terms they can understand.