Cops or plumbers? The culture of your security team matters
Now that LLMs are flipping the table on so much of what we knew about IT best practices, and we are struggling to feel at all confident that we're not exposing ourselves to new, unknown risks when we add inference engines to our pipelines, my mind turned to the many models organizations adopt to deal with these issues. I've found it to be a telling indicator of organizational culture. Does your security team see themselves as cops or plumbers?
I've encountered both types. The "cops" have the job of protecting the company's assets, a truly vital role, but one that is subject to all the pressures and incentives that their real-world analogs are subject to. I certainly am not one to say ACAB, but that slogan did not come out of nowhere. It was blowback from a community that felt the chafing from constantly running into boundaries that weren't responsive to changing contexts.
OTOH, those who consider themselves plumbers, whom I mostly encounter in companies in genesis or startup mode, consider themselves equal partners with everyone else trying to create business value. Like a plumber, they have an area of responsibility, but that area has to serve the needs of the company. You want sufficient capacity, you don't want leaks, and if you suddenly need a swimming pool on the roof, they're going to figure out how to provide it without compromising the rest of the plumbing.