HACKER Q&A
📣 dev_0

Is security team the elephant in the room?


Everyone seems to despise them


  👤 LinuxBender Accepted Answer ✓
I suppose that depends on the priorities of your company and your customers and how well those two align. Entrepreneurs are typically risk takers, so a company needs a CSO/CFO and legal team that appreciate the value of risk ranking and mitigating risks based on priorities in a practical manner that finds a balance of security and low to moderate friction.

The head of the development org should also have an appreciation for mitigating security risks as they are often born out of bugs so it isn't all just security theater if one is zapping application breaking bugs.

The head of the security org should accept that not all security bugs will be squashed and should focus on risk ranking and prioritizing the most feasible and high impact bugs first while avoiding hypothetical scenarios unless the red-team / penetration teams can prove they are not hypothetical.


👤 Spooky23
Depends on alignment. Is the CISO an engineer, an attorney or a controls person?

I’ve worked with security idiots whose life’s work is monk-like transcription of NIST 800-53 publications into local policy. I’ve also worked with a couple who are the smartest engineers that I’ve met.

I think that the ideal security team would be like brakes on a car - they let you go faster. Unfortunately, I’ve never really seen that happen, and the culture of security people is this weird cop-like thing that comes from the Feds.


👤 ipaddr
What they suggest rarely fits the common sense model because they blindly follow best practice suggestions often outdated and without understanding context.

👤 yuppie_scum
They have single-handedly taken all the fun and experimentation out of our engineering culture. We are so bogged down by process now. I can’t stand them.