I have the misfortune of working with a "security group" that has zero understanding of actual security other than "tool said thing bad".

They are so low-temp IQ I will not be shocked if they are the direct cause of a breach in the company at some point.

The problem with cybersecurity is that it’s ruled by pajeets and lawyers.

The lawyers know nothing about cybersecurity because they’re lawyers. They just want legal assurances, so they demand company certifications (ISO standards) and they don’t care about anything else.

The pajeets in IT / security roles know nothing about cybersecurity because they’re pajeets. They’re also lazy, so security means mindlessly following a check list and crippling the company by shutting down essential services even though the full docs say not to do that. Some of the sketchy monitoring software they install makes the company even more vulnerable and they don’t care. They just act important (they’re narcissists) and probably sell the company’s data on the side (they’re also corrupt).