Prompted by recent discussions on security teams and their interactions with engineering teams, I thought I'd reshare some advice I received a while ago.

Paraphrasing, it goes like this:

As a security team, you have a bucket of trust. You fill it slowly, over time, by showing up, doing a good job day in and day out. You fill it by showing the teams you work with that you're there to help, not to get in their way, and that we're all there for the same goals (building a more secure product for our users).

It's very hard to build up that trust. And very easy to lose it. You get to choose when to spend that trust. Choose wisely. You'll want to reserve the right to use it e.g. when there's a big incident and you need to tell people "do this, trust me, I'll explain later".

But if you unintentionally burn trust on things like this (I'm redacting what the actual thing was :) ) because you didn't do your homework, then you're SOL. You can do some damage control to recover the trust, but some of it is fundamentally gone.

Think about what you're doing and why. Is it really that important to burn a valuable resource on? Can you do some additional work or meet folks in the middle, or improve your messaging so things work better?

It's been solid advice that has helped me at that job and a future one (I have made this mistake and learned it the hard way). Sharing in case it helps others.

Would love to learn from others: how do you approach building trust? How do you avoid spending too much of it when you need to?

(PS: I think this applies to all platform/core infrastructure teams, not just security, but security is the example I have)