Or internal security - who look at your system and say doing that process that way is insecure please change it. When you ask how (as you aren't a security expert) they say not our problem and don't say how to fix it.
In the security team there were experts but I suspect the issue was that if they suggested a solution and it did not work or I implemented it incorrectly then they would get the blame.