[dogleash]

Yeah, they're risk analysts, not technologists. That's not inherently bad, you need those. In a previous life I worked in a domain with a lot of risk analysis, by the end I liked a lot of them and they were usually fairly easy to have as stakeholders. But security has a track record of failing to equip the rest of a business with process adequate for the inherent volatility in risk they're supposed to be managing. In the engine room it's still dashing from fire to fire, just with better fire alarms. The things you complain about are precisely the business problems that the security group should be solving. Cybersecurity is important enough that they can get away with overbearing demands without providing holistic solutions for the organization to reach them.