They are only mutually exclusive if your business and product management teams deprioritize security. In my experience, the typical reason that security gets neglected (as opposed to just making reasonable trade-offs) is that management and product management both care too much about just shipping shiny things and don't care enough about doing right by the end user. I've seen better and worse teams. Most teams fall into a category of "you're lucky you're not big enough to be a target."
General best practices I can think of, in broad organization level strokes:
1. Make sure security is implemented at the dev ops layer through practices such as logged just-in-time access to production systems, secret vaults for service keys and certificates, airgapped machines for handling secret keys, etc.
2. Make sure security best practices are implemented by default into your API's (CORS, TLS 1.3, whitelist based firewalls between services that shouldn't need to talk to each other, etc.) and make it transparent to the API caller, at least when it's your own services talking to your own services.
3. Make security an element of design and code reviews. Square, for example, did this by having subject matter experts advise teams on security design when projects were still in the ideation/design phase.
Ultimately, security costs a non-trivial amount of time, and it requires training your developers to be able to reason about security.
General best practices I can think of, in broad organization level strokes:
1. Make sure security is implemented at the dev ops layer through practices such as logged just-in-time access to production systems, secret vaults for service keys and certificates, airgapped machines for handling secret keys, etc.
2. Make sure security best practices are implemented by default into your API's (CORS, TLS 1.3, whitelist based firewalls between services that shouldn't need to talk to each other, etc.) and make it transparent to the API caller, at least when it's your own services talking to your own services.
3. Make security an element of design and code reviews. Square, for example, did this by having subject matter experts advise teams on security design when projects were still in the ideation/design phase.
Ultimately, security costs a non-trivial amount of time, and it requires training your developers to be able to reason about security.