{"id":7035,"date":"2025-01-22T16:30:05","date_gmt":"2025-01-22T22:30:05","guid":{"rendered":"https:\/\/www.darkreading.com\/cyber-risk\/security-needs-start-saying-no-again"},"modified":"2025-01-22T16:30:05","modified_gmt":"2025-01-22T22:30:05","slug":"security-needs-to-start-saying-no-again","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/01\/22\/security-needs-to-start-saying-no-again\/","title":{"rendered":"Security Needs to Start Saying ‘No’ Again"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

For years, cybersecurity was frequently (and derisively) referred to as “The Department of No.” Business executives griped that in the face of innovation, cybersecurity teams would slap down ideas, list reasons why the project was insecure, and why what they wanted to do was not feasible. Then came a mindshift change. As more security leaders were tasked with demonstrating a return on investment for security budgets, security departments started finding ways to say “yes” more often.<\/span><\/p>\n

Security’s effort to shed the “Department of No” label may have swung too far in the opposite direction, according to Rami McCarthy, an industry veteran, leader and security researcher who writes regularly on security leadership and management. “Lately, every BSides [conference] seems to have a talk on avoiding the ‘No’ and reframing security teams as a ‘Department of Yes,'” McCarthy <\/span>wrote recently,<\/a><\/span> noting that these talks help create a false premise that saying “No” is inherently bad and should be avoided at all costs. In the enthusiasm to enable and accommodate, security often overlooks the value of a deliberate, strategic “No,” and how that can create boundaries to protect the organization.<\/span><\/p>\n

“The ‘Department of Yes’ talks are inspiring, but they often elide the messy realities,” McCarthy tells Dark Reading. “Working in partnership-oriented security programs, I\u2019ve seen the harm caused by avoiding hard conversations: belated ‘No’s’ disrupting delivery, technical debt, and burned-out teams.”<\/span><\/p>\n

McCarthy believes the goal of security is not to be an obstacle, but a guide \u2014 and sometimes, guiding means saying no in a way that is clear, thoughtful, and constructive. The notion of security as the \u201cDepartment of No\u201d has long been criticized for its gatekeeping and adversarial approach. But in the push to reframe security teams as enablers, organizations risk overcorrecting and prioritizing harmony over hard truths, he says.<\/span><\/p>\n

Saying “no” is a necessary tool for managing risk and maintaining alignment. Avoiding it entirely can create challenges like misalignment, overwhelmed teams, and unmanaged risks, McCarthy warns.<\/span><\/p>\n

\u201cSecurity teams can add the most value by reducing low-ROI risks, allowing the organization to focus on higher-ROI opportunities,\u201d he says. \u201cThis means being selective about when to say \u201cno\u201d and framing decisions in terms of how they align with business goals. Done well, security doesn\u2019t just mitigate risk\u2014it enables the company to take smarter, bolder risks.\u201d<\/span><\/p>\n

The Cost of Avoiding “No”<\/h2>\n

Avoiding the word “no” can have cascading effects, says behavioral scientist and cybersecurity expert Dr. Jessica Barker. She argues that a well-considered “no,” delivered with empathy, can be a service to the organization rather than an obstacle.<\/span><\/p>\n

“Empathy is not people-pleasing. It\u2019s about understanding the perspective of the person or team making the request, reflecting that understanding, and explaining why their request is not possible or why an alternative is a better option,” Barker says.<\/span><\/p>\n

But there are also risks to saying to “no” too often, says Tom Van de Wiele, an ethical hacker and cybersecurity advisor who has written on the importance of security\u2019s need to say yes. The pitfalls of saying “no” to people too often extend beyond hurt feelings, he says.<\/span><\/p>\n

“The biggest risk is that people will simply work around security altogether. Once that happens, data can end up in uncontrolled environments, and the organization loses visibility into who is using what, where information lives, and how it\u2019s protected.”<\/span><\/p>\n

The avoidance can lead to shadow IT, technical debt, and temporary workarounds that become permanent, creating significant security gaps.<\/span><\/p>\n

How to Say “No” Effectively<\/h2>\n

So how do security leaders balance the need to say yes to enable business but also say \u201cno\u201d well when necessary? It\u2019s not always simple. Delivering a poorly handled “no” can undermine trust and disrupt organizational processes. McCarthy says it\u2019s important to avoid giving a “no” without context, saying it too late, or doing so inconsistently. He stresses the need to align decisions with business goals to foster trust and ensure stakeholders understand security\u2019s role.<\/span><\/p>\n

Barker emphasizes that constructive communication is critical. “People often want to be heard and respected, more than anything else,” she says. “How communications are received and delivered makes a huge difference.”<\/span><\/p>\n

By aligning security decisions with business goals and presenting them as shared priorities, security teams can build trust and collaboration.<\/span><\/p>\n

Van de Wiele highlights the importance of open communication, suggesting initiatives like “ask-me-anything” sessions and regular stand-ups to foster a culture of partnership.<\/span><\/p>\n

“When employees see that the security team genuinely wants to enable their work, they\u2019re more likely to follow approved processes and seek guidance,” he says.<\/span><\/p>\n

A Framework for Better Nos<\/h2>\n

McCarthy suggests several strategies for delivering a constructive \u201cno\u201d that align with business goals and build trust:<\/span><\/p>\n

\n
    \n
  1. \n
    <\/span><\/p>\n
    \n

    Align on Business Outcomes:<\/span><\/span> Ensure all stakeholders agree on shared priorities and organizational goals before making decisions.<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n

  2. \n
    <\/span><\/p>\n
    \n

    Provide Context:<\/span><\/span> Clearly communicate the rationale for decisions, including the associated risks and how they align with priorities.<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n

  3. \n
    <\/span><\/p>\n
    \n

    Be Consistent:<\/span><\/span> Build trust by maintaining clear policies and standards so stakeholders know what to expect.<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n

  4. \n
    <\/span><\/p>\n
    \n

    Demonstrate Partnership:<\/span><\/span> Reinforce alignment with business goals by enabling secure pathways or timelines for progress where possible.<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n

  5. \n
    <\/span><\/p>\n
    \n

    Prioritize Critical Decisions:<\/span><\/span> Be selective about when to say \u201cno,\u201d reserving firm decisions for significant risks or high-priority situations.<\/span><\/p>\n<\/div>\n<\/div>\n<\/li>\n<\/ol>\n<\/div>\n

    “The most effective strategy is showing, not just saying, that you\u2019re focused on enabling the business,” McCarthy says. “Look for chances to align security with revenue-generating efforts. Reinforce this alignment and build trust with other teams.”<\/span><\/p>\n

    Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

    For years, cybersecurity was frequently (and derisively) referred to as<\/p>\n","protected":false},"author":12,"featured_media":7036,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-7035","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/security-needs-to-start-saying-no-again.jpg?fit=2000%2C1125&ssl=1",2000,1125,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/security-needs-to-start-saying-no-again.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/security-needs-to-start-saying-no-again.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/security-needs-to-start-saying-no-again.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/security-needs-to-start-saying-no-again.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/security-needs-to-start-saying-no-again.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/security-needs-to-start-saying-no-again.jpg?fit=2000%2C1125&ssl=1",2000,1125,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/security-needs-to-start-saying-no-again.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/security-needs-to-start-saying-no-again.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/security-needs-to-start-saying-no-again.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/security-needs-to-start-saying-no-again.jpg?fit=2000%2C1125&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7035","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7035"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7035\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/7036"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7035"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7035"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7035"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}