
The Evolution of Cybersecurity: From "Department of No" to "Department of Yes"

For years, cybersecurity was frequently (and derisively) referred to as the "Department of No." Business executives would complain that in the face of innovation, cybersecurity teams would slap down ideas, list reasons why the project was insecure, and why what they wanted to do was not feasible. However, this mindset began to shift as more security leaders were tasked with demonstrating a return on investment for security budgets.

As a result, security departments started finding ways to say "yes" more often. But security's effort to shed the "Department of No" label may have swung too far in the opposite direction, according to Rami McCarthy, an industry veteran, leader, and security researcher who writes regularly on security leadership and management.

The False Premise of "Department of Yes"

"Lately, every BSides [conference] seems to have a talk on avoiding the no and reframing security teams as a Department of Yes," McCarthy wrote recently, arguing that these talks rest on a false premise: that saying no is itself the problem. A team that optimizes for yes, he contends, loses the ability to make the hard calls that matter and ends up unable to prioritize its security efforts.

Prioritizing Critical Decisions

McCarthy emphasizes the importance of prioritizing critical decisions and being selective about when to say no. This means reserving a firm "no" for significant risks or high-priority situations, rather than spending it on routine requests. The rest of the time, he advises security teams to focus on enabling the business and aligning security with revenue-generating efforts.

"The most effective strategy is showing, not just saying, that you’re focused on enabling the business," McCarthy says. "Look for chances to align security with revenue-generating efforts. Reinforce this alignment and build trust with other teams."

By adopting this approach, security teams can strike a balance between being proactive and being selective: saying yes where the risk is acceptable, and saying no, credibly, where it is not. The result is more effective security decisions and a "no" that carries weight when it is used.
