Navigating the Delicate Art of Saying "No" in Cybersecurity
The Importance of Setting Boundaries
There are times when cybersecurity teams need to say, "No," to business stakeholders. What is the best way to go about it?
Saying “Yes” in business feels good, but, unfortunately, it’s not always possible. And among security departments, saying “No” isn’t happening often enough. In their effort to avoid becoming roadblocks to innovation, security leaders are saying “Yes” too often, according to Rami McCarthy, an industry veteran, leader, and security researcher who blogs on security leadership and management. Instead, a deliberate, strategic “No” is necessary to ensure security isn’t too permissive. Avoiding these hard conversations can lead to a culture where security is seen as a partner rather than a blocker.
Building Trust through Open Communication
Hosting "ask-me-anything" sessions, lunch-and-learns, or open office hours can create an environment where security is seen as a partner rather than a blocker. Security teams that listen actively and engage in dialogue build a sense of partnership with employees, as cybersecurity advisor Tom Van de Wiele notes.
Finding the Balance between Empathy and Pragmatism
Empathy is key, but it must be balanced with practical decision-making, according to behavioral scientist and cybersecurity expert Dr. Jessica Barker. "Empathy is not about being nice and saying yes when we mean no; it’s about reflecting understanding and explaining decisions without being defensive."