Chapter 11. “No” May Not Be a Strategic Word

Brian Gibbs

“No.” It is the easy way out, so delete it from your vocabulary.

As an information security professional, you are generally working for someone in an organization. The simplistic goal of an organization is to make a profit. Your role is to help that organization understand and accept risk. Security is a balance: you can be 100% secure and 0% functional, or 0% secure and 100% functional. Helping the organization find the correct balance is your role.

How do you go about saying no? You simply do not start with no. If you are in senior leadership, ask to schedule a meeting to review the idea or item in more detail. Then ask probing questions about this idea or item. You may surprise yourself with the additional information you gather. The initial no reaction may start to fade away as ideas emerge for making the item more secure and enabling the organization to proceed in a safe and secure manner. Even if you still “feel” the answer is no, you should document the risks and present them back; if the organization decides to accept the risk, that is fine. You did your part by establishing the known risks and learning more about the idea or item without saying NO!

If you are a more junior member of the team, you can assist as requests come in by applying similar processes. It never hurts to pick up the phone or schedule a quick meeting (even 15 minutes) to ask more probing questions. You may have assumptions about the request, and learning more may open new ideas on how to fulfill the request while reducing the organization’s risk. It may be necessary to escalate to someone who has liability within the organization. Liability here means having a financial stake at risk. The person(s) who may accept risk may be a board of directors, a CXO, or even a VP. Depending on your organization’s policies, they generally can accept liability. The process also keeps you from being the person who says NO! Your role was to review the risk and provide guidance so that a liable person accepted the right level of risk for your organization.

When all else fails, apply a 72-hour rule when your initial reaction is NO. Take those other meetings, do the additional research, and help profile the organization’s overall risk. If, after the 72 hours have passed, the answer is still NO, proceed to present your findings. Taking the emotion out of the process will elevate you within the organization and help you gain more respect.

In closing, consider the organization’s purpose. How will this new product, idea, or process affect the risk profile and profit of the business? Does it advance the mission of the organization? Be the enabler, known as a partner to the organization, not the person who says NO and is known as the blocker.
