Is it really OK to say ‘No’?

*EDIT* The person who coined the phrase “our job is to see the iceberg, not steer the ship” was @randomuserid on July 10th. Thanks to him for allowing me to attribute the quote to him. *EDIT*

As information security professionals we often get the stigma of being “the department of no”. We tend to rain on the parade of anyone who doesn’t take a second to think “huh…you mean validating input would be a good idea?” We’re the ones trying to make sure that the rest of the IT departments are looking at potential attack surfaces, and always being the roadblock can wear on your psyche. You start to feel bad saying no so often and want to say yes. You feel that if you don’t, you’ll start to lose respect and people will stop bringing ideas and projects to your group for review. So you start saying “Ok…but what if you add this” or “Have you considered this?”

This works for a while. People see you as an enabler and a business partner. You are the one that can make sure that their app/project/program is successful, as well as reduce the risk. You’re finally in a Win-Win, right? But what happens when you *have* to say no? Where are you left when there is no choice but to say “Really….No. You can’t put your application with the unencrypted customer payment database out on the internet as world-readable. I don’t really care how much time/money you saved by doing it that way.” (I hope no one has ever had to have that conversation in real life.)

We all know it’s a business decision on what risk to accept and what to mitigate or transfer. Sometimes you need to step back and say “Ok, it’s your deal but we warned you.” Other times you need to stand in front of that bus and get run over. When you have to do each is a personal decision and can include regulatory requirements, your personal feelings or even your professional reputation.

I wish I knew who tweeted it first, but someone in my stream the other day said something akin to “It’s our job to see the iceberg, not steer the ship”. I believe this is how we need to see things. Our job isn’t to run the business or set direction; our job is to tell the ones at the helm that building a boat out of tin foil is a bad idea.

I think we need to change the sign on the door from “Department of No.” to “How does this affect our risk posture?” and realize that even then, sometimes you need to say “Just…No.”

One thought on “Is it really OK to say ‘No’?”

  1. I agree with the iceberg/steering idea. We should present the risks/rewards and options, but someone above us usually makes the decision, ultimately. In a better world, the experts should always win out, but that’s not innovative, or cool, or whatnot.

    I think this is one of the bigger benefits of compliance: it says “No” for us. You do this, you lose compliance, you can’t do this other thing anymore. Basically it says what we’d like to say.

    It also should be mentioned that there’s no universal security answer for every company, which means way too many of our decisions and situations are unique/subjective. John down the street doesn’t do it this way, so why do we?

    At some point, though, we do have to understand and cultivate the professional respect to be able to say no and still Get Things Done. You tell kids no, law enforcement tells people no, we can all be Big Boys at work and say no now and then when something really is a bad idea.

    Or twist it into a decision rather than a No, just like the decision-maker is going to do anyway. “Well we have option A or option B, and I’m choosing Option A.” That’s still a “No” for option B without saying no. 🙂

    (Flowing further off into a tangent: This is also the *real* crux of the “security needs to align with IT” nonsense that still gets bandied about. The real problem is security wants perfect security and says no to anything but doing it the right way from their perspective. But for most normal business, security needs to compromise on some things and move on when that bus rolls through and a decision is made that isn’t optimal just for security. Security doesn’t need to “align,” it just needs to work with what it can.)

