Threat Level: green Handler on Duty: Renato Marinho

SANS ISC: Why's it so hard to say yes? - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Why's it so hard to say yes?
Quoting ZDNet: The average security team has a reputation of saying "no" to everything. This could come down to two things - training and leadership.
ZDNet
The best way to manage perception on this issue is to allow the business to understand the risk of saying 'yes'. If they accept the risks because the business can afford the consequences, then often a "yes" is applicable with some conditions or at a minimum a declaration that risks are acknowledged and accepted. Kevin Shortt

81 Posts
ISC Handler
A good friend once told me that as an industry, we need to change our NO to a KNOW. By knowing the desires of our business areas, we can stop being perceived as the "no police" if our first response to a new idea is anything but a NO. The very worst thing that could happen is that the business areas stop inviting us into their conversations.

Russell
Russell

84 Posts
ISC Handler
thank you Nokta

3 Posts
This is a constant challenge in our industry. How many security practitioners have been asked to stay away from project planning meetings because we reject everything. I agree that going from "no" to "know" is a good attitude to take on, and make sure that our op/dev folks, PMs, and business leaders understand that when we say "no," we're actually saying "not like that" (most of the time). Anonymous

Sign Up for Free or Log In to start participating in the conversation!