
Security Needs to Start Saying 'No' Again

The rush to say "yes" allows cybersecurity teams to avoid hard conversations with business stakeholders but also risks losing their ability to effectively protect organizations.

Joan Goodchild, Contributing Writer

January 22, 2025

[Image: a corkboard with six post-it notes of various colors saying "yes," "no," "maybe," "don't know," and "don't care." Source: Marek Uliasz via Alamy Stock Photo]

For years, cybersecurity was frequently (and derisively) referred to as the "Department of No." Business executives griped that in the face of innovation, cybersecurity teams would slap down ideas, list reasons why the project was insecure, and why what they wanted to do was not feasible. Then came a mindset change. As more security leaders were tasked with demonstrating a return on investment for security budgets, security departments started finding ways to say "yes" more often.

But security's effort to shed the "Department of No" label may have swung too far in the opposite direction, according to Rami McCarthy, an industry veteran, leader, and security researcher who writes regularly on security leadership and management.

"Lately, every BSides [conference] seems to have a talk on avoiding the no and reframing security teams as a Department of Yes," McCarthy wrote recently, noting that these talks help create a false premise that saying no is inherently bad and should be avoided at all costs. In the enthusiasm to enable and accommodate, security often overlooks the value of a deliberate, strategic no and how that can create boundaries to protect the organization.

"The Department of Yes talks are inspiring, but they often elide the messy realities," McCarthy tells Dark Reading. "Working in partnership-oriented security programs, I've seen the harm caused by avoiding hard conversations: belated nos disrupting delivery, technical debt, and burned-out teams."

McCarthy believes the goal of security is not to be an obstacle but a guide—and sometimes guiding means saying no in a way that is clear, thoughtful, and constructive. The notion of security as the Department of No has long been criticized for its gatekeeping and adversarial approach. But in the push to reframe security teams as enablers, organizations risk overcorrecting and prioritizing harmony over hard truths, he says.

Saying no is a necessary tool for managing risk and maintaining alignment. Avoiding it entirely can create challenges, such as misalignment, overwhelmed teams, and unmanaged risks, McCarthy warns.

"Security teams can add the most value by reducing low-ROI risks, allowing the organization to focus on higher-ROI opportunities," he says. "This means being selective about when to say no and framing decisions in terms of how they align with business goals. Done well, security doesn't just mitigate risk—it enables the company to take smarter, bolder risks."

The Cost of Avoiding No

Avoiding the word no can have cascading effects, says behavioral scientist and cybersecurity expert Jessica Barker, MBE Ph.D. She argues that a well-considered no, delivered with empathy, can be a service to the organization rather than an obstacle.

"Empathy is not people-pleasing," Barker says. "It's about understanding the perspective of the person or team making the request, reflecting that understanding, and explaining why their request is not possible or why an alternative is a better option."

But there are also risks to saying no too often, says Tom Van de Wiele, an ethical hacker and cybersecurity adviser who has written about why security needs to say yes. The pitfalls of saying no to people too often extend beyond hurt feelings, he says.

"The biggest risk is that people will simply work around security altogether," Van de Wiele says. "Once that happens, data can end up in uncontrolled environments, and the organization loses visibility into who is using what, where information lives, and how it's protected."

The avoidance can lead to shadow IT, technical debt, and temporary workarounds that become permanent, creating significant security gaps.

How to Say No Effectively

So how do security leaders balance saying yes to enable the business with saying no well when necessary? It's not always simple. A poorly handled no can undermine trust and disrupt organizational processes. McCarthy says it's important to avoid giving a no without context, saying it too late, or doing so inconsistently. He also stresses the need to align decisions with business goals to foster trust and ensure stakeholders understand security's role.

Barker emphasizes that constructive communication is critical.

"People often want to be heard and respected, more than anything else," she says. "How communications are received and delivered makes a huge difference."

By aligning security decisions with business goals and presenting them as shared priorities, security teams can build trust and collaboration.

Van de Wiele highlights the importance of open communication, suggesting initiatives like "ask-me-anything" sessions and regular stand-ups to foster a culture of partnership.

"When employees see that the security team genuinely wants to enable their work, they're more likely to follow approved processes and seek guidance," he says.

A Framework for Better Nos

McCarthy suggests several strategies for delivering a constructive no that aligns with business goals and builds trust:

  1. Align on business outcomes: Ensure all stakeholders agree on shared priorities and organizational goals before making decisions.

  2. Provide context: Clearly communicate the rationale for decisions, including the associated risks and how they align with priorities.

  3. Be consistent: Build trust by maintaining clear policies and standards so stakeholders know what to expect.

  4. Demonstrate partnership: Reinforce alignment with business goals by enabling secure pathways or timelines for progress where possible.

  5. Prioritize critical decisions: Be selective about when to say no, reserving firm decisions for significant risks or high-priority situations.

"The most effective strategy is showing, not just saying, that you're focused on enabling the business," McCarthy says. "Look for chances to align security with revenue-generating efforts. Reinforce this alignment and build trust with other teams."

About the Author

Joan Goodchild

Contributing Writer, Dark Reading

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.
