The Office of No, Really?

Successful ransomware attacks are at an all-time high, we are losing the cyberwar, cyber criminals are making more money than ever before and it is only going to get worse, a cyber attack could be as damaging as a nuclear war: the headlines abound with comments such as these. Yet there are still a lot of postings about how information security should not be the office of No. Really? Information security is a security function. As an information security professional, are you really going to say, "Yes, sure, go ahead and port that un-scanned software code into our production environment"? I would hope you are going to say no, you cannot port that un-scanned software code into our production environment. No is not a bad word; it is one that the job requires us to say. If you are offended when someone says you are the office of No, don't be. For a security professional, no is a good response. I train my team members to say "yes, but" in order to soften the perceived impression of the word no (here's a clue: "yes, but" is still a no, no matter how you spin it).

However, I have yet to sit in a business meeting and see any of my peers simply say no without being willing to engage in dialogue that would lead to a good and secure solution. So for those who don't like to say no, do it this way: yes, you can put that server with 2 catastrophic exploitable vulnerabilities into the environment after we help you remediate the vulnerabilities or work on additional adequate controls that will allow us to use the server in a safe and secure manner. For me, information security professionals can and should say no, but after doing so we need to be helpful and smart enough to engage in conversations that help the business figure out how to do what they want to do in a way that is cost effective, safe and secure.

In many ways, with the types and amount of successful attacks we are experiencing across the U.S. infrastructure, being the office of Yes is a far scarier response than saying No to items that put your business at risk.

About mclaukl

Professional Certifications - Certified CISO, CISM, CISSP, PMP, ITIL Master Certified, GIAC Security Leadership Certificate (GSLC), CRISC. Kevin also holds Certificates in the Advanced Principles of Information Security and in Advanced Information Security Research Methods from Jones International University. Kevin L. McLaughlin began his career as a Special Agent for the Department of Army. He was responsible for investigating felony crimes around the globe. He has had many careers over the years, including being a Police Officer in Kissimmee, Florida, an Investigator for Mastercard/Visa, a Middle School teacher, a Director at Kennedy Space Center (where he worked with Fred Hayes, James Lovell, Armstrong, Sheppard, etc.), the President of his own company, an IT Manager and Senior Information Security Manager with the Procter & Gamble (P&G) company (Fortune 35), a CISO at the University of Cincinnati and a Senior Information System Security Manager for the Whirlpool Corporation (Fortune 125). Kevin has also been an adjunct since 1992. While at P&G, Kevin created one of P&G's augmentation outsourcing teams in India. Kevin designed and implemented this India team; it won a global Gold Service award from Atos-Origin and has acted as a model for countless corporate relationships since. Over the years Kevin has created an Information Security program, conducted Information Security strategic planning, designed Information Security solutions, investigated over 700 cyber cases and operated a Global Security Operations Center. Education - MS in Computer Science Education, BS in Management of Information Systems, PhD in Cyber Security, University of Fairfax.
This entry was posted in Critical Manufacturing Cyber Security, Uncategorized.
