Successful ransomware attacks are at an all time high, we are losing the cyberwar, cyber criminals are making more money than ever before and it is only going to get worse, a cyber attack could be as damaging as a nuclear war – the headlines abound with comments such as this. Yet, there are still a lot of postings about how information security should not be the office of No. Really? Information security is a security function, as an information security professional are you really going to say – Yes, sure, go ahead and port that un-scanned software code into our production environment? I would hope you are going to say no you cannot port that un-scanned software code into our production environment. No is not a bad word, it is one that the job requires us to say. If you are offended when someone says you are the office of No- don’t be. To be a security professional no is a good response. I train my team members to say “yes, but” in order to soften the perceived impression of the word no ….. (here’s a clue – “yes, but” is still a no – no matter how you spin it).
However, I have yet to sit in a business meeting and see any of my peers simply say no without being willing to engage in dialogue that would lead to a good and secure solution. So for those who don’t like to say no then do it this way – yes you can put that server with 2 catastrophic exploitable vulnerabilities into the environment after we help you remediate the vulnerabilities or work on additional adequate controls that will allow us to use the server in a safe and secure manner. For me, information security professionals can and should say no, but after doing so we need to be helpful and smart enough to engage in conversations that help the business figure out how to do what they want to do in a way that is cost effective, safe and secure.
In many ways with the types and amount of successful attacks we are experiencing across the U.S. infrastructure being the office of Yes is a far more scary response than saying No to items that put your business at risk.