Infosec: Is it Really OK to Say No?

Monday, July 16, 2012

Scott Thomas

As information security professionals we often get the stigma of being "the department of no".

We tend to rain on the parade of everyone who doesn't take a second to think, "Huh... you mean validating input would be a good idea?"

We're the ones trying to make sure that the rest of the IT departments are looking at potential attack surfaces, and always being the roadblock can wear on your psyche.

You start to feel bad saying no so often and want to say yes. You feel that if you don't, you'll start to lose respect and people will stop bringing ideas and projects to your group for review.

So you start saying, "Ok... but what if you add this" or "Have you considered this?"  This works for a while. People see you as an enabler and a business partner. You are the one that can make sure that their app/project/program is successful, as well as reduce the risk.

You're finally in a win-win, right? But what happens when you *have* to say no? Where are you left when there is no choice but to say, "Really.... No. You can't put your application with the unencrypted customer payment database out on the internet as world-readable. I don't really care how much time/money you saved by doing it that way."

(I hope no one has ever had to have that conversation in real life.)

We all know it's a business decision on what risk to accept and what to mitigate or transfer. Sometimes you need to step back and say, "Ok, it's your deal but we warned you." Other times you need to stand in front of that bus and get run over.

When to do each is a personal decision and can depend on regulatory requirements, your personal feelings or even your professional reputation.

I wish I knew who tweeted it first, but someone in my stream the other day said something akin to, "It's our job to see the iceberg, not steer the ship". I believe this is how we need to see things. [1]

Our job isn't to run the business or set direction, our job is to tell the ones at the helm that building a boat out of tin foil is a bad idea. 

I think we need to change the sign on the door from "Department of No" to "How does this affect our risk posture?" and realize that even then, sometimes you need to say just... "No."

[1] *EDIT* The person who started the term "our job is to see the iceberg, not steer the ship" was @randomuserid on July 10th. Thanks to him for allowing me to attribute the quote to him. *EDIT*

Cross-Posted from Secureholio

John Nicholson

Traditionally the legal department has had the reputation of the "Department of No," creating a vicious circle: business hides things from legal until the last minute for fear that legal will delay them, legal then examines the project and says, "Did you think about ..." and, frequently, says, "You can't do this until you address ..." which fulfills the business team's fears.

Until we can break the cycle and get everyone to believe that it's better and more efficient to include the compliance/risk mitigation experts in the process from the beginning, this process will repeat itself.
Kathleen Jungck

Scott, I don't think of my position as saying "No" or being a roadblock but rather as consequence avoidance, much like the parent of a teenager. At the end of the day, we don't steer the ship; our jobs are to help identify those icebergs, identify ways to get from point A to point B without running into said icebergs, and if the navigator chooses not to heed our advice and does clip one, having mitigation plans in place to survive it.

John, I agree, prevention and education are always preferable to mitigation and I believe they are severely undervalued and underfunded. Unfortunately, in our current environment, features are driving the revenue and security is "just supposed to be there".
Gregory MacPherson

Yes, I have had that conversation in real life, and yes, it ultimately cost me the position. Of course, three months later the person who let me go came around and realized that I was completely correct, essentially vindicating my objections. Unfortunately I had already left the building. Small consolation prize.

It is not about risk posture; it is about integrity. Granted, the inherent lack of social skills of technicians and the ignorance and short attention spans of the unwashed managerial masses do not mix well. Suffice it to say that people whose main goal in life is to 'maximize shareholder value' are NOT the proper people to be making engineering decisions. There needs to be a Chief Engineer (Scotty) who is responsible and accountable to the business people on matters pertaining to Infosec. That Chief Engineer needs to be an engineer, a CS graduate, not an MBA or CFO or other non-technical person. And part of their job description should include being able to be antisocial (and even downright vulgar) if and when they deem that the level of ignorance merits such behavior.

One salty haired engineer put it to me this way: when he was asked by the head business ch0ad why everyone else in his department always agreed with him and this person always argued with him, his response was, "Their job is to kiss your ass, and my job is to cover your ass!"
