You are currently viewing Why Cybersecurity Can’t Just Say “No”

Why Cybersecurity Can’t Just Say “No”

There was a time, not too long ago, when there were only a limited number of ways to accomplish a computing task. Whether you were building a website, setting up a new computer, or installing software, your options were limited – if there were any. That time is over.

Now, any type of product or service can be acquired easily and with minimal effort, and usually at very low or no cost. When circumstances change, experts must adapt or see their expertise become irrelevant or even harmful. Information security services and the consultants advising them need to understand that simply saying “no” should not be accepted.

Saying “no” leads to permanent temporary solutions

If you say “no” to an employee who asks to transfer a large file via an alternative solution because email cannot be used, the transfer will almost certainly happen, and it will be via a free cloud service out of control of the company. Now, internal company data will potentially be stored forever in a cloud service somewhere in the world – usually in the United States – where it can potentially be accessed or compromised by third parties. On top of that, no one will have any indication of how much data was exposed, for how long, and by whom. And what was known will slowly erode as employees move in and out of different departments.

As the saying goes: nothing is as permanent as a temporary solution. This is equally true for actions taken by employees on their own behalf, both before and after a breach.

While the security department denies a request with a simple gold-plated “no,” the problem won’t go away just because the business need won’t simply go away. On the contrary, this slight problem could be the smoldering ember that triggers your next security incident. Then, incident responders will get awkward silences instead of answers to their questions, preventing a quick and thorough investigation.

Companies need clinicians, not gatekeepers

So rather than trying to behave like palace guards trying to enforce the security policy of the organization, we need to behave more like doctors.

We need to better explain why something isn’t possible, what kind of risk it might entail in the short or long term, and most importantly, ask why the question was asked. This is the best way to find out what the root cause might be: by asking thoughtful questions back to the original question and taking notes.

There is no shortage of short-sighted ideas when it comes to decision-making. But ignoring the reasons why certain requests were made could have real and potentially dangerous consequences.

So how do we move beyond “no”?

Be accessible

Questions are good. And most questions come from a good place, trying to achieve something that fits the mission of the company. Hardly anyone wakes up in the morning trying to find new ways to make their own job or service miserable by actively trying to sabotage it. Most ideas come from a legitimate challenge or observation.

Be aware that not everyone is aware of threats and the potential impact of certain decisions that could expose the business to attack or make any successful breach more severe and costly.


Listen instead of waiting for the conversation to be over, nodding politely.

Really listen, because companies are far from perfect and documentation is rarely correct or complete. Real-world knowledge of how things work lives with your employees. Treat them with respect and listen to them while asking them what they are basing their observations on, how a use case can be made of the situation so it doesn’t go away, and to see what can be done to bring the necessary changes.

Do this before employees get demoralized and end up taking matters into their own hands. There is nothing more potentially destructive than a loyal employee who has stopped asking questions.

Be constructive and informative

Ultimately, IT security is about protecting the business from harm – financial damage, operational damage, reputation and brand damage. You are trying to prevent a situation that will harm not only the well-being of the company, but also that of its employees. That’s why we need to explain real threats and how incidents happen.

Explain what steps can be taken to reduce the risk and impact of these incidents and show them how they can be part of it. People like to learn new things, especially if it has something to do with their daily work.

Explain the trade-offs that are made, at least in general terms. Explain how quickly convenience, such as running a machine as administrator, can lead to abuse. Not only will companies appreciate you for your honesty, but they’ll have the right answer the next time the question arises. They will think through constraints and find new ways to add value to the business, while removing factors from their day-to-day work that could result in one less incident down the line.

Level with your colleagues

Everyone has an area of ​​expertise, and we have to respect everyone’s job and responsibility, but human beings are human beings, and computers and security policies impose a certain way of thinking and acting, which can lead to power plays between individuals or departments.

No one wants to sit in the middle of these kinds of tennis matches or hellish encounters. So keep discussions fact-based and try to keep emotions and stigma as low as possible. Ultimately, everyone should be working towards the same goals. Trying to blow out a department’s candles does not make your candles brighter.

Respect the corporate culture

Trusting your employees is important and a vital part of anyone’s job. Being able to work in a team would not be possible without it. Yet trust is not a security model and it is certainly not scalable. Whatever measures are taken to ensure that employees and their work, data and end customers are under control, they must take into account the culture of the company.

The culture of a company is not fixed and must evolve with its employees and with the times. Understanding where a business stands when making a cybersecurity decision will make everyone’s life easier.

The best security is invisible, imperceptible. But it must come with the understanding and realization that just because you’re not facing a particular threat doesn’t mean it doesn’t exist.

Leave a Reply