QUESTION: There are times when cybersecurity teams need to say, “No,” to business stakeholders. What is the best way to go about it?
Saying “Yes” in business feels good, but, unfortunately, it’s not always possible. And among security departments, saying “No” isn’t happening often enough. In their effort to avoid becoming roadblocks to innovation, security leaders are saying “Yes” too often, according to Rami McCarthy, an industry veteran, leader and security researcher who blogs on security leadership and management. Instead, a deliberate, strategic “No” is necessary to ensure security isn’t too permissive. Avoiding these hard conversations can lead to delayed decisions, technical debt, and burned-out teams.
If you need to say “No,” here are seven tips for saying it in a strategic, clear, and constructive way.
1. Provide Context. A flat “No” without an explanation leaves teams frustrated and unclear about risks or alternatives. Security professionals should explain the reasoning behind their decision and offer actionable next steps, says McCarthy in a recent blog post on saying no.
“Security should not own most risks, so conversations should be about advising a business owner rather than outright denial.”
2. Say No Early. The later security intervenes, the more disruptive it becomes. Address potential risks at the earliest stages to allow for smoother course corrections. Avoid “aggressive passivity,” where security hesitates to voice concerns until it becomes too late to address them efficiently.
“Belated ‘No’s’ disrupt delivery, create technical debt, and lead to burned-out teams,” says McCarthy.
3. Offer Secure Alternatives. Saying no should never be a dead end. Providing secure, pre-approved alternatives helps teams achieve their goals safely. Even if the perfect solution isn’t available yet, pointing to a roadmap fosters goodwill. McCarthy also thinks that offering alternatives helps to prevent roadblocks and build collaboration.
4. Be Consistent. Inconsistent decisions undermine trust and create confusion. Security teams should establish clear policies and standards that allow stakeholders to anticipate decisions. Consistency builds credibility and reinforces a sense of fairness across the organization.
“Inconsistency in saying no leads to stakeholders who don’t know what to expect—and that’s a fast way to lose trust,” McCarthy notes.
5. Align with Business Goals. Security should not operate in a vacuum. When saying no, it’s crucial to align the decision with business priorities and risk tolerance.
“Security doesn’t just mitigate risk—it enables the company to take smarter, bolder risks,” says McCarthy.
6. Foster Open Communication. Encouraging dialogue between security and other teams builds trust and lowers barriers. Hosting “ask-me-anything” sessions, lunch-and-learns, or open office hours can create an environment where security is seen as a partner rather than a blocker.
“Security teams that listen actively and engage in dialogue build a sense of partnership with employees,” says cybersecurity advisor Tom Van de Wiele.
7. Balance Empathy with Pragmatism. Empathy is key, but it must be balanced with practical decision-making, according to behavioral scientist and cybersecurity expert Dr. Jessica Barker.
“Empathy is not about being nice and saying yes when we mean no; it’s about reflecting understanding and explaining decisions without being defensive.”