7 Tips for Strategically Saying 'No' in Cybersecurity
Cybersecurity can’t always be “Department of No,” but saying yes all the time is not the answer. Here is how to enable innovation gracefully without adding risk to the organization.
Question: There are times when cybersecurity teams need to say, “No” to business stakeholders. What is the best way to go about it?
Answer: Saying “yes” in business feels good, but, unfortunately, it’s not always possible. And among security departments, saying no isn’t happening often enough. In their effort to avoid putting roadblocks in front of innovation, security leaders are saying yes too often, according to Rami McCarthy, an industry veteran, leader, and security researcher who blogs on security leadership and management. Instead, a deliberate, strategic no is necessary to ensure security isn’t too permissive. Avoiding these hard conversations can lead to delayed decisions, technical debt, and burned-out teams.
If you need to say no, here are seven tips for doing so in a strategic, clear, and constructive way.
1. Provide context: A flat-out no without an explanation leaves teams frustrated and unclear about risks or alternatives. Security professionals should explain the reasoning behind their decisions and offer actionable next steps, says McCarthy in a recent blog post about saying no.
“Security should not own most risks, so conversations should be about advising a business owner rather than outright denial,” he says.
2. Say no early: The later security intervenes, the more disruptive it becomes. Address potential risks at the earliest stages to allow for smoother course corrections. Avoid “aggressive passivity,” where security hesitates to voice concerns until it becomes too late to address them efficiently.
“Belated nos disrupt delivery, create technical debt, and lead to burned-out teams,” McCarthy says.
3. Offer secure alternatives: Saying no should never be a dead end. Providing secure, preapproved alternatives helps teams achieve their goals safely. Even if the perfect solution isn’t available yet, pointing to a road map fosters goodwill. Offering alternatives helps prevent roadblocks and builds collaboration, McCarthy says.
4. Be consistent: Inconsistent decisions undermine trust and create confusion. Security teams should establish clear policies and standards that allow stakeholders to anticipate decisions. Consistency builds credibility and reinforces a sense of fairness across the organization.
“Inconsistency in saying no leads to stakeholders who don’t know what to expect — and that’s a fast way to lose trust,” McCarthy notes.
5. Align with business goals: Security should not operate in a vacuum. When saying no, it’s crucial to align the decision with business priorities and risk tolerance.
“Security doesn’t just mitigate risk — it enables the company to take smarter, bolder risks,” McCarthy says.
6. Foster open communication: Encouraging dialogue between security and other teams builds trust and lowers barriers. Hosting “ask-me-anything” sessions, lunch-and-learn events, or open office hours can create an environment where security is seen as a partner rather than a blocker.
“Security teams that listen actively and engage in dialogue build a sense of partnership with employees,” says cybersecurity adviser Tom Van de Wiele.
7. Balance empathy with pragmatism: Empathy is key, but it must be balanced with practical decision-making, according to behavioral scientist and cybersecurity expert Jessica Barker, MBE Ph.D.
“Empathy is not about being nice and saying yes when we mean no,” she says. “It’s about reflecting understanding and explaining decisions without being defensive.”
About the Author
Contributing Writer, Dark Reading
Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.