InfoSec Teams: Getting Comfortable Saying “No”

Any Chief Information Security Officer will tell you that the work we do is never ending.

It’s never ending because there will always be insecurity systems, or insecure people, or a combination of the two. A Security person’s job is never done.

We recognize that the supply of Security personnel is not infinite; many Security Pros will take a “risk based approach” to deciding what to work on, and what not to work on. For example:

  • Some CISOs, in some industries, can monetize their assets, systems or data. In other words: “If system X is not available for 30 minutes, it will cost us $10 million dollars in lost memberships”.
  • Some CISOs can evaluate the life impact: ”If this system is hacked, a person will die.”
  • Some CISOs can do none of these things, so resort to a legal/regulatory view: “If the data in this system is compromised, it will cost us $10 million in fines.”

So, you would make a call to work on issues affecting the most expensive system, or the system that will impact the most lives, or handle the most regulated data.

Some of us, particularly those of us handling multiple industries at once (hello Higher Education) have to evaluate different risk elements against each other. What’s a life worth in terms of reputation, or fines? If a system is compromised and starts spamming so the whole email system shuts down, what’s the impact of that compared to data integrity of another system? Can one system with no critical data cause a critical impact? (The answer is yes, actually it can). What if this happens at the end of a sales cycle, or during peak enrollment times, or during the biggest football game of the year?

Fortunately, these questions are typical risk-based decisions, taught at any business school (phew — what a relief!):

Risk = (Likelihood x Impact) — Compensating Controls = Return on Security Investment, etc. etc. blah blah blah.

CISO’s understand this equation. This is not their problem on a day to day basis.

The CISO’s problem is that we have only so many staff to go around, to respond to the Security needs of the business, the vendors, the customers, the stakeholders. Let us not forget the demand generated by the crooks, the social cyber activists, the nation state actors.

The Catch 22 is that we have an historical reputation of being the team who says “No” — as in, “No, you can’t do that, what a bad idea” but we cannot say “Yes, and let us help you” to everything.


Any self-respecting CISO has tried a bunch of things to compensate.

Teach Them To Phish

The theory goes that if you make folks more Security-aware, they will behave more securely, resulting in fewer incidents requiring Security support. If you train them on Security stuff, they can manage their own security, taking the burden off the core Security team to be everywhere at once. Great. Check.

Make Security Services Easier To Use

Here, the theory is that an easy-to-use Security tool is used more often, by more people, resulting in less Security overhead. I haven’t seen any data to say this is true — but it’s a nice theory and I’m willing to run with it, for a while anyway.

Improve The Pipeline

Related image

Internships, Bootcamps, Hackathons — bring more folks to the Security profession. Yes! Absolutely, improving the Security talent pipeline is a priority for many of us — but at the micro-team level, this only helps fill the finite positions, it doesn’t help with the infinite demand.

Make Security Teams More Agile

CISOs are constantly training their teams on new techniques and technologies — both to respond to the emerging technology utilized in our industry (hello Blockchain! Howdy AI!) and to enable a single person to be effective in more than one role.

All these things have helped reduce demand for Security services, and increase supply of Security talent — but none of this is enough to close the Security Skills Deficit Gap.

CISOs have pivoted from being the team of “No” to the team of “Let me help you put lipstick on that pig of an idea” — but we have more pigs than we can possibly handle. So, what are our options?

There are no appropriate responses when the resulting outcome could be catastrophic, yet this is exactly the situation we find ourselves in. This leads me to:

Get Used To Saying No

CISOs have to get comfortable with letting stuff go, without losing sleep that they made the wrong risk decision.

Business Associates need to take ownership of the decision to move forward without Security’s support or guidance, and be ready to own the consequences of that decision.

Boards and Leaders need to get comfortable that things will, inevitably, slip through the cracks, and that no amount of cyber insurance will be enough to transfer the reputational damage this will cause.

Policy makers will have to get used to the reality that a security incident isn’t always due to business malfeasance, and stop punishing companies that are making good faith efforts to attend to security issues but who nonetheless experience a reportable issue.

Customers will have to get used to the risks to which they are exposed, and accept that doing business in the modern economy will result in their information being compromised — and that there is nothing they can do about it except to choose not to share their information (if it’s not too late).

Most of all, Security professionals in the Security teams need to get used to it. Most folks in Security are there because of an almost fanatical belief that they are doing a Good Thing in the World, and that they have a Duty to do this as much as possible. This leads to burn out, with long term mental and physical health implications. CISOs need to give their teams permission to say “Carry On Without Me”, and to be comfortable doing so.

I know that getting used to saying “get used to it” is a nihilistic philosophy for a CISO to adopt. Am I throwing in the towel? Am I conceding defeat? No, I am not.

There is still value in the Security effort, there is poetry in the fight, there is nobility in the cause.

I would like to think I’m being pragmatic. No Security solution has come forward to guarantee the safety of our data or our systems, and I see nothing on the horizon that makes such a promise. So let us stop making the Security team the front, middle and back lines of defense in an unwinnable war. Let us recognize that we’ll win some, and we’ll lose some, and that sometimes the losing will hurt — a lot — but it’s a cost of doing business and we will do our best to pick ourselves back up and soldier on.

We owe ourselves at least this much.