
SANS Internet Storm Center (SANS ISC) InfoSec Forums


Quoting:

The best way to manage perception on this issue is to allow the business to understand the risk of saying "yes". If they accept the risks because the business can afford the consequences, then often a "yes" is applicable with some conditions, or at a minimum a declaration that the risks are acknowledged and accepted.

Kevin Shortt, 81 Posts, ISC Handler
A good friend once told me that as an industry, we need to change our NO to a KNOW. By knowing the desires of our business areas, we can stop being perceived as the "no police" if our first response to a new idea is anything but a NO. The very worst thing that could happen is that the business areas stop inviting us into their conversations.

Russell, 95 Posts, ISC Handler
Thank you.

Nokta, 3 Posts
This is a constant challenge in our industry. How many security practitioners have been asked to stay away from project planning meetings because we reject everything? I agree that going from "no" to "know" is a good attitude to take on, and we should make sure that our ops/dev folks, PMs, and business leaders understand that when we say "no," we're actually saying "not like that" (most of the time).

Anonymous
