Instead, they should strive to be seen as the Ministry of Yes again, fully committed to supporting business objectives while remaining responsible for defining and mitigating risk. Saying no and being a Department of No are two very different things, and changing this perception through conversation enables CISOs to educate the company about risk.
CISOs should seek every opportunity to embed security in innovation from the start, rather than risking IT's reputation, having to tighten security over time, or postponing innovation forever.
Turning no into a catalyst for yes
To unlock the power of saying no, CISOs must track how often they have to turn down requests from the business, why, and how much it costs in terms of potential lost market share. For example, say a CISO has been resisting a new feature because the organization doesn't have the technology or culture to support the request: it's too risky.