Instead, they should strive to be viewed as the Department of Yes and, where they are fully leaning in to support business objectives, along with the responsibility of explaining and mitigating risks. Saying no and being the Department of No are two very different things and shifting this perception through conversation enables CISOs to educate the company on the risks.

CISOs should seek every opportunity to embed security into new innovations from an early stage rather than giving rise to shadow IT, or having to bolt security on later, or postponing innovation indefinitely.

Turning no into a catalyst for yes

To unlock the power of no, CISOs must track how many times they must decline requests from the business, why, and what it actually costs in terms of potential lost market share. For example, say a CISO has repeatedly been pushing back against a new feature because they don’t have the technical or cultural implementations to support the ask — it’s too risky.