Information Security is an occupation filled with professional cynics, curmudgeons and defeatist who are often proud of that role and at the same time do not understand while they are not included in decision making in their companies.
I think some security professionals think that Mordac is a role model:
A mentor of mine who is a CISO for a large organization has this quote hanging in his office:
Successful people find a solution for every problem and unsuccessful people find a problem in every solution.
We ended up having a fairly long discussion around this quote and he walked me through his basic rules of saying no.
Never Say “No” when you mean “I don’t know”.
If you are in a place to help make a decision an acceptable answer is always “I don’t know, I need to think about it”. If it isn’t you aren’t being asked you are being told what is going to happen.
No isn’t a solution.
You are being paid to provide solutions to help your company become more secure. Saying no makes other employees find reasons to work around you. No one wants to be insecure they just want to be productive.
Saying “No” make you a target.
Saying no means you are not helping. You are leaving someone else without a solution for their problem and giving them someone to blame.
Sometimes there isn’t a good solution to a problem an you just have to tell people no. You are now not acting as a problem solver but as a sanity check. If you get too many of these types of questions it probably time to brush up your resume.