KNOW before NO

Published: 2017-04-28
Last Updated: 2017-04-28 23:48:16 UTC
by Russell Eubanks (Version: 1)
3 comment(s)

A good friend told me that an engaged information security professional is one who leads with the KNOW instead of the NO. This comment struck me and has resonated well for the last several years. It has encouraged me to better understand the desires of the business areas in an attempt to avoid the perception of being the "no police”. 


We are each able to recognize the value in sprinkling in the information security concepts early and often into software development projects. This approach saves each of the stakeholders a great deal of time and frustration. Especially when compared to the very opposite approach that often causes the information security team to learn at the very last minute of a new high profile project that is about to launch without the proper level of information security engagement.


There are certainly projects and initiatives that may very well still warrant a “no” from an information security perspective. Before we go there by default, I respectfully invite us all to KNOW before we NO. I truly believe that each of us can all improve the level of engagement with our respective business areas by considering this approach. In what areas can you KNOW before you NO next week?


Please leave what works in our comments section below.

Russell Eubanks

ISC Handler


3 comment(s)


When I worked at a bank one of our stake holders put a sign on the entrance to the Information Security Department that said “Our motto: If you can do your job, we are not doing ours.” Unfortunately because of the adversarial relationship most departments had with IS, I don’t think it was a joke. IS folks do need to know and understand the business unit’s needs. Thank for a great post.
The statement “Our motto: If you can do your job, we are not doing ours” is sad and not at all surprising. I recall many times behaving like a firewall with a "default to deny" stance when hearing about a new initiative.

Thanks for sharing and supporting the SANS Internet Storm Center!

The problem is not that security-mature security professionals say no, the problem is that security-immature managers ask the wrong questions, don't want to consider risks and want security professionals to take full responsibility.

Like, for example:

- We want to move our HRM and financial administration to cloud company X, is that secure enough? Please answer right away because we want to decide today.

- I just bought portable device X and want to access our file and mail server from that device. I presume that's okay with you?

- We want to save some expenses and run both DMZ servers and internal servers on the same virtualization platform which should be secure enough.

- Our IP-based security camera's and intercom (all mounted outside the building) are securely separated from the rest of the network by using VLANs.

- We want to cooperate with third party Z. They say they have ISO 9001 and ISO 27001 certificates. Okay?

- A photo of a chip (instead of a real chip) on personnel access cards for the US senate suffices, right?

Etc. etc.

Diary Archives