When the business comes to you with an unrealistic request, how do you turn that “no” into a strategic “yes, here's what we can do instead”? Can you say “no” while also giving the business what it wants?
Usually the unrealistic request is "we want to implement X" where X is a system they have seen/used elsewhere.
This can be easily turned around into the question "what's the problem you're trying to solve?" and focus on the outcomes.
If you give them a hard no you will create friction; by turning it around into a problem-first view, you can potentially line up what they want with your broader roadmap.
Great question! Security must always position itself as an enabling partner rather than a blocker or cost center. Our role isn't to simply say "no," but rather "yes—here's how we can achieve your goals securely." By clearly aligning cybersecurity investments with the business's overall strategy, we demonstrate how security actually enables innovation, protects revenue, and strengthens our competitive position.
To quote Simon Sinek, it's essential we "start with why." When the business makes an unrealistic or risky request, we need to understand the underlying objective driving it. What's the foundational reason behind their request? Once we've identified their core need, we can present secure, practical alternatives that still accomplish their goal.
If viable alternatives are limited or nonexistent, and the original request poses substantial risk, our responsibility is to clearly articulate this risk in business terms: What's the potential impact to intellectual property, customer trust, compliance, profitability, or brand reputation? Ultimately, if the business decides to accept the risk, clarity around accountability—who exactly is accepting and owning that risk—is critical.
I think you first need to have a conversation to understand the actual need. Far too many times I have seen that what is asked and what is needed are two different things. The next step is to see what can be offered. Maybe you cannot get to a full yes, but you can get to something. Remember that every engagement / interaction helps build the relationship for the next encounter. A quick no will never help you build the relationship equity that you will need in the future.
I believe it is important to show the business that you 'heard' their ask fully and completely first. I typically do this by documenting their request, either into a simple visual diagram or perhaps a requirements-type document, to again show them that IT has 'heard' their request. I then fast follow that with a written presentation showing different options, including the option they initially asked for and alternative options from IT. I would then mark the preferred option from IT as 'recommended' and list the reasons why.