Note: To some extent, this is a counterpoint to another article of mine titled “Security – Quit saying no… or how to say yes for success”
In IT and IT security you will almost certainly find your fair share of bad ideas. As humans, we tend to follow two paths when presented with such a challenge. Either dismiss the idea outright or go along to get along. As an expert, it is your responsibility to express your opinion, backed by facts and experience, when you see an idea that may harm the company.
First of all I want to be clear, in this article I am talking specifically about projects that may materially harm the company and not projects that are simply suboptimal. Suboptimal projects should always be negotiated to attempt to improve them but save your rare no for the ones that are going to cause significant business damage.
I should also be clear that unless your title happens to be CEO or Owner your no may not stop the project. This is also acceptable as long as you have explained your concerns clearly. You may not have all the details and as an IT professional it’s not your role to decide what risks the company can take on. It is absolutely your job to make sure that the company knows about risks you have identified.
Having gotten all the preliminaries out of the way the thesis of this argument is actually pretty simple.
In your career, there are projects that you will be made aware of that are simply ill conceived and proposed by those in power out of a lack of understanding or to push a personal agenda. If you have built up a reputation for fairness and thoughtfulness, in most cases you should be able to inform or negotiate to an acceptable solution but, there will be some occasions where the person pushing the initiative will not be persuaded or accept compromise.
In the case where there is no compromise to be had, you must first consider who is pushing the initiative and the criticality of the issue you identified. If the issue is minor to moderate and the person pushing the initiative is significantly more powerful than you are you may want to walk away and simply ask the sponsor to sign off on accepting the risk. There is never a good time to die on your own sword for an unimportant battle.
On the other hand, if this is a significant risk it is your responsibility to inform and mitigate the risk to the best of your ability. If you are still not gaining traction, consider that there may be forces at hand that you are not aware of. If after contemplation and discussing your concerns with the sponsor you still feel this is a catastrophic mistake, you have two options. Continue fighting or walk away. I will caution you that in most circumstances walking away is your best career option.
Fighting on against an entrenched opponent with more power has a strong potential to have negative outcomes for you personally. It will drain political capital that you have worked to build. Depending on how nasty the fight gets, it may make the environment so uncomfortable that you are no longer welcome even if you “win”. You have to decide whether these risks are worth the fight.
In short, as a professional, it will, on occasion, be your job to say no but, those occasions should be few and far between outnumbered by negotiated agreement but a huge ratio. When you decide to give a hard no and dig in you should be aware that the person you are digging in against is only fighting back because they equally believe in their position and they think they have the facts or the political power on their side to prevail. Saying no in this position is inherently risky to your career with the company so ask yourself the question is this hill worth the personal and collateral damage the fight will cause? More succinctly, would I be willing to walk away from my current position rather than see this implemented? If you answer yes then you should fight and accept the outcomes positive and negative. If you answer no, then go back up several paragraphs and see my notes about negotiation and asking for risk sign off then move on with your career.
There are times when saying no is the only option the meets you fiduciary duty but if you find that you are saying no continually something has gone wrong.