Being able to prioritize and being able to say no are two closely linked critical skills for cyber security leaders. The linkage is strong. Without being successful at one, it can be very difficult to be successful at the other.
Don’t get me wrong. The learned and practiced skill of being able to say no is really about the ability to say, “yes”.
No to the wrong things, and yes to the right things.
Yes should be driven by your cyber program’s priorities. And, if your priorities are truly aligned with the organization’s strategy as they should be, saying no should make more common sense than saying yes.
Think of your priorities as a set of pre-negotiated yes answers.
Being able to say no means that you have a prioritization that other stakeholders agree is working.
Over time and with confidence in your priorities, your non-cyber executives should begin to be able to predict your response to disruptive work.
No, as in “No, this disruptive work isn’t a priority.”
No, as in “not now, but this will become a priority at some point so let’s find space in the future.”
Yes, as in “yes, we didn’t foresee this. Let's reprioritize something that we are working on, get to a good stopping point, and get started on this.”
The hardest no should be to the assumption that you’ll just keep adding low priority work in with high priority or take on more high priority work than the team is scoped for. Your team will end up swamped. Worse yet, it’s hard to make the point that your team needs more resources when the leader keeps saying yes.
Good leaders can say yes to the right high priority work by saying no to less important work.
Your ability to say no reflects a lot about your leadership and the effectiveness of your priorities.
Say no more often.
Like what you've read enough to follow me on Twitter? @Opinionatedsec1.