Mindset change is key to nurturing cybersecurity innovation
Shifting mindset to harness risk, not just avoid it
When people talk about innovation in cybersecurity, they often focus on tools, technologies or frameworks.
But in my view, one of the most powerful and overlooked shifts has to do with changing mindsets.
Chief Information Security Officer at Nasuni.
The strongest organizations I’ve worked with are the ones that learn how to measure and harness their risk, not just avoid it.
They don’t respond to new ideas with, “We can’t, because…” but instead with, “Let’s see how we can make this happen, safely and with the right controls in place.”
Security as a competitive edge
This rethink of culture doesn’t just reduce risk, it helps organizations build competitive advantage.
When a CISO and their team are clear and communicative on where the business is and is not comfortable taking risk - in short, the business’s risk appetite - the organization is in a much better place to respond to market change.
That confidence comes from strong risk frameworks, open dialogue, and a shared understanding that effective security is a business enabler, not just a gatekeeper.
Open perspective
What makes a real difference is when people in different departments or business units bring an idea to security colleagues and they’re met with an open perspective of, “Let’s see how we can find a way to do this safely.”
That kind of response builds trust and opens the door to collaboration. When teams know that their security function is there to help them succeed, and not just to say no, they’re much more likely to ask, "Can we do this?" in the first place. It creates a culture where innovation and protection go hand in hand.
A couple of examples show the benefits:
Take an organization keen to move to more agile operations: if the security department can make an early commitment to partner with specific lines of business seeking to use faster cloud applications, it can help business unit colleagues devise a strategy in conjunction with solutions architects and trusted cloud providers to derisk and streamline cloud migration - rather than quickly veto such innovation requests on the grounds of unacceptable risk.
When security is baked-in from the beginning, rather than bolted on at the end, everyone involved in the process is happier.
Similarly, an open-minded security function will help the C-level and other departments develop a data-centric development strategy to create the foundations for machine learning and AI tools - without defaulting to data compliance risk arguments to rule out such innovation pathways.
Some business challenges will need wider collaborations between CISOs and other corporate functions: for example, World Economic Forum research in 2025 found that 66% of respondents believe that AI will affect cybersecurity in the next 12 months, but only 37% have the processes in place for safe AI deployment. Surely there is no bigger case for open minds and deeper collaboration?
Saying no, driving up risk
The opposite approach, where departmental colleagues assume that security will simply block the idea and so don’t make the request in the first place, introduces far more risk.
That’s when you end up with teams starting their own shadow IT and shadow development projects, with inadequate controls and insecure workflows, and the CISO finding out about a risk only after it’s manifested into an incident.
By saying no too often as a security professional, you don’t eliminate risk – you just drive it underground and contribute to longstanding issues. Gartner research in 2022 found that four in ten employees were already using some form of shadow IT. With the boom in browser-based AI tools, I can only imagine what that number is today.
Clear parameters
Of course, not every innovation or leftfield request gets the go-ahead. But a principled yes, one that includes communicating clear parameters and safeguards, is far more powerful than a blanket no. It means security becomes part of the solution from the outset.
It helps ensure the organization remains robust and secure in its operations while empowering teams to experiment and grow.
Agile applications and business processes with inbuilt cybersecurity differentiate and boost organizations' responsiveness. This openness, innovation and competitive edge is what good security delivers in practice.
I challenge other cybersecurity professionals to model this mindset shift and encourage others to embrace it. Because in a fast-moving threat landscape, curiosity and collaboration are strategic strengths for an organization. And businesses that harness their risk, rather than run from it, will build a powerful competitive advantage.