Building a Security Team that Never Says “No”

One of the most prevalent perceptions of any security team is that they just always say “no,” that they will be a blocker to progress and slow things down. This leads to teams circumventing the security process, lack of support from leadership, and an inability to implement any good new security measures. It’s a story that we all have seen time and again throughout the industry.

As more companies are starting to understand, having a strong security culture doesn’t necessarily mean having to always be a blocker. Instead, implementing a security program with the mindset of never saying no to any request or new idea can enable the security team to effectively implement security controls and improve the company’s security posture at a rapid pace in collaboration with the business instead of fighting against it. And doing it all even with a smaller security team.

Learn about the concepts and frameworks that companies like Indeed have established to enable this remarkable change, the mindset that is needed within the security team to make them successful, and how avoiding a single word can lead to dramatic changes in perception.

The alternative is:

Nick Leghorn is currently the Director of Application Security at the New York Times, and previously built the Security GRC team within Indeed from the ground up using these same principles. Nick has spent his career working for a number of large companies with complicated environments including Rackspace Hosting, Shoretel, Mitel, and Indeed improving the security of both the infrastructure itself as well as the processes within the company.

About Nick

Nick Leghorn is the Director of Application Security at the New York Times. After graduating from Penn State University with a degree in Security and Risk Analysis, his first job was working for the U.S. Department of Homeland Security quantifying terrorism risks and identifying mitigations to provide the best risk reduction for each dollar spent. Nick has spent his career working for a number of large companies, including Rackspace Hosting, Shoretel, Mitel, and Indeed, improving the security of both the infrastructure itself as well as the processes within the company.

This session was presented at a SecurityInstitute.com-sponsored cybersecurity conference.

Building Teams That Embrace AI Without Losing Discipline

Security teams that say "yes" to the business now face a harder question: how to say "yes" to AI adoption while maintaining security discipline. Teams need engineers who understand both traditional threat models and AI/ML attack surfaces — prompt injection, model poisoning, training data exfiltration. The security team that never says no must now evaluate AI tools, set guardrails for LLM usage, and validate autonomous system behavior. The Morpheus Cyber podcast covers how security leaders build teams that embrace convergence-era technology without compromising fundamentals.
