
You're absolutely right. I have two main job functions:

1. Instead of saying "no", saying "not that way, but let's figure this out together".

2. Evaluating risk and modeling threats: "this is who we're protecting ourselves from, and here's what happens if we fail." If a bored teenager on their couch hacked our website, it would be embarrassing because someone without a lot of resources would be able to make changes to our display system, even if no real harm was done. If North Korea hacked our user database, it would suck and be bad for our users, but in practice not too many people are going to get angry at us for being attacked by a hostile nation's government as long as we were doing the right things.

(Note: that's grossly simplified, and it's not like we're "heh we don't protect against nation states".)


