"The security guy always says no" is a phrase that is heard all too often. Unfortunately, it is usually a phrase grounded in the reality in which people work. Even where it is not actually the case, people will often believe it is. Perception is reality.
Information security has a bad name. We are the people who always tell others that they cannot do certain things in the way they feel they need to do them. Often, we do not even give them real reasons: "because that would not be secure" is not sufficient. For a child, there is nothing as frustrating as a parent saying "because I told you so."
When addressing requests from users, the most important thing to remember is that an information security professional is a service provider, and service providers never say "no". It is in our best interest to keep our users happy, to guide them, and to educate them about how to go about certain things. If we really feel that a request is unreasonable, we should be able to convince the requestor of that, and have them withdraw the request themselves.
The person saying "no" should not be the information security professional. Our job is to identify risk, and to have someone else decide whether that risk is acceptable. Once that decision has been made, we design, implement, and operate security controls that help people do their jobs better.
We do not say no. Business representatives do.
By constantly reminding everyone in the organization that we are not there to make their lives harder by blocking them from doing things a certain way, but to make their lives easier by providing them with reliable information and reliable information systems, we will be looked on much more favorably.
Once we have the reputation of being there to help make things better (remember, perception is reality!), people might even come to us for input while a project is still young, when our advice is cheapest to act on.