The wrong way: call it a “best practice”
- Once I found an internal system that was logging usernames and passwords in plain text
- In trying to educate the client about the right way, I used the term “best practice.”
- The customer heard “best practice” and treated it as a matter of opinion.
- I had to explain the danger of those credentials leaking out much more thoroughly than I would have if I had simply presented it as what it was — a security risk
The right way: adhere to the law
- Sometimes you’ll be asked to write
- Companies may not understand that they’re mishandling sensitive information, but they will understand the risk of a privacy lawsuit
The wrong way: raise the concern without any
- Organizations tend to think they’ll just bring a security guy in to deal with the security stuff. If you’re not prioritizing security from the beginning, you’ll get burned
- At a high level, organizations say that security is super valuable. The farther you go down the line, the less people
- IT security needs to be raised as a cross-cutting concern. Without buy-in throughout the organization — from middle managers to the highest decision-makers — your message will be shot down
The right way: educate them in a way that appeals to
- The big issue is simply saying it in the first place. The right thing to do is to deal with it. You have a responsibility to your client to raise it.
- Part of the issue is that clients, especially middle management, aren’t aware of the questions to ask in the first
- You have to communicate the risk of not addressing the problem in order to communicate the benefits of tight security
- Draw a line to the liability and how it could hurt the company if left unaddressed
The right way: revert to information security 101
- Some companies intentionally don’t prioritize security — that’s actually the minor threat
- The major threat is that most companies lack the broad understanding that IT security is something they should care about. They have no idea how much they don’t know about security
- If you’re dealing with a company with a pre-Internet mentality, you have to meet them where they are.
- Going back to the beginner level can be teeth-grinding, but it’s the only way to speak in terms they’ll understand. The cost of a client not understanding is too high to risk.