The wrong way: call it a “best practice”
- Once I found an internal system that was logging usernames and passwords in plain text
- In trying to educate the client about the right way, I used the term “best practice.”
- The customer heard “best practice” and treated it as a matter of opinion.
- I had to explain the danger of those credentials leaking out much more thoroughly than it would have been if I had simply presented it as what it was — a security risk
The right way: adhere to the law
- Companies may not understand that they’re mishandling sensitive information, but they will understand the risk of a privacy lawsuit
The wrong way: raise the concern without any organizational buy-in
- Organizations tend to think they’ll just bring a security guy in to deal with the security stuff. If you’re not prioritizing security from the beginning, you’ll get burned
- At a high level, organizations say that security is super valuable. The farther you go down the line, the less people care
- IT security needs to be raised as a cross-cutting concern. Without buy-in throughout the organization — from middle managers to the highest decision-makers — your message will be shot down
The right way: educate them in a way that appeals to their self-interest
- The big issue is simply saying it in the first place. The right thing to do is to deal with it. You have a responsibility to your client to raise it.
- Part of the issue is that clients, especially middle management, aren’t aware of the questions to ask in the first place
- You have to communicate the risk of not addressing the problem in order to convey the benefits of tight security
- Draw a line to the liability and explain how it could hurt the company if left unaddressed
The right way: revert to information security 101
- Some companies intentionally don’t prioritize security — that’s actually the minor threat
- The major threat is most companies lack the broad understanding that IT security is a thing they should care about. They have no idea how much they don’t know about security
- If you’re dealing with a company with a pre-Internet mentality, you have to meet them where they are.
- Going back to the beginner level can be teeth-grinding, but it’s the only way to speak in terms they’ll understand. The cost of a client not understanding is too high to risk.