The wrong way: call it a “best practice”

  • Once I found an internal system that was logging usernames and passwords in plain text
  • In trying to educate the client about the right way, I used the term “best practice.”
  • The customer heard “best practice” and treated it as a matter of opinion.
  • I had to explain the danger of those credentials leaking out much more thoroughly than I would have if I had simply presented it as what it was — a security risk

The right way: adhere to the law

  • Sometimes you’ll be asked to write software that actually violates a company’s stated privacy policy or terms and conditions
  • Companies may not understand that they’re mishandling sensitive information, but they will understand the risk of a privacy lawsuit

The wrong way: raise the concern without any organizational buy-in

  • Organizations tend to think they’ll just bring a security guy in to deal with the security stuff. If you’re not prioritizing security from the beginning, you’ll get burned
  • At a high level, organizations say that security is super valuable. The farther you go down the line, the less people care
  • IT security needs to be raised as a cross-cutting concern. Without buy-in throughout the organization — from middle managers to the highest decision-makers — your message will be shot down

The right way: educate them in a way that appeals to their self-interest

  • The big issue is simply saying it in the first place. The right thing to do is to deal with it. You have a responsibility to your client to raise it up.
  • Part of the issue is that clients, especially middle management, aren’t aware of the questions to ask in the first place
  • You have to communicate the risk of not addressing the problem to communicate the benefits of tight security
  • Draw a line to the liability and how that could hurt the company if unaddressed

The right way: revert to information security 101

  • Some companies intentionally don’t prioritize security — that’s actually the minor threat
  • The major threat is most companies lack the broad understanding that IT security is a thing they should care about. They have no idea how much they don’t know about security
  • If you’re dealing with a company with a pre-Internet mentality, you have to meet them where they’re at.
  • Going back to the beginner level can be teeth-grinding, but it’s the only way to speak in terms they’ll understand. The cost of a client not understanding is too high to risk.