The right and wrong way to deliver cybersecurity information

The wrong way: call it a “best practice”

  • Once I found an internal system that was logging usernames and passwords in plain text
  • In trying to educate the client about the right way, I used the term “best practice.”
  • The customer heard “best practice” and treated it as a matter of opinion.
  • I had to explain the danger of those credentials leaking out much more thoroughly than I would have if I had simply presented it as what it was — a security risk

The right way: adhere to the law

  • Sometimes you’ll be asked to write software that actually violates a company’s stated privacy policy or terms and conditions
  • Companies may not understand that they’re mishandling sensitive information, but they will understand the risk of a privacy lawsuit

The wrong way: raise the concern without any organizational buy-in

  • Organizations tend to think they’ll just bring a security guy in to deal with the security stuff. If you’re not prioritizing security from the beginning, you’ll get burned
  • At a high level, organizations say that security is super valuable. The farther you go down the line, the less people care
  • IT security needs to be raised as a cross-cutting concern. Without buy-in throughout the organization — from middle managers to the highest decision-makers — your message will be shot down

The right way: educate them in a way that appeals to their self-interest

  • The big issue is simply saying it in the first place. The right thing to do is to deal with it. You have a responsibility to your client to raise it.
  • Part of the issue is that clients, especially middle management, aren’t aware of the questions to ask in the first place
  • You have to communicate the risk of not addressing the problem to communicate the benefits of tight security
  • Draw a line to the liability and how that could hurt the company if unaddressed

The right way: revert to information security 101

  • Some companies intentionally don’t prioritize security — that’s actually the minor threat
  • The major threat is most companies lack the broad understanding that IT security is a thing they should care about. They have no idea how much they don’t know about security
  • If you’re dealing with a company with a pre-Internet mentality, you have to meet them where they’re at.
  • Going back to the beginner level can be teeth-grinding, but it’s the only way to speak in terms they’ll understand. The cost of a client not understanding is too high to risk.
