The right and wrong way to deliver cybersecurity information

  • Once I found an internal system that was logging usernames and passwords in plain text
  • In trying to educate the client about the right way, I used the term “best practice.”
  • The customer heard “best practice” and treated it as a matter of opinion.
  • I had to explain the danger of those credentials leaking out much more thoroughly than if would if I had simply presented it as what it was — a security risk

The right way: adhere to the law

  • Sometimes you’ll be asked to write software that actually violates a company’s stated privacy policy or terms and conditions
  • Companies may not understand that they’re mishandling sensitive information, but they will understand the risk of a privacy lawsuit

The wrong way: raise the concern without any organizational buy-in

  • Organizations tend to think they’ll just bring a security guy in to deal with the security stuff. If you’re not prioritizing security from the beginning, you’ll get burned
  • At a high-level, organizations say that security is super valuable. The farther you go down the line, the less people care
  • IT security needs to be raised as a cross-cutting concern. Without buy-in throughout the organization — from middle managers to the highest decision-makers — your message will be shot down

The right way: educate them in a way that appeals to their self-interest

  • The big issue is simply saying it in the first place. The right thing to do is to deal with it. You have a responsibility to your client to raise it up.
  • Part of the issue is that clients, especially middle management, aren’t aware of the questions to ask in the first place
  • You have to communicate the risk of not addressing the problem to communicate the benefits of tight security
  • Draw a line to the liability and how that could hurt the company if unaddressed

The right way: revert to information security 101

  • Some companies intentionally don’t prioritize security — that’s actually the minor threat
  • The major threat is most companies lack the broad understanding that IT security is a thing they should care about. They have no idea how much they don’t know about security
  • If you’re dealing with a company with a pre-Internet mentality, you have to meet them where they’re at.
  • Going back to the beginner-level can be teeth-grinding, but it’s the only way to speak in terms they’ll understand. The cost of a client not understanding is too high to risk.

Originally published at




100% US-based Agile developers, designers and strategists who create great software for enterprises and tech companies.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Reasons You Should Ensure the Security of Your Healthcare Data on The Cloud

Closeup of test tubes

Step by step instructions to Forward Postal Mail to Someone

Introduction To IoT Structure & Security: The Achilles Heel

Cellframe Token Launch Announcement


Microsoft backtracks on Windows 11’s controversial default browser changes

Alpine Formula One Team Token increased its value by 1800%

GSOC’20 Week 16 Update

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


100% US-based Agile developers, designers and strategists who create great software for enterprises and tech companies.

More from Medium

2021: A Year in Review

Closing the Loop Between Detection and Auto-Remediation in our Cloud Environments

Ultima Labs launches sustainability calculator for Microsoft Azure

7 Cloud Vulnerabilities Endangering Your Data!