
Informing mgt their security is leakier than Luisa Zissman's fanny rag


    Conundrum....


    A) Righteously email management, which creates an electronic chain of evidence that by definition MUST be pursued, whipping up some discontent, risking antagonising HE WHO SIGNS MY TIMESHEETS, or;


    B) Drop a quiet word in the meeting room, knowing full well if I tell them verbally, nothing will be done, then walk offsite in a few months with much fatter pockets, but knowing a big brand name who are in the business of safeguarding lives can't even completely safeguard their data?


    WWYD ???

    #2
    Besides telling them about it, can you do anything to sort things that will make you money?



      #3
      It's a no brainer. If lives are at stake you have a moral obligation, at least, to step forward and make your case in the email.
      Obviously this will lead to a lot of angst, problems and antagonism and ultimately your sacking, but that is a price worth paying.
      Then nothing will be done and your valuable insight will be missing, ergo the chances to save lives will be immensely reduced. So don't send that email. It's a no brainer
      (\__/)
      (>'.'<)
      ("")("") Born to Drink. Forced to Work



        #4
        Are you a security expert? Is it your profession?



          #5
          Originally posted by Ticktock
          Besides telling them about it, can you do anything to sort things that will make you money?


          Like what dude? Blackmail them into a rate rise ???!??!!!?!!?

          They'd possibly extend but I'd rather go for a higher rate elsewhere with my newly enhanced skillset.



            #6
            The key to getting management on board with security issues is to point out how it will either *save* them money if they fix it, or *cost* them money if they don't.

            You have to couch it in business terms they will understand and see as relevant to them. Just telling them that they have a technical vulnerability in an application relating to a buffer overflow leveraging a cross site scripting exploit (or whatever the problem is) will not get them to take notice, even if they are the IT manager or Director. It will just irritate them.

            You can also throw in the upcoming changes to legislation coming from Europe that will mean increased accountability for data security, introduce legal requirements to report data loss incidents within 24 hours and introduce new sanctions against those that fail to protect information appropriately.

            Full review from a specialist legal firm here: https://www.slaughterandmay.com/medi...ion-reform.pdf. There are lots more if you look for them, all saying the same thing.
            "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.



              #7
              Originally posted by Gym beast
              Like what dude? Blackmail them into a rate rise ???!??!!!?!!?

              They'd possibly extend but I'd rather go for a higher rate elsewhere with my newly enhanced skillset.
              No dude. Like is it something that you have the skills to be able to fix?!?!?!?!?!?!?!?!?!?!
              So you can not only tell them about the problem, but also sell in a solution. Hardly blackmail - they can take you up on the offer or they can source a fix elsewhere.

              In any case, I fail to understand why telling your client "I've spotted a potential issue, here are the details" would get you fired. Perhaps it's because I generally have a fairly decent relationship with my clients.



                #8
                Originally posted by Gym beast
                Like what dude? Blackmail them into a rate rise ???!??!!!?!!?

                They'd possibly extend but I'd rather go for a higher rate elsewhere with my newly enhanced skillset.
                With your frankly bizarre thread title and use of the word 'dude', I can only assume you're a pillock or a 15 year old boy.
                I'm sorry, but I'll make no apologies for this

                Pogle is awarded +5 Xeno Geek Points.
                CUK University Challenge Champions 2010
                CUK University Challenge Champions 2012



                  #9
                  Is submitting it anonymously an option, as a letter or something like that?
                  Originally posted by MaryPoppins
                  I'd still not breastfeed a nazi
                  Originally posted by vetran
                  Urine is quite nourishing



                    #10
                    Originally posted by Pogle
                    With your frankly bizarre thread title and use of the word 'dude', I can only assume you're a pillock or a 15 year old boy.
                    Snorted my coffee reading this one!

                    'CUK forum personality of 2011 - Winner - Yes really!!!!
