How to Speak Convincingly about IT Security Consequences

I’m sure many of us have been in similar situations. You find a BIG problem but no one appears to be listening. This article gives some practical steps to help make your voice heard.

A few months into one of my first IT jobs, I discovered a massive security vulnerability that could potentially allow an attacker to log into the network without having to provide any credentials. I tried explaining the situation to my boss, but she wasn’t having it.

At the time, I assumed that the reason I had not been taken seriously was that I was a teenager and had very little IT experience. Later, however, I began to realize that, like any IT director, my boss was busy and I might not have done a very good job of explaining why she needed to prioritize this particular issue. After all, vulnerabilities are not all created equal. Some vulnerabilities are really obscure and have almost no chance of ever being exploited. Other vulnerabilities, like the one that I had found, are so serious that they need to be addressed immediately.

As embarrassed as I am to admit this, the aforementioned security vulnerability remained in place for at least another year. I didn’t have the authority to fix it myself, and those who did have the authority had about a million other demands being made of their time. Eventually, I began to understand that the key to making things happen in the world of IT is to present the information in a way that makes the identified risk impossible to ignore. This is especially critical if you need funding.

