
Robert Rees for We Got POP


Negotiating security requirements with clients

Sometimes it feels that clients with an enterprise-level security checklist want to have their cake and eat it too. The requirements can feel like an impossible mountain to climb.

There is often room for negotiation though. If you answer no to a question, explain why. When making assessments, different factors may be weighted differently according to the service you are offering. Only the most difficult clients expect everything you offer to match exactly what they wanted initially.

If a security feature is not currently present but you are planning to implement it in the future, don't be afraid to share your plan. It is reassuring for a client to know that you have a plan to change things, rather than being unaware of the potential issue.

In some ways it is more important for you and your team to have a strong vision of the security story you want to tell, and to be delivering on it, than to react to each client's requirements with no coherence to the changes you make to your product.

I think it is also okay to make clear that the implementation of some security features depends on commercial agreements. If one client is adamant that they need something, then perhaps they need to pay to ensure that element is prioritised over other things that matter to other clients.

Finally, the truth is that security very rarely has the final word. If your product meets a unique need, you can often get an exception to a given security requirement if you have an enthusiastic internal sponsor.

This can be particularly important if the parent corporation's rules were written for a different kind of business from the one you are working in. For example, a few organisations we have talked to wanted to apply the rules they use for their Active Directory users to freelancers or independent third parties. Discussing the origin of the rule and giving some practical examples of the impact it would have on the work being done led to a more nuanced version of the policy.

Generally, the best security comes from collaboration based on trust and openness. Discussing and reviewing requirements should be a normal part of the process.
