Sometimes it feels that clients with an enterprise-level security checklist want to have their cake and eat it too. The requirements can feel like an impossible mountain to climb.
There is often room for negotiation though. If you answer no to a question, explain why. When making assessments, different factors may be weighted differently according to the service you are offering. Only the most difficult clients expect everything you offer to be exactly what they want from the start.
If a security feature is not currently present but you are planning to implement it in the future, don't be afraid to share your plan. It can be reassuring to a client to know that you have a plan to change things, rather than being unaware of the potential issue.
In some ways it is more important for you and your team to have a strong vision of what security story you want to tell, and to be delivering on it, than to react to each client's requirements with no coherence to the changes you are making to your product.
I think it is also okay to make clear that the implementation of some security features is dependent on commercial agreements. If one client is very adamant that they need something, then perhaps they need to pay to ensure that element is prioritised over other things that might matter to other clients.
Finally, the truth is that security very rarely has the final word. If your product meets a unique need, you can often get an exception to a given security requirement if you have an enthusiastic internal sponsor.
This can be particularly important if the parent corporate rules are set for a different kind of business to the one you are working in. For example, a few organisations we've spoken with have wanted to apply the rules they use for their Active Directory users to freelancers or independent third parties. Discussing the origin of the rule, and giving some practical examples of the impact it would have on the work being done, led to a more nuanced version of the policy.
Generally, the best security comes from collaboration that is based on trust and openness. Discussing and reviewing requirements should be a normal part of the process.