A client insists on weaker security measures. How do you respond?
How would you handle a client's request for weaker security? Share your approach and insights.
-
When a client requests weaker security, start by understanding their concerns, whether it's cost or complexity. Calmly explain the associated risks, like data breaches or regulatory penalties, reinforcing the explanation with relatable examples. Propose solutions that balance usability and safety, such as cost-effective tools. Frame this as a collaborative effort to align security with their business goals. Document all discussions for clarity. Always prioritize protection. Better safe than sorry!
-
If a customer is adamant about a less secure configuration, I would do my best to educate them on the processes by explaining the risks of increasing the likelihood of proven breaches and the compliance implications. I will always try to give alternative solutions that incorporate a level of security with usability while offering a minimum level of security. If they wanted no part of security best practices, leaving them susceptible to proven attacks, I would document the conversation for litigation purposes and reevaluate the engagement in that regard. Security is never jeopardized.
-
Explain that weakening security measures increases the risk of data breaches, compliance violations, and reputational harm. Reference industry standards like ISO 27001, NIST, or SOC 2 to reinforce the importance of maintaining strong security. Offer alternative solutions that balance security and usability, such as adaptive authentication or user-friendly encryption. Emphasize that protecting their data is a priority and that a secure approach benefits their business long-term. Work collaboratively to find a solution that meets their needs without compromising safety.
-
Years ago, a client insisted on weaker security, dismissing MFA as unnecessary friction. Instead of arguing, I told a story: Imagine a jewelry store with no locks—trusting employees is one thing, but what about outside threats? I shared a real case where a competitor suffered a ransomware attack due to similar gaps. That got their attention. We compromised on security that balanced protection with usability. Two months later, a phishing attack failed—because they listened. Lesson: When clients push back, make the risk real. Speak their language, tell stories, and find common ground. The best security is the one that gets implemented.
-
I get why some clients want to ease up on security. Budgets are tight, and security can feel like overhead until something goes wrong. But every time I’ve seen shortcuts taken, it’s ended up costing more in the long run. I see my role as making sure they do not learn that the hard way. My approach is simple: listen, explain the real risks in plain language, offer smarter ways to stay protected without overcomplicating things, and make sure we both sleep at night knowing we did the right thing. No scare tactics. Just straight talk and responsibility.