You might think security teams inside big companies hate it when researchers and the press point out vulnerabilities, but that’s not always the case.

Security teams are just one voice among many, and often they have trouble convincing bosses that security and privacy should be a priority. An embarrassing story in the press can change that quickly.

For example: Security researcher Troy Hunt once called out Betfair Security for a system that allowed anyone who knew a user’s birthday to change their password. A month later Hunt met an employee from that company, which he wrote about on his personal blog:

…a bloke came up and handed me his card – “Betfair Security”. Ah shit. But the hesitation quickly passed as he proceeded to thank me for the coverage. You see, they knew this process sucked—any reasonable person with half an idea about security did—but the internal security team alone telling management this was not cool wasn’t enough to drive change. Negative media coverage, however, is something management actually listens to.

We all know how hard it can be for small teams to push their agenda in large companies, so there’s a certain logic here. But I wish companies would listen to internal security teams, and outside researchers, before problems go massively public. It’s usually a communication breakdown inside companies, but fixing this breakdown could prevent a lot of bad press—and keep us all more secure.