How do you handle a situation where a client's operational requirements conflict with established security best practices?