I would absolutely send him an email to the effect of
“Per our multiple verbal conversations, this is just to serve as notice that, in my professional opinion, your refusal to allow me to upgrade a system at risk of multiple security vulnerabilities on a platform that is no longer supported is a risk that you are choosing to accept against my advise.”
with a list of known major vulnerabilities attached if possible.
That way at least if this comes back to bite the company on the ass, he can’t say “Well he never told me this was a problem!”
Exactly. After that he can basically let it go. Unless he has some stake in the company or ite survival, he’s done his job. It’s his bosses problem, the one responsible.
get it in writing that they accept the risk that comes with not upgrading so it can’t come back on you. all you can do is CYA and make recommendations - if management does not agree with your recommendations make sure you have it documented that you informed whoever is making the decision of the risk.
if you think your employer will somehow still try to hold you accountable for this, save the aforementioned correspondence using something your employer does not manage i.e. a personal device. you could also let other people than this specific individual know about this so it isn’t just your word vs his.
I disagree. That’s a consultant-style answer. OP is an idiot newb three months into his first job with zero responsibility, and not in any position to “serve notice” or have any meaningful “professional opinion”.
I would absolutely send him an email to the effect of
with a list of known major vulnerabilities attached if possible.
That way at least if this comes back to bite the company on the ass, he can’t say “Well he never told me this was a problem!”
Exactly. After that he can basically let it go. Unless he has some stake in the company or ite survival, he’s done his job. It’s his bosses problem, the one responsible.
this is the correct response.
get it in writing that they accept the risk that comes with not upgrading so it can’t come back on you. all you can do is CYA and make recommendations - if management does not agree with your recommendations make sure you have it documented that you informed whoever is making the decision of the risk.
if you think your employer will somehow still try to hold you accountable for this, save the aforementioned correspondence using something your employer does not manage i.e. a personal device. you could also let other people than this specific individual know about this so it isn’t just your word vs his.
And keep a copy off site
I disagree. That’s a consultant-style answer. OP is an idiot newb three months into his first job with zero responsibility, and not in any position to “serve notice” or have any meaningful “professional opinion”.