Over the past few months I’ve discussed security topics with professionals from across America. I keep hearing the same questions: How do we build (or rebuild) the case for improving cybersecurity during this economic downturn? Why aren’t more companies (or governments) hiring certified security professionals right now? Why can’t my security program get any respect from upper management? Should I just sit back and ride out the recession by waiting? Why doesn’t my management get it? Or, getting even more personal, why can’t I find a security job? Bottom line, with all of the ID Theft, fraud and hacker stories, why are they cutting my security budget?

No doubt, much of what is going on is out of our control. Layoffs, furlough days, and salary cuts are common across industries. Most technology and security projects are getting hit hard. Where good ideas used to require a 3-5 year ROI, getting approval for new initiatives may now mean near-real-time cost savings – or at least same year hard savings.

Yes, there are plenty of good answers. Hundreds of articles and white papers have been written over the past few years on return on investment (ROI) for security, the fear, uncertainty and doubt (FUD)-factor, focusing on risk assessments and ways to leverage HIPAA and other compliance efforts. I’ve used each of these approaches over the years to sell security projects, and we still need to apply similar arguments. But can we be doing more to improve our chances? More important, should we act differently moving forward?

I think we need to focus on our language. What are the enterprise priorities and the words we say to describe those priorities? Good security execs have learned that they need to be discussing how to enable not disable and offer secure alternatives, but what are we enabling?

I was intrigued by this New York Times blog by Saul Hansell entitled: The Nation’s CTO Lays Out His Priorities. Saul had a chance to sit down with Aneesh Chopra recently.
Saul describes the key areas that will drive Mr. Chopra’s next few years:

- Economic growth through innovation
- Addressing presidential priorities through innovation platforms
- Building the next-generation digital infrastructure
- Fostering a culture of open and innovative government

I know, Aneesh Chopra is not the President’s new Cyber Czar. He doesn’t even mention the word “security” in his four stated priorities. But if you read these and say “so what,” I suspect that you may need to change your language in describing the benefits of security. Perhaps you should even consider rebuilding your approach to gaining wider executive buy-in.

Gaining the required support for security requires us to use the same words that our most senior leaders use – whether in government or in the private sector. Take another look at the list. The case can be made that cybersecurity is an integral component of each of Aneesh Chopra’s stated priorities, but I’ll leave that argument to be made on another day.

My point is that we need to rethink the words we use to sell security (or any other technology initiative) in this new environment. Despite their validity, the old arguments for security often fall short today when everyone is cutting. Success usually starts with the right words on the agenda for important meetings with key stakeholders. Use the wrong words, and that urgent threat discussion may never even occur.

I’m not talking about spin, but about allowing security and risk to be incorporated into hot projects. Focus on their agenda, and you will be more successful. Most of all, watch your language.

What are your thoughts? Any good war stories about selling security to execs?