• United States



Watch Your Language: Rebuilding The Case for Cybersecurity

Jun 19, 20094 mins
IT Leadership

  Over the past few months I’ve discussed security topics with professionals from across America. I keep hearing the same questions: How do we build (or rebuild) the case for improving cybersecurity during this economic downturn? Why aren’t more companies (or governments) hiring certified security professionals right now? Why can’t my security program get any respect from upper management? Should I just sit back and ride out the recession by waiting? Why doesn’t my management get it? Or, getting even more personal, why can’t I find a security job?

  Bottom line, with all of the ID Theft, fraud and hacker stories, why are they cutting my security budget?

No doubt, much of what is going on is out of our control. Layoffs, furlough days, and salary cuts are common across industries. Most technology and security projects are getting hit hard. Where good ideas used to require a 3-5 year ROI, getting approval for new initiatives may now mean near-real-time cost savings – or at least same year hard savings.

  Yes, there are plenty of good answers. Hundreds of articles and white papers have been written over the past few years on return on investment (ROI) for security,  the fear, uncertainty and doubt (FUD)-factor, focusing on risk assessments and ways to leverage HIPAA and other compliance efforts. I’ve used each of these approaches over the years to sell security projects, and we still need to apply similar arguments.

  But can we be doing more to improve our chances? More important, should we act differently moving forward?

  I think we need to focus on our language. What are the enterprise priorities and the words we say to describe those priorities? Good security execs have learned that they need to be discussing how to enable not disable and offer secure alternatives, but what are we enabling?

 I was intrigued by this New York Times blog by Saul Hansell entitled: The Nation’s CTO Lays Out His Priorities. Saul had a chance to sit down with Aneesh Chopra recently. Saul describes the key areas that will drive Mr. Chopra’s next few years:

  • Economic growth through innovation
  • Addressing presidential priorities through innovation platforms
  • Building the next-generation digital infrastructure
  • Fostering a culture of open and innovative government


     I know, Aneesh Chopra is not the President’s new Cyber Czar. He’s doesn’t even mention the word “security” in his four mentioned priorities. But if you read these and say “so what,” I suspect that you may need to change your language in describing the benefits of security. Perhaps you should even consider rebuilding your approach to gaining wider executive buy-in.

     Gaining the required support for security requires us to use the same words that our most senior leaders use – whether in government or in the private sector. Take another look at the list. The case can be made that cybersecurity is an integral component to each of Aneesh Chopra’s stated priorities, but I’ll leave that argument to be made on another day.

      My point is that we need to rethink the words we use to sell security (or any other technology initiative) in this new environment. Despite their validity, the old arguments for security often fall short today when everyone is cutting. Success usually starts with the right words on the agenda for important meetings with key stakeholders. Use the wrong words, and that urgent threat discussion may never even occur.  I’m not talking about spin, but allowing security and risk to be incorporated into hot projects. Focus on their agenda, and you will be more successful.

  • Most of all, watch your language.   

    What are your thoughts? Any good war stories about selling security to execs?


    Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan State Government. Dan was named: "CSO of the Year," "Public Official of the Year," and a Computerworld "Premier 100 IT Leader." Dan is the co-author of the Wiley book, “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions.” Dan Lohrmann joined Presidio in November 2021 as an advisory CISO supporting mainly public sector clients. He formerly served as the Chief Strategist and Chief Security Officer for Security Mentor, Inc. Dan started his career at the National Security Agency (NSA). He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US / UK military facility. Lohrmann is on the advisory board for four university information assurance (IA) programs, including Norwich University, University of Detroit Mercy (UDM), Valparaiso University and Walsh College. Earlier in his career he authored two books - Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD For You: The Guide to Bring Your Own Device to Work. Mr. Lohrmann holds a Master's Degree in Computer Science (CS) from Johns Hopkins University in Baltimore, Maryland, and a Bachelor's Degree in CS from Valparaiso University in Indiana.

    More from this author