Marketing security: True stories strengthen numbers for making point

Sep 08, 2012 | 4 mins
IT Leadership | ROI and Metrics

How do security pros typically make the case for more, better or stronger security? Answer: Numbers - big numbers! I recommend adding a few stories.

How do security pros typically make the case for more, better or stronger security? Beyond scaring crowds at the beginning of presentations, how do we convince senior management that we need more resources than last year? Answer: Numbers - big numbers!

We still use quite a bit of fear, uncertainty and doubt (FUD) as well, but metrics, dashboards and scorecards are hot items right now. Yes, there are good reasons for using security metrics and big numbers.

Here are a few recent headline examples:

Computer viruses, trojans, malware, ransomware, botnets: Web attacks are soaring – “In its quarterly “Threats Report,” Intel subsidiary McAfee said that it had found more than 8 million new kinds of malware in the second quarter, up 23% from the first quarter. There are now more than 90 million unique strands of malware in the wild, the security company said.”

Cyber Attacks On Feds Soar 680% In 6 Years: GAO – “Reported cybersecurity incidents at federal agencies have risen 680 percent in six years, the Government Accountability Organization testified today — and note that key word “reported,” which means that’s just the ones we know about.”

Global cyber-security tab hits $10 billion – “Cyber-attacks on U.S. computer networks rose 17-fold from 2009 to 2011, according to data cited by Gen. Keith Alexander, head of the National Security Agency and U.S. Cyber Command, at a July conference.”

Budget cuts and the next Pearl Harbor – “Billions at stake”

But is this the most effective strategy? There is no doubt that good measurements are essential in technology, security and all areas of business. We need to make sure that the measurements we are using are relevant and accurate. We need to compare where we were to where we are and where we are going. We need to ensure that we are aware of new trends and innovative approaches.

Find Relevant Stories

I found it interesting that both political parties featured speakers who told stories at their 2012 conventions. Sure, there were numbers describing the federal deficit, the unemployment rate, the number of jobs created and more, but most speakers connected the numbers to real-life situations and personal stories.

I like this excerpt from the CNN article about the candidates’ wives:

“We Americans believe that a wife can tell us about her husband in ways we can’t discern from ads, stump speeches, or even debates: about his personal morality, his character, how he reacts to crisis — in short, who he really is.”

I think the same is true of making the case for cybersecurity. Sure, we need to measure progress with good numbers, but add a story or two to make the situation real to the audience you are speaking to. I like the slideshow examples provided by this Bloomberg article on Extortion in the Digital Age. Here’s an excerpt from their third example:

Holding S.F.’s Network Hostage

“A San Francisco city employee was so desperate to save his job as a network technician that he hijacked the city’s computers and held them hostage to protest his reassignment in 2008. Terry Childs was being transferred because of conflicts with management when he locked out his supervisors by withholding network passwords, prosecutors said. Childs’s move was described by prosecutors as a “power play” to turn the city’s network into a “pawn” in his feud with management. He gave up his fight after a high-profile intervention: Then-Mayor Gavin Newsom paid a visit to Childs in jail and left with the passwords. Childs was sentenced to four years in prison.”

Notice how real names, real people and real situations, told with specific details, build a very intriguing case?

I think security pros can learn from these stories – and be more effective if we learn to tell them in ways that resonate with the audience we are talking to.

What are your thoughts on this topic?

Any good cyber stories to share?


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan State Government. Dan was named: "CSO of the Year," "Public Official of the Year," and a Computerworld "Premier 100 IT Leader." Dan is the co-author of the Wiley book, “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions.” Dan Lohrmann joined Presidio in November 2021 as an advisory CISO supporting mainly public sector clients. He formerly served as the Chief Strategist and Chief Security Officer for Security Mentor, Inc. Dan started his career at the National Security Agency (NSA). He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US / UK military facility. Lohrmann is on the advisory board for four university information assurance (IA) programs, including Norwich University, University of Detroit Mercy (UDM), Valparaiso University and Walsh College. Earlier in his career he authored two books - Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD For You: The Guide to Bring Your Own Device to Work. Mr. Lohrmann holds a Master's Degree in Computer Science (CS) from Johns Hopkins University in Baltimore, Maryland, and a Bachelor's Degree in CS from Valparaiso University in Indiana.