Security Economics
by Ionut Ionescu - Director of Security Services, Nortel (EMEA) - Wednesday, 29 August 2007.
Information security has finally become mainstream. It is almost a recognized profession, with its own areas of specialization: network security, audit, incident response, forensics, and security management. Salaries for IS practitioners have been rising constantly, the market for security products and services is much bigger than it was five or ten years ago, and more firms are entering it.

The “security frontier” has moved from firewalls and anti-virus to IM and VoIP security. However, convincing people and organizations to implement effective security measures has not become easier, so we must ask ourselves:

Is security worth it?

First, let’s look at how vendors attempt to sell security. There is usually some FUD factor involved. Years ago it was pretty blunt, concentrating on web defacements and Denial of Service takedowns: “the hackers are coming”. Now, sleek statistics from reputable firms or institutions are used, so the language has also become more grown up: “organizations should secure”, “we must ensure that every piece of critical information in a company is appropriately secured”, etc. The problem with these approaches is that the need for security is not personalized enough to trigger a buying decision.

Security as insurance does not really work well, either because people can see through FUD and dismiss it as a cheap sales ploy, or because the potential consequences of a lapse in security are not immediately clear. The issue is quantification. You or your firm may not care much that “virus attacks have increased by X% in the last 12 months”, but you may pay more heed if the warning were specific to your industry: “virus attacks against XYZ systems running ABC applications have increased against ACME-industry institutions”.

It is, of course, easier to sell any type of insurance or advisory services in regulated industries: housing or car insurance, financial services, health care, government. One only has to look at laws like the Data Protection Act, HIPAA (US) and Sarbanes-Oxley to see how these created new business opportunities for consulting firms in many countries. However, the security practitioner catering for a diverse clientele must find another class of arguments in order to successfully convince clients to buy security services and products.

Fear vs. Economics

The problem with using Fear to sell security is that it is subject to the stroboscopic light effect: you get used to it, you may not realize when it really is bad, and you could collapse under it not knowing why. Fear also works if you are naturally risk averse. But it doesn’t work if you’ve never experienced the touted bad consequences, or if you are not risk averse.

COPYRIGHT 1998-2013 BY HELP NET SECURITY.