“Also, to give some fairness to my statement, too many security professionals have yet to learn how to speak english to upper management about risks, ease of remediation, and remediation costs vs. costs of risks.”

If you focus on the message, you are in the wrong area. You need to focus on the recipient of that message. We all say how suffering some breach or getting some new regulation always results in increased security spending. Why? Did our message become more clear? Did we learn the right incantations and magic words? No. The executives realized, only briefly, that they need to care. They invested time to listen and act.

The same is true with insurance. 20 year olds don’t buy health insurance, not because they don’t understand it, not because it isn’t marketed well, but because they don’t feel they need it and they don’t care. When that same person turns 35 and has 2 children, I bet they want insurance. Again, the message didn’t change, the recipient’s impression of their need changed.

If we forever pretend that there are some spcial words, or if the slides looked just a bit more professional, or whatever, then we’ll never solve the problem. Execs need to feel responsible for the problem, and until they do, we may as well speak Klingon.

As for Amrit’s reply that “that spending on information security negatively impacts the bottom line vs. what might happen if they do nothing or the bare minimum”, this comes down to Prospect Theory, which Bruce Schneier has written about.

Briefly, it seems that people will take accept a risky loss (I’ll suffer a breach which will cost me $1M to fix) in preference to a sure loss (I’ll spend 200K to prevent that breach) I don’t think people even think about it, it is just ingrained in our psychology, and has real ramifications to our trade.