“Clients don’t care about cyber security. They care about risk.”

By Sam Glynn, founder of Code in Motion

In every survey, we are told that cyber security is a major concern and a top priority for organisations around the world. And yet, when we try to talk to the ‘normal’ people in these organisations about cyber security, their eyes glaze over. 


Because they don’t want to engage in a detailed discussion about cyber security. And they certainly don’t care about magical solutions.

They care about their strategic goals and implementing the actions necessary to achieve these goals. They also care about understanding and reducing the risks that might prevent them from achieving these goals.

This is why most ‘normal’ people are not interested in understanding the lingo of cyber security, but they understand the language of risk and are very interested in understanding how to reduce the most significant risks.

Clients don’t care about cyber security. They care about risk.

So, if we want to talk to most ‘normal’ people about cyber security, we need to talk to them about reducing risk.

Reducing risk means:

  • Reducing the likelihood of a particular undesirable event, or
  • Reducing the impact if that undesirable event were to occur.

In other words, when we talk about magical cyber security solutions, we need to clearly communicate how these solutions reduce the likelihood and/or impact of an undesirable event.

An example: 

A financial services firm engaged an independent security assurance provider to check that their security controls* aligned with the Central Bank’s expectations.

(* As an aside, ‘security controls’ are not just ‘technical security controls’. Only a minority of ISO 27001’s Annex A security controls are ‘technological controls’. And if you read the Central Bank’s guidance of 2016 and the EU’s DORA regulation, the ‘technical controls’ are the easy bit!)

During the engagement, the client mentioned that they were very unhappy with their current IT Managed Service Provider (MSP) because the MSP had tried to upsell an expensive backup solution to them, even though they were already being paid to run their backups.

The independent security assurance provider asked to see the proposal. It was ‘upselling’ an immutable backup solution, which was described in the proposal as ‘better’ and ‘more secure’ than the client’s current backup solution.

When the independent security assurance provider explained the value of the solution in terms of risk (i.e. how it could significantly reduce the impact of a ransomware attack because the backups would be safe), the client signed up immediately.

The client may have paid for a new backup solution. But they bought a significant reduction in a risk that they were concerned about.

Our clients do not care about our magical solutions. They care about how our solutions reduce the likelihood and/or impact of an undesirable event.

Let’s be honest. After all, it’s good for business.

When we talk about solutions, we need to be honest about the risks these solutions will reduce.

And for everyone’s sake, we need to be clear that none of these solutions will eliminate risk or ‘make them secure’. Even if they believe us today, they will realise at some point that nothing can make them completely secure.

We can’t solve the problem of cyber security risk. But we can manage it.

Going back to the previous example:

When it was explained to the client that this immutable backup solution did nothing to reduce the likelihood of a ransomware attack, or to reduce the other potential impacts of a ransomware attack (e.g. data theft), they became very interested in further discussions with their current IT MSP to identify other ways to reduce these likelihoods and impacts.

Result? The client was more secure, and the MSP was better paid.

Aren’t we all hoping for this kind of happy ending?