What a financial planner taught me about cybersecurity

When I spoke at a recent cybersecurity awareness event for financial planners and tax advisors, the audience really engaged with the subject.

As happens at conferences the world over, people often come up to speakers to ask follow-up questions, or just give their feedback about points made during the presentation. This time, it struck me how many of them said they had been scared by what they heard during my talk.

As I made my way back to the office, that word “scared” was like one of those tunes you hear that constantly replays in your mind. My immediate reaction was to think that I hadn’t succeeded in raising awareness about security threats and risks. It also made me wonder whether we in the cybersecurity industry sometimes make things harder than they need to be by describing risks in ways that sound frightening, technical, or overwhelming to people who simply want to understand what they need to do to better protect themselves and their businesses.

The problem with how we talk about threats

As anyone who has seen me speak knows, I’m not one for throwing my hands up in the air and declaring the world is about to end or indulging in irresponsible hype. I don’t believe in selling security by fear, uncertainty, and doubt, otherwise known as FUD. I’ve always believed that one of my roles is to raise awareness of information security as an important business issue, not to scare people into buying more stuff.

I naturally tend to look at any new or emerging security threat and automatically think of it simply as a risk to be managed. But because of my line of work as a security consultant, am I so used to talking about data breaches, CEO fraud, or ransomware in a measured way that I don’t realise the extent to which it frightens other people who aren’t as immersed in this area as I am?

Thinking about it some more a while later, I remembered a conversation with one of the organisers just before the event. This person was in the financial planning business, so naturally he asked me if I had appropriate protection both for my business and for myself personally. I had always thought that I had most boxes ticked from an insurance or pension perspective, but his conversation got me thinking, and yes, I’ll admit it made me slightly afraid that maybe I was missing some crucial piece to ensure I was fully protected.

What it feels like to be the non-expert in the room

I’m pretty sure his intention wasn’t to scare me. All he was doing was applying his domain knowledge to my situation. It was me, as a non-expert in financial matters, who reacted the way I did.

Ultimately, each of us is an expert in our own field. The event organiser happened to work in financial planning, so pensions and insurance were a natural conversation starter, just as information security would be for me. For many of us, venturing into areas beyond our own expertise can provoke varying degrees of worry or anxiety. To the uninitiated, any talk of technology is enough to tip their needle towards outright panic.

Part of the problem is the language we use. In cybersecurity we talk about “threat actors”, “Advanced Persistent Threats”, “phishing campaigns” and “compromised credentials”. To us, these are everyday terms, but to everyone else, they can sound like something from a spy novel. In reality, we’re often talking about criminals, scams, fraud, and people trying to trick us into handing over money or information.

The goal is confidence, not expertise

When people feel overwhelmed by warnings about cybercrime, they often react in one of two ways: some dismiss the advice because it feels too complicated or alarmist, others become so worried about making a mistake that they avoid using technology altogether. Neither response helps.

From a security perspective, my recent experience was a valuable reminder that what we in the profession perceive as normal and everyday can be a frightening subject to anyone outside the bubble.

The truth is, many of us in business rely on the expertise and knowledge of other professionals, whether that’s legal, finance or PR. Many of them will use terms we’re not familiar with. It’s not our job to be experts in those domains but to be sufficiently well informed to ask the right questions of those who are providing us with that expertise.

On the flip side of that, if we’re the ones being asked to share our knowledge to provide guidance, it’s up to us to think about how we deliver the message to educate, not intimidate.

Cybersecurity should not be about frightening people with stories of hackers, breaches, and worst-case scenarios. It should be about helping people understand the practical steps they can take to reduce risk.

The goal is not to turn everyone into cybersecurity experts, but to help people recognise scams, ask good questions, make informed decisions, and feel confident using technology. If people leave a security presentation feeling empowered rather than frightened, then we’ve done our job properly.