BIP America

collapse
Home / Daily News Analysis / What a financial planner taught me about cybersecurity

What a financial planner taught me about cybersecurity

Jul 08, 2026  Twila Rosenbaum  5 views
What a financial planner taught me about cybersecurity

When I spoke at a recent cybersecurity awareness event for financial planners and tax advisors, the audience really engaged with the subject.

As happens at conferences the world over, people often come up to speakers to ask follow-up questions, or just give their feedback about points made during the presentation. This time, it struck me how many of them said they had been scared by what they heard during my talk.

As I made my way back to the office, that word “scared” was like one of those tunes you hear that constantly replays in your mind. My immediate reaction was to think that I hadn’t succeeded in raising awareness about security threats and risks. It also made me wonder whether we in the cybersecurity industry sometimes make things harder than they need to be by describing risks in ways that sound frightening, technical, or overwhelming to people who simply want to understand what they need to do to better protect themselves and their businesses.

The problem with how we talk about threats

As anyone who has seen me speak knows, I’m not one for throwing my hands up in the air and declaring the world is about to end or indulging in irresponsible hype. I don’t believe in selling security by fear, uncertainty, and doubt, otherwise known as FUD. I’ve always believed that one of my roles is to raise awareness of information security as an important business issue, not to scare people into buying more stuff.

I naturally tend to look at any new or emerging security threat and automatically think of it simply as a risk to be managed. But because of my line of work as a security consultant, am I so used to talking about data breaches, CEO fraud, or ransomware in a measured way that I don’t realise the extent to which it frightens other people who aren’t as immersed in this area as me.

Thinking about it some more a while later, I remembered a conversation with one of the organisers just before the event. This person was in the financial planning business, so naturally he asked me if I had appropriate protection both for my business and for myself personally. I had always thought that I had most boxes ticked from an insurance or pension perspective, but his conversation got me thinking, and yes, I’ll admit it made me slightly afraid that maybe I was missing some crucial piece to ensure I was fully protected.

What it feels like to be the non-expert in the room

I’m pretty sure his intention wasn’t to scare me. All he was doing was applying his domain knowledge to my situation. It was me, as a non-expert in financial matters, who reacted the way I did.

Ultimately, each of us is an expert in our own field. The event organiser happened to work in financial planning, so pensions and insurance were a natural conversation starter, just as information security would be for me. For many of us, venturing into areas beyond our own expertise can provoke varying degrees of worry or anxiety. To the uninitiated, any talk of technology is enough to tip their needle towards outright panic.

Part of the problem is the language we use. In cybersecurity we talk about “threat actors”, “Advanced Persistent Threats”, “phishing campaigns” and “compromised credentials”. To us, these are everyday terms, but to everyone else, they can sound like something from a spy novel. In reality, we’re often talking about criminals, scams, fraud, and people trying to trick us into handing over money or information.

The history of fear-based marketing in security

The cybersecurity industry has long relied on fear to drive sales. In the 1990s, antivirus companies ran ads showing crashed computers and stolen identity, framing the internet as a lawless wild west. By the 2000s, the rise of data breaches and the term “cyberwar” from nation-state attacks further amplified a climate of fear. Vendors often highlight worst-case scenarios—complete network destruction, multimillion-dollar ransomware payouts—to justify high-priced tools. While these dangers are real, constantly emphasizing them has created a culture where many business leaders feel helpless or overwhelmed, leading to either paralysis or checkbox compliance rather than meaningful risk reduction.

The impact on non-technical audiences

When people feel overwhelmed by warnings about cybercrime, they often react in one of two ways: some dismiss the advice because it feels too complicated or alarmist, others become so worried about making a mistake that they avoid using technology altogether. Neither response helps. Consider a small business owner who hears about ransomware and decides it’s too complex to address, so they do nothing. Or an employee who, after a security awareness session, becomes so anxious about clicking a wrong link that they stop using email efficiently. These are real consequences of fear-driven communication.

Research from behavioral psychology shows that fear appeals are most effective when paired with clear, actionable steps. If the threat feels overwhelming but no solution is offered, people ignore it to reduce anxiety. Conversely, if the solution is presented as simple and effective, people are more likely to act. This means cybersecurity communicators must go beyond warnings and provide concrete actions like enabling multi-factor authentication, using password managers, and knowing how to report suspicious emails.

Translating technical jargon into everyday language

One of the simplest ways to reduce fear is to replace technical jargon with plain terms. Instead of saying “threat actor,” say “criminal.” Instead of “phishing campaign,” say “fraudulent email.” Instead of “compromised credentials,” say “stolen passwords.” When we use language that people already understand, the problem feels more familiar and manageable. We can also use analogies from everyday life: a firewall is like a lock on your door; antivirus software is like a vaccine; software updates are like getting a regular checkup. These comparisons help non-experts grasp the concepts without the intimidation.

Financial planners already do this for their clients: they explain compound interest with stories, not formulas. Cybersecurity professionals must adopt similar techniques. The goal is not to simplify the truth but to present it in a way that invites understanding rather than fear.

Practical steps for communicators

To shift from fear-based to empowerment-based cybersecurity communication, we can follow a few guidelines:

  • Focus on the “why” and the “how”: Explain why a threat matters in the context of the audience’s daily life, and then give clear, actionable steps they can take. For example, instead of warning about social engineering, explain that criminals may call pretending to be IT support, and instruct employees to never share passwords over the phone.
  • Use stories that show success, not just disaster: Share examples of how someone avoided a scam because they knew what to look for. Positive reinforcement builds confidence.
  • Avoid statistics that shock without context: Saying “80% of businesses will be breached” can cause paralysis. Instead, say “most breaches start with a phishing email; here’s how to spot one.”
  • Tailor the message to the audience: A talk for financial planners should include analogies from their world—like comparing a security audit to a tax audit. Relevance reduces fear because the audience feels the information applies directly to them.
  • Encourage questions and create a safe space: Admit that security is complex and it’s okay to ask for help. This humility from experts can disarm fear.

The role of security professionals in redefining the narrative

From a security perspective, my recent experience was a valuable reminder that what we in the profession perceive as normal and everyday can be a frightening subject to anyone outside the bubble. The truth is, many of us in business rely on the expertise and knowledge of other professionals, whether that’s legal, finance or PR. Many of them will use terms we’re not familiar with. It’s not our job to be experts in those domains but to be sufficiently well informed to ask the right questions of those who are providing us with that expertise.

On the flip side of that, if we’re the ones being asked to share our knowledge to provide guidance, it’s up to us to think about how we deliver the message to educate, not intimidate. Cybersecurity should not be about frightening people with stories of hackers, breaches, and worst-case scenarios. It should be about helping people understand the practical steps they can take to reduce risk. The goal is not to turn everyone into cybersecurity experts, but to help people recognise scams, ask good questions, make informed decisions, and feel confident using technology. If people leave a security presentation feeling empowered rather than frightened, then we’ve done our job properly.


Source: Help Net Security News


Share:

Your experience on this site will be improved by allowing cookies Cookie Policy