I've been thinking about this for a bit. Vendors and InfoSec pros alike use Fear, Uncertainty and Doubt to sell their gear and services. I like Fear. It is a great motivator and, as long as you resist the temptation to panic, you (well, at least I) tend to rationalize options, engage in constructive decision-making discussions and formulate solutions that reflect both business goals and protection of assets. So I say keep the Fear! It's the Uncertainty and Doubt that we should clearly have issues with. IMHO Security Awareness should be an essential element of your enterprise security architecture. REAL awareness, again, not your SOX checkbox. With awareness comes Understanding. And the direct result of Understanding your InfoSec Fears is the Confidence to meet them head on and be able to effectively manage your business risk decisions. Sound advice, I say, and a nice little elevator pitch at that.
And you can't beat the acronym.