If you can come up with a way to make IT security “sexy” than you’ll likely make a mint. To me security is equivalent to insurance:
- You buy it to prevent “bad stuff” that might happen
- You usually only look at it annually (or even less frequently) or after something bad happens and you discover you are inadequately covered
- The sales and purchase process is universally detested; no one likes to talk about all the “bad stuff,” and feels like they’re getting hoodwinked into buying more than they need during the sales process.
Rather than trying to come up with more dire scenarios, or bigger scarier numbers, I would personally turn my pitch into something like “Hey, we both know you need this, we both know it’s a painful process, we’ll help you make it fast, relatively painless, and work with you to understand the right level of protection as your ‘security advocate’ of sorts.”
That would assume you’re not in bed with all the vendors and getting a larger profit the more of their stuff you sell. I don’t think insurance/security are ever going to be perceived as high value products (unless the client just went through a disaster), but if you can present yourself as acting in the client’s best interest then you could have a more compelling value statement than the vendors that just want to scare you into buying more stuff.