Salaries for IS practitioners have been rising constantly, the market for security products and services is much bigger than it was five or ten years ago, and more firms are entering it. Years ago it was pretty blunt, concentrating on web defacements and Denial of Service takedowns “the hackers are coming”. Now, sleek statistics from reputable firms or institutions are used, so the language has also become more grown up: “organizations should secure,”, “we must ensure that every piece of critical information in a company is appropriately secured”, etc. The problem with these approaches is that the need for security is not personalized enough to trigger a buying decision.