Speak Business: Stop Selling Fear, Start Solving Problems

Josh Mason · 35:14 · 2025 · Track 2

leadershippublic-speakingcareer

Josh Mason on speak business. A Track 2 session from Simply CyberCon 2025.

Open this segment on YouTube ↗ · jumps to 4:19:15 in the Track 2 livestream

Speak Business: Stop Selling Fear, Start Solving Problems

Josh Mason, a former C-130 pilot turned cyber educator at Synack, opens with three hands-up questions: who has fought tooth and nail for security budget, who has filed the same pentest report twice, who has tried to brief a SOC report up to executives and been told to get back to work. Most hands stay up. His thesis is that cybersecurity professionals are selling fear to people who do not buy fear, and the fix is learning to speak the business's language.

The C-130 Lesson

Josh learned this in the Air Force. After qualifying as a co-pilot he was assigned the additional duty of safety officer and spent a month in Albuquerque investigating plane crashes. Tenerife in 1977 (two 747s on the runway, the deadliest crash in history) reset global flight safety. The lesson he took: when you fix the system, you stop hunting for crashes. You stop scanning the horizon for breaches. You go do the mission. Cyber treats prevention as the mission. Prevention is not the mission. The mission is whatever the company is actually trying to accomplish, and security exists to enable it.

Carnegie, Not CISSP

Josh leans on Dale Carnegie hard. People are 100 times more interested in themselves and their problems than in yours. Talk in terms of the other person's interests. He is autistic and has had to study these social mechanics deliberately, and his MBA gave him a vocabulary (CapEx vs OpEx, churn rate, cost of acquisition, loss conversions) that most security people never learn. You do not need an MBA. Read a Sec+ flashcard deck for business terms once and you are most of the way there. Then use AI for the OSINT: ask Gemini or Claude what your company is about, what they are working on this quarter, what the CEO would care about.

Reframe the Same Story

The core demonstration: same vulnerability, same fix, two framings. Framing one starts with "I found a CVSS 8.5" and the executive tunes out. Framing two starts with "if we do not patch this, demos start failing and deals stall, I can fix it in an hour, just wanted to give you a heads up." Same story, completely different relationship. By week two, executives are coming to you to ask what they should know. By the end of the month, you are no longer the boogeyman, you are strategic. Same work. Different opening sentence.

Who Should Watch

Anyone trying to get budget approved who keeps getting walked over. Pentesters whose reports get filed and forgotten. Anyone climbing toward a CISO seat who needs to translate technical findings into revenue, risk, and BAU. New entrants who think the certs alone will carry them.