Signal to noise
The most widespread problem in information security, however, is the constant crying of wolf. Within an organization, executives quickly become jaded when every security problem is referred to as "critical" and risk summaries contain page after page of technical esoterica cut-and-pasted from Nessus scanning reports.
Conversely, even the lowest-level users start to ignore risks over which they have no control. When the smallest detail is broadcast to the lowest level, it's not surprising to see people set up email rules to automatically delete every security alert from IT.
Outside the organization, certain security consultants and so-called-experts become known for fear mongering in professional circles, and are eventually dismissed as blowhards after drowning others in false positives in the present, or by endlessly recounting war stories of times long past.
I suggest sticking to the facts, and presenting conditions and discoveries in a sane, context-appropriate manner. Give executives risk information that pertains to the business instead of details about technical infrastructure that's intended to insulate the business from risk. Don't ever dump raw security data on unprepared people. Give them information they can use, and ask them questions they can answer.
Likewise, don't bother office workers with alerts and cranky warnings about security risks when they have no control or authority over preventive or reactive defenses. Tell 'em what they need to know, and let them come looking if they want more.
If it's useful -- for political, budgetary or just general-interest reasons -- one can increase the signal-to-noise ratio of information security status and incidents by establishing a security topics mailing list. The content of such a list shouldn't provide current vulnerability details that would be of significant help to a troublemaker, but might convey the dashboard-style status within the organization, with links to explanations and more reading. If nothing else, this is a nice way to address another classic security problem: If we're doing our jobs right, no one knows we exist.
Jon Espenschied has been at play in the security industry for enough years to become enthusiastic, blase, cynical, jaded, content and enthusiastic again. He is Director of Security Consulting at a Pacific Northwest organization, and continues to have his advice ignored by CEOs, auditors and sysadmins alike.