In security, resilience and disaster recovery discussions with your client, how do you go about threading the needle between “scaring the pants off them” and “she’ll be right mate”?

When I look around me, the weight of discussion seems to be towards the latter, rather than the former. I could conclude that the client has been getting advice from idiots and charlatans, but that might be considered uncharitable, not to mention potentially career limiting.

I’ve had to read the riot act on a couple of occasions in my 40 year career, whilst it gets the job done, it’s never fun.

What is your winning strategy to get the client to go, oh, Oh, ooooh, fuck, without running a mile?