Many presentations by information security managers for stakeholders within their organizations include the depiction of a lifecycle in one form or another to underline that information security is not a one-off project, but a continuous activity. However, often these depictions focus on what you do (such as NIST Cybersecurity Framework: Identify Protect Detect Respond Recover) or how you do it (such as Deming cycle: Plan Do Check Act). As useful as these lifecycle models are, they often do not resonate as well as expected with the audience, because they do not give the reason why we do information security. Marketing professionals will tell you that you need to start with the why to get your message across. Only the why gives stakeholders purpose and motivates them to take action.