Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

The FUD Factor

Fear, uncertainty and doubt may help scare your company into short-term compliance, but security experts say that's a shortsighted strategy
Page:

Reader ROI

  • How and why scare tactics eventually backfire
  • Practical ideas for more effectively communicating security risks and requirements

To one degree or another, we all live with FUD - the cacophony of fears, uncertainties and doubts that plague daily life. Will my superannuation account ever rebound? Did I leave the coffeepot on this morning? Am I really going to get a brain tumour from my mobile phone?

But while we're all allowed to be neurotic worrywarts in our private lives, it's seldom a quality that's admired in business. So why do so many security executives still rely on gloom and doom tactics to sell management on security investments?

Well, for one thing, it's easy - there's a wealth of scare stories to choose from. Most organisations still view security as a cost centre, and it's much simpler to make a dramatic "invest or else" argument than it is to connect security expenditures to the company's bottom line with analysis and research. The term FUD was originally coined in the 1970s in reference to IBM's marketing technique of spreading scary rumours about a competitor's new product to dissuade customers from taking a "risk" by buying it. FUD relies on emotion - not reason - to make a sale (or prevent one). "If you're having a [security] discussion where you're talking about what happened to the other guy and not looking at it in terms of what it [realistically] means to your company, and it's all about them and not about you - then you're probably using FUD," says Ken Tyminski, vice president and CISO for Prudential Financial.

Security executives and management experts agree that FUD is a short-term fix that destroys the security team's credibility in the long term. Having witnessed FUD's shortcomings firsthand, CSOs and CIOs are developing more practical and realistic techniques for making the case for security.

Conjuring up the frightening spectre of stolen customer information, a media maelstrom and a plummeting stock price may create a dramatic impact, but when CSOs and CIOs call a crisis every time they need funding, they'll find that management catches on quickly. "That [approach] may work once or twice in a true crisis situation where the bad guys have come over the back fence," says Jim Mecsics, vice president of corporate security for Equifax. "But when you approach corporate officers with the tactics of fear, you're walking into a trap. Somebody will eventually say: 'OK, show me where the real [emergency] is', and then your credibility is shot." FUD is a particularly common tactic in the lower ranks of a security organisation - among those who haven't learned how to make a data-driven risk management argument. CSOs and CIOs who don't stamp out FUD in their teams create as much of a problem as the ones who use it in personal conversations with senior executives.

Mecsics has the stories that prove the point. Just after 9/11, he was working with a government organisation that decided it needed to radically increase its manpower to cope with the concerns over terrorist threats. The organisation set up a conference and during a period of three days hastily gathered input from all its field agents to take to the senior leadership. Instead of research and risk analysis, many of the agents' arguments were based on guesswork and were rooted in the fear and uncertainty of September 11. Mecsics says the organisation's management started asking questions and saw through the frenzy the security personnel were whipping up, and ultimately came to believe that the security team was simply trying to feather its own nest by capitalising on the terrorist attacks. The net result was that the security team lost its credibility. In another organisation, Mecsics says, senior executives were so frightened by the security group's use of scare tactics that they became obsessed with concerns that the company would be irreparably harmed by a security event, and they lost the ability to look at the issue rationally. "They got worked into such a frenzy that it was like a runaway train," says Mecsics.

Page:

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: ACT, Allstate, Andersen, Andersen, Bill, Boss, Dialogue, Eloquent, eMotion, Equifax, HIS Limited, IBM, Network Integrity, Prudential

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Whitepapers
Latest Stories
Community Comments
Latest Blog Posts
Whitepapers
  • Oracle Exadata: Extreme Performance Lowest Cost
    As organisations contend with escalating demands for greater quantities of information, more sophisticated data analysis, and a burgeoning user population, Oracle Exadata makes database workloads faster, easier to manage, and less expensive. Oracle Exadata is the world’s first database machine to provide extreme performance for both data warehousing and online transaction processing (OLTP) applications.
    Learn more »
  • CISO Guide to Next Generation Threats - Combating Advanced Malware, Zero-Day and Targeted APT Attacks
    Over 95% of businesses unknowingly host compromised endpoints, despite their use of firewalls, intrusion prevention systems (IPS), antivirus and Web gateways.1 Today’s attacks look new and unknown to signature-based tools because the attacks employ advanced malware and zero-day vulnerabilities. To regain the upper hand against next-generation attacks, enterprises must turn to true next-generation protection: signature-less, proactive and real time. Read on.
    Learn more »
  • SOA Best Practices and Design Patterns
    By learning from the experiences of those organisations that have been through the process and looking at the standard best practices of large‐scale technology implementations, success can come earlier and more dramatically. Read more now.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments