- How and why scare tactics eventually backfire
- Practical ideas for more effectively communicating security risks and requirements
To one degree or another, we all live with FUD - the cacophony of fears, uncertainties and doubts that plague daily life. Will my superannuation account ever rebound? Did I leave the coffeepot on this morning? Am I really going to get a brain tumour from my mobile phone?
But while we're all allowed to be neurotic worrywarts in our private lives, it's seldom a quality that's admired in business. So why do so many security executives still rely on gloom and doom tactics to sell management on security investments?
Well, for one thing, it's easy - there's a wealth of scare stories to choose from. Most organisations still view security as a cost centre, and it's much simpler to make a dramatic "invest or else" argument than it is to connect security expenditures to the company's bottom line with analysis and research. The term FUD was originally coined in the 1970s in reference to IBM's marketing technique of spreading scary rumours about a competitor's new product to dissuade customers from taking a "risk" by buying it. FUD relies on emotion - not reason - to make a sale (or prevent one). "If you're having a [security] discussion where you're talking about what happened to the other guy and not looking at it in terms of what it [realistically] means to your company, and it's all about them and not about you - then you're probably using FUD," says Ken Tyminski, vice president and CISO for Prudential Financial.
Security executives and management experts agree that FUD is a short-term fix that destroys the security team's credibility in the long term. Having witnessed FUD's shortcomings firsthand, CSOs and CIOs are developing more practical and realistic techniques for making the case for security.
Conjuring up the frightening spectre of stolen customer information, a media maelstrom and a plummeting stock price may create a dramatic impact, but when CSOs and CIOs call a crisis every time they need funding, they'll find that management catches on quickly. "That [approach] may work once or twice in a true crisis situation where the bad guys have come over the back fence," says Jim Mecsics, vice president of corporate security for Equifax. "But when you approach corporate officers with the tactics of fear, you're walking into a trap. Somebody will eventually say: 'OK, show me where the real [emergency] is', and then your credibility is shot." FUD is a particularly common tactic in the lower ranks of a security organisation - among those who haven't learned how to make a data-driven risk management argument. CSOs and CIOs who don't stamp out FUD in their teams create as much of a problem as the ones who use it in personal conversations with senior executives.
Mecsics has the stories that prove the point. Just after 9/11, he was working with a government organisation that decided it needed to radically increase its manpower to cope with the concerns over terrorist threats. The organisation set up a conference and during a period of three days hastily gathered input from all its field agents to take to the senior leadership. Instead of research and risk analysis, many of the agents' arguments were based on guesswork and were rooted in the fear and uncertainty of September 11. Mecsics says the organisation's management started asking questions and saw through the frenzy the security personnel were whipping up, and ultimately came to believe that the security team was simply trying to feather its own nest by capitalising on the terrorist attacks. The net result was that the security team lost its credibility. In another organisation, Mecsics says, senior executives were so frightened by the security group's use of scare tactics that they became obsessed with concerns that the company would be irreparably harmed by a security event, and they lost the ability to look at the issue rationally. "They got worked into such a frenzy that it was like a runaway train," says Mecsics.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.