Home » Security Leadership » Exec. Communication

The FUD Factor

Fear, uncertainty and doubt (FUD) may help scare your company into short-term compliance, but CSOs say that's a shortsighted strategy.

Mecsics has the stories that prove the point. Just after 9/11, he was working with a government organization that decided it needed to radically increase its manpower to cope with the concerns over terrorist threats. The organization set up a conference and during a period of three days hastily gathered input from all its field agents to take to the senior leadership. Instead of research and risk analysis, many of the agents' arguments were based on guesswork and were rooted in the fear and uncertainty of Sept. 11. Mecsics says the organization's management started asking questions and saw through the frenzy the security personnel were whipping up, and ultimately came to believe that the security team was simply trying to feather its own nest by capitalizing on the terrorist attacks. The net result was that the security team lost its credibility. In another organization, Mecsics says, senior executives were so frightened by the security group's use of scare tactics that they became obsessed with concerns that the company would be irreparably harmed by a security event, and they lost the ability to look at the issue rationally. "They got worked into such a frenzy that it was like a runaway train," says Mecsics.

FUD also wastes money. When CSOs buy and implement a security initiative based on fear, they'll have a much harder time managing and assessing it based on merit and actual results. "You can end up spending money to put a solution in place that can demonstrate no value," says Tyminski. "It can make the security program so expensive that people won't believe in it anymore."

But fundamentally, the problem with FUD is that it sets up a destructive pattern of communication between the CSO and management; it breeds mistrust and second-guessing. A CSO's persistent use of FUD tactics will eventually color management's view of everything he says and does, affecting their perception of his abilities and the security function as a whole. Do you want to be the business enabler who is always ready with ideas and who projects good security as a competitive advantage? Or the executive who always walks into meetings with a dire prediction to levy?

In place of FUD, CSOs offer the following strategies for communicating security risks and requirements.

1 Change Your Attitude
CSOs say the first step in banishing FUD is to lose the Chicken Little attitude yourself. Scare tactics are seldom necessary in discussions of security anyway. "With security, you don't need to exaggerate the exposures because they really are scary enough already," says Pat Schuler, a Minneapolis-based management coach and consultant who has worked with a number of Fortune 500 clients. Executives want a CSO to give a rational, factual presentation of the situation followed by his recommendations for the next steps to take. That information can cover the worst-case scenario, or risks associated with inaction, but without any unnecessary drama. Schuler recommends that CSOs condense information into bulleted items as a FUD-proof format for communicating a situation that executives can quickly and easily understand. "It can be empowering [for managers] if you give them all the information, make your recommendation and then instead of pushing harder, step back to let them make a decision," says Schuler. "Nobody likes to be pushed up against a wall, and that's when FUD really doesn't work."