In Depth
The FUD Factor
Fear, uncertainty and doubt (FUD) may help scare your company into short-term compliance, but CSOs say that's a shortsighted strategy.
By Daintry Duffy
As management's filter for all the security information about viruses and hackers that floats over the transom, CSOs are tasked with providing a clear-eyed, steady-handed perspective on what each event or news item means to their companies. "Just the facts, ma'am. That's the way I operate
When all that senior managers hear from their CSOs is a succession of bad news, they will quickly learn to tune them out. Mecsics has witnessed situations where a security executive lost stature within his organization for always going into the boss's office with bad news. Suddenly it becomes impossible for him to get on the CEO's schedule, and he is pushed to a vice president to have his information vetted and filtered.
Lew Wagner, CISO at the M.D. Anderson Cancer Center at the University of Texas, suggests that security executives make a point of picking off some low-hanging fruit in the first year on the job to establish a flow of positive information to management. When the Bugbear virus started to wend its way through corporate networks last fall, Wagner made a point of letting managers know that even though two major institutions had been felled by the virus, their organization was protected. Wagner also created a site for all of his user community (including management) with tips for identifying security threats and guidelines for safe online behavior at work and at home.
2 Forge Connections
Communicating about security is particularly hard when the security executive is the only one doing the talking. CSOs say FUD is the last resort of those who haven't forged critical executive partnerships and set in place education initiatives that broaden the base of security responsibility.
At Allstate, Assistant Vice President and CISO Kim Van Nostern works with a team of information protection governance officers who act as her security tentacles throughout the organization. "These 50 officers are responsible for making sure that security education and awareness is prevalent throughout our company," she says. "Security is not just a one-person job; it's a shared responsibility." Too often, CSOs hesitate to delegate responsibility for security. They set themselves up as the resource for all security information within the company. Instead of spreading their knowledge, they choose to listen to the voice of self-preservation that whispers, If I'm the only one who knows what's going on, they can't fire me. But the ability to build consensus and delegate is critical to avoiding FUD and communicating effectively about security. Mecsics describes this approach to the CSO role as being an "advocate" rather than the "focal point."