In Depth

The FUD Factor

Fear, uncertainty and doubt (FUD) may help scare your company into short-term compliance, but CSOs say that's a shortsighted strategy.

By Daintry Duffy


Absent a formal, distributed security group, CSOs can fashion their own informal one by partnering with key business unit leaders who will help spread the word about security and back up security initiatives with business unit support. To build these relationships, focus not only on helping fellow business executives understand what the security function can do for them but also on ensuring that they see security as a help rather than a hindrance. CSOs who are always putting the brakes on business projects and lecturing about why things can't be done, as opposed to providing solutions, earn a reputation as business disablers rather than enablers. That is why business units frequently try to circumvent the security process.

Adam Hansen, who heads up the security program at law firm Sonnenschein, recommends focusing partnership efforts on a few business executives. "Once a couple of forward thinkers jump on board with you, they'll drag the rest," he says. Pay particular attention to building a strong relationship with the audit group, because when the CEO and CFO are pushing back on a necessary security expenditure and the CSO's anxiety level is rising, the audit group can escalate the concern to the board of directors level.

3 Educate and Deflate

When a CSO takes the time to educate management about security, it smooths the way for rational budget discussions and reduces the need for FUD. A big part of that education process is making sure management's expectations from the security organization are realistic. Information security is of particular note in this regard. "I still think there's some misconception about IT security and what it can accomplish," says Marc Rogers, principal research scientist with the Internet Innovations Center at the University of Manitoba and director of information security services for Manageworx Infosystems. "There are so many interdependencies, and sticking a finger in one hole in a leaky dike doesn't fix the other nine or 10 holes." CSOs need to temper management's expectations of security so that executives understand that a great firewall doesn't fix everything; all the other pieces such as an intrusion detection system, password protection and antivirus need to be in place and functioning as a cohesive whole.

CSOs can help manage expectations by communicating continually about the company's previous security investments so that management knows what is paying off and, more important, what isn't, and why. While these conversations can be uncomfortable, they are necessary for business management to understand the real capabilities and limitations of various security measures. CSOs who track this kind of information and communicate it proactively to top management earn important credibility.
