In Depth

The FUD Factor

Fear, uncertainty and doubt (FUD) may help scare your company into short-term compliance, but CSOs say that's a shortsighted strategy.

By Daintry Duffy

Page 5

4 Speak the Language

CSOs need to talk to management in business terms. This is vitally important to the success of a security program for a number of reasons, but it's also particularly critical to the goal of eradicating FUD. Talking to executives about "hacks" and "pings" might be effective at getting them all worked up, but chances are they'll have no idea what to do with the information. "I worked at a place before where you dropped the word hacker, and the pocketbooks opened up," says Hansen.

But the lawyers at Sonnenschein are technology savvy enough that the scare tactics don't work there, and the only way to have a useful dialogue is to talk strictly in business terms. If there's a vulnerability, Hansen translates it right into its corresponding business effect; for example, he'll show that if a particular router goes down, an attorney who would normally bill 18 hours a day could only bill six. That gets management's attention pretty quickly.

CSOs need to take themselves out of the security and technology world in communicating with executives. "I tease people that I'm not really in the security business. I'm in the risk management business," says Tyminski. "When you take issues and threats and match them with what the business risk is, it gets you out of the FUD area."

5 Play the Numbers

Meticulously gathered and maintained metrics will always make quicker work of convincing management of the need for a security investment than a scary story. CSOs who keep good metrics can drop the FUD and let the numbers do the talking. "Every tool I buy collects metrics, runs reports and keeps logs," says Wagner. You could use general scenarios and still make an eloquent argument for e-mail filtering software, but "when you can tell an executive that you're logging 150,000 spam a day, that really makes an impact." At Sonnenschein, Hansen uses a tool from Catbird Networks to constantly gather information about network integrity, connectivity and application performance. The tool also stores all the information it gathers, allowing Hansen and his staff to do historical trend analysis and perform baseline comparisons.

Although numbers about security breaches and attacks have historically been sketchy, more precise figures come out every day. The more ammunition a CSO can gather from real-world cases and from his own organization, the better prepared he will be to make a compelling argument for funding. At Equifax, Mecsics has one employee devoted to checking government sites and intelligence sources to gather information that Mecsics can use to make his cases to management. (See "One CSO's Toolkit for Executive Communication.") When Mecsics walks up to the sixth floor to the executive suites, they know that he's coming with reproducible information and validated data, as opposed to something he just saw on the evening news or heard from a security colleague.
