In Depth

The FUD Factor

Fear, uncertainty and doubt (FUD) may help scare your company into short-term compliance, but CSOs say that's a shortsighted strategy.

By Daintry Duffy

Mecsics also uses a data-mining, mapping and spreadsheet technology called Compstat (developed by William Bratton's staff during his tenure as New York City's police commissioner) to identify and track security-related incidents within the company. Bratton used Compstat to find specific information about the criminal patterns in the city down to the precinct and neighborhood level so that he could better mobilize his officers to solve problems.

Mecsics uses it for the same purpose but is focused specifically on the company's network and the issue of security. As problems and patterns are revealed, Mecsics and his team deploy resources to fight them. The process requires constant review of those tactics. If a month passes and nothing improves, then the team changes its approach. "We have a security staff huddle session once a month where we talk about major issues and do a mini-Compstat on all our major issues whether it's fraud, governance or legal requirements," says Mecsics. The technology enables the security team not only to get a jump on emerging problems but also to stay on top of longstanding issues so that nothing falls through the cracks.

Is there such a thing as good FUD? While most CSOs claim there is not, a few, when pressed, will admit that FUD can be an asset if used judiciously. Hansen uses it for tabletop exercises to map out worst-case scenarios and measure the company's level of preparedness for various situations. "In a tight economy, CSOs will be more likely to have success with the FUD approach, especially if they do have legitimate security exposures," says management consultant Schuler. "Senior management is often better able to envision dire results than positive benefits."

So a little fear can be healthy when the risks demand it, but painting a vivid picture shouldn't be taken to the point of exaggeration. Schuler admits it is a fine line. FUD should be the weapon of last resort. When it's overused or used carelessly, it can put a CSO's career in jeopardy. "Our bosses are not used to emotions, and a CSO owes it to his profession to be a professional and make a business case," says Mecsics. "Not to be the guy screaming, 'Batten down the hatches!'"
