The FUD Factor
Fear, uncertainty and doubt (FUD) may help scare your company into short-term compliance, but CSOs say that's a shortsighted strategy.
By Daintry Duffy
April 01, 2003 — CSO — To one degree or another, we all live with FUD—the cacophony of fears, uncertainties and doubts that plague daily life. Will my 401(k) account ever rebound? Did I leave the coffeepot on this morning? Am I really going to get a brain tumor from my cell phone?
But while we're all allowed to be neurotic worrywarts in our private lives, it's seldom a quality that's admired in business. So why do so many security executives still rely on gloom and doom tactics to sell management on security investments?
Well, for one thing, it's easy—there's a wealth of scare stories to choose from. Most organizations still view security as a cost center, and it's much simpler to make a dramatic "invest or else" argument than it is to connect security expenditures to the company's bottom line with analysis and research. The term FUD was originally coined in the 1970s in reference to IBM's marketing technique of spreading scary rumors about a competitor's new product to dissuade customers from taking a "risk" by buying it. FUD relies on emotion, not reason, to make a sale (or prevent one). "If you're having a [security] discussion where you're talking about what happened to the other guy and not looking at it in terms of what it [realistically] means to your company, and it's all about them and not about you
Security executives and management experts agree that FUD is a short-term fix that destroys the security team's credibility in the long term. Having witnessed FUD's shortcomings firsthand, CSOs are developing more practical and realistic techniques for making the case for security.
Conjuring up the frightening specter of stolen customer information, a media maelstrom and a plummeting stock price may create a dramatic impact, but when CSOs call a crisis every time they need funding, they'll find that management catches on quickly. "That [approach] may work once or twice in a true crisis situation where the bad guys have come over the back fence," says Jim Mecsics, vice president of corporate security for Equifax. "But when you approach corporate officers with the tactics of fear, you're walking into a trap. Somebody will eventually say, 'OK, show me where the real [emergency] is,' and then your credibility is shot." FUD is a particularly common tactic in the lower ranks of a security organization—among those who haven't learned how to make a data-driven risk management argument. A CSO who doesn't stamp out FUD in his team creates as much of a problem as the CSO who uses it in personal conversations with senior executives.
Mecsics has the stories that prove the point. Just after 9/11, he was working with a government organization that decided it needed to radically increase its manpower to cope with the concerns over terrorist threats. The organization set up a conference and during a period of three days hastily gathered input from all its field agents to take to the senior leadership. Instead of research and risk analysis, many of the agents' arguments were based on guesswork and were rooted in the fear and uncertainty of Sept. 11. Mecsics says the organization's management started asking questions and saw through the frenzy the security personnel were whipping up, and ultimately came to believe that the security team was simply trying to feather its own nest by capitalizing on the terrorist attacks. The net result was that the security team lost its credibility. In another organization, Mecsics says, senior executives were so frightened by the security group's use of scare tactics that they became obsessed with concerns that the company would be irreparably harmed by a security event, and they lost the ability to look at the issue rationally. "They got worked into such a frenzy that it was like a runaway train," says Mecsics.
FUD also wastes money. When CSOs buy and implement a security initiative based on fear, they'll have a much harder time managing and assessing it based on merit and actual results. "You can end up spending money to put a solution in place that can demonstrate no value," says Tyminski. "It can make the security program so expensive that people won't believe in it anymore."
But fundamentally, the problem with FUD is that it sets up a destructive pattern of communication between the CSO and management; it breeds mistrust and second-guessing. A CSO's persistent use of FUD tactics will eventually color management's view of everything he says and does, affecting their perception of his abilities and the security function as a whole. Do you want to be the business enabler who is always ready with ideas and who projects good security as a competitive advantage? Or the executive who always walks into meetings with a dire prediction to levy?
In place of FUD, CSOs offer the following strategies for communicating security risks and requirements.
1 Change Your Attitude