Opinion

Good FUD Vs. Bad: Is There Really A Difference?

A couple security bloggers suggest CSO Senior Editor Bill Brenner spreads FUD in a column that's supposed to be anti-FUD. Why he agrees -- to a point

By Bill Brenner, Senior Editor

Page 2

Let's try to look past my irritation at being criticized by people who hide behind screen names while my identity is there for all to see. Put that aside and I think tranquilo makes an excellent point. The security community and journalists who follow it would definitely benefit from the common framework he's talking about.

Security concepts get mixed up in the wrong language all the time. Industry heavyweight Chris Hoff has made the point over and over again as it relates to cloud computing. People often lack a clear understanding of what it is and talk about cloud computing and virtualization as if they were the same thing, when they are not. [See: Chris Hoff on Virtualization and Cloud Computing]

But the bigger point for me is that these bloggers suggested I'm spreading FUD when my column is pitched as anti-FUD. It's a fair point; one that begs for a little clarification.

The column is indeed designed to put a spotlight on the kind of FUD that makes certain issues seem much more severe than they really are for the sake of generating publicity for a particular security vendor.

But the goal of the column is also to point out cases where FUD might be justified.

In the case of security vendors and other companies suffering data breaches, I think some FUD is necessary because security vendors are there to defend us and need to be held to a higher standard. Maybe that's unfair. But it's my opinion all the same.

Regarding the "death of pen testing" article: We didn't publish it for the simple sake of fanning the page-view flames. Chess offered an opinion that we covered in hopes of generating the kind of public discussion that forces us to revisit our old views and be open to new ideas. I personally didn't buy Chess' argument and think pen testing will always be one of many important tools in the security arsenal. But it's an opinion he's entitled to hold.

Running the article had the desired effect. We got plenty of good feedback and Core Security Technologies CTO Ivan Arce wrote a rebuttal Industry View column. [See: Twelve Reasons Pen testing Won't Die]

So if Mordaxus and tranquilo are reading this, my offer stands. If you think I'm distorting the truth, say so in a guest column.

About FUD Watch: Senior Editor Bill Brenner scours the Internet in search of FUD - overhyped security threats that ultimately have little impact on a CSO's daily routine. The goal: help security decision makers separate the hot air from genuine action items. To point us toward the industry's most egregious FUD, send an e-mail to bbrenner@cxo.com.
