The FUD Factor

Fear, uncertainty and doubt (FUD) may help scare your company into short-term compliance, but CSOs say that's a shortsighted strategy.

Meticulously gathered and maintained metrics will always make quicker work of convincing management of the need for a security investment than a scary story. CSOs who keep good metrics can drop the FUD and let the numbers do the talking. "Every tool I buy collects metrics, runs reports and keeps logs," says Wagner. You could use general scenarios and still make an eloquent argument for e-mail filtering software, but "when you can tell an executive that you're logging 150,000 spam a day, that really makes an impact." At Sonnenschein, Hansen uses a tool from Catbird Networks to constantly gather information about network integrity, connectivity and application performance. The tool also stores all the information it gathers, allowing Hansen and his staff to do historical trend analysis and perform baseline comparisons.

Although numbers about security breaches and attacks have historically been sketchy, more precise figures come out every day. The more ammunition a CSO can gather from real-world cases and from his own organization, the better prepared he will be to make a compelling argument for funding. At Equifax, Mecsics has one employee devoted to checking government sites and intelligence sources to gather information that Mecsics can use to make his cases to management. (See "One CSO's Toolkit for Executive Communication.") When Mecsics walks up to the sixth floor to the executive suites, they know that he's coming with reproducible information and validated data, as opposed to something he just saw on the evening news or heard from a security colleague.

Mecsics also uses a data-mining, mapping and spreadsheet technology called Compstat (developed by William Bratton's staff during his tenure as New York City's police commissioner) to identify and track security-related incidents within the company. Bratton used Compstat to find specific information about the criminal patterns in the city down to the precinct and neighborhood level so that he could better mobilize his officers to solve problems.

Mecsics uses it for the same purpose but is focused specifically on the company's network and the issue of security. As problems and patterns are revealed, Mecsics and his team deploy resources to fight them. The process requires constant review of those tactics. If a month passes and nothing improves, then the team changes its approach. "We have a security staff huddle session once a month where we talk about major issues and do a mini-Compstat on all our major issues whether it's fraud, governance or legal requirements," says Mecsics. The technology not only enables the security team to get a jump on emerging problems but also to stay on top of longstanding issues so that nothing falls through the cracks.
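The metrics practices described above (keeping historical logs for baseline comparison, and reviewing incident categories month by month so a tactic that is not improving gets changed) can be reduced to a small piece of analysis. The following Python script is an added example and is not code from the article, Catbird Networks or Compstat; the incident records, category names and thresholds are all constructed for illustration. It builds a per-category monthly series, takes the first few months as the baseline, scores the latest month against that baseline, and classifies the recent trend so that categories needing a change of approach are listed rather than left to fall through the cracks.

```python
"""Baseline comparison and trend review over monthly security-incident counts.

Added example (not from the original article). All records below are
constructed sample data; category names and thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (month, category, count).
SAMPLE_RECORDS = [
    ("2003-01", "spam_blocked", 140000), ("2003-02", "spam_blocked", 150000),
    ("2003-03", "spam_blocked", 145000), ("2003-04", "spam_blocked", 155000),
    ("2003-05", "spam_blocked", 152000), ("2003-06", "spam_blocked", 210000),
    ("2003-01", "fraud", 12), ("2003-02", "fraud", 14), ("2003-03", "fraud", 13),
    ("2003-04", "fraud", 15), ("2003-05", "fraud", 16), ("2003-06", "fraud", 18),
    ("2003-01", "policy_violation", 40), ("2003-02", "policy_violation", 38),
    ("2003-03", "policy_violation", 35), ("2003-04", "policy_violation", 30),
    ("2003-05", "policy_violation", 26), ("2003-06", "policy_violation", 22),
]


def build_series(records):
    """Group records into {category: [count per month, in month order]}."""
    by_cat = defaultdict(dict)
    for month, category, count in records:
        # Sum duplicates so several feeds for one month still give one value.
        by_cat[category][month] = by_cat[category].get(month, 0) + count
    # YYYY-MM strings sort chronologically, so sorting keys orders the series.
    return {cat: [v for _, v in sorted(months.items())]
            for cat, months in by_cat.items()}


def baseline_stats(values, baseline_len):
    """Mean and population standard deviation of the first baseline_len months."""
    base = values[:baseline_len]
    return mean(base), pstdev(base)


def assess_category(values, baseline_len=3, review_window=3, z_threshold=2.0):
    """Compare the latest month with the baseline and classify the recent trend."""
    if len(values) <= baseline_len:
        raise ValueError("need more months than the baseline length")
    mu, sigma = baseline_stats(values, baseline_len)
    latest = values[-1]
    if sigma > 0:
        z = (latest - mu) / sigma
    else:
        # A flat baseline has no spread; any change is then a departure.
        z = 0.0 if latest == mu else float("inf")
    recent = values[-review_window:]
    steps = list(zip(recent, recent[1:]))
    if all(b > a for a, b in steps):
        trend = "worsening"
    elif all(b < a for a, b in steps):
        trend = "improving"
    else:
        trend = "flat"
    return {
        "baseline_mean": mu,
        "baseline_stdev": sigma,
        "latest": latest,
        "z_score": z,
        "outside_baseline": abs(z) >= z_threshold,  # worth raising with management
        "trend": trend,
        "change_tactics": trend != "improving",     # the monthly review rule
    }


def review(records, **kwargs):
    """Run the monthly review for every category in the records."""
    return {cat: assess_category(vals, **kwargs)
            for cat, vals in build_series(records).items()}


if __name__ == "__main__":
    for cat, result in review(SAMPLE_RECORDS).items():
        flag = "CHANGE TACTICS" if result["change_tactics"] else "keep course"
        print(f"{cat:17s} latest={result['latest']:>7} "
              f"z={result['z_score']:+6.2f} trend={result['trend']:9s} {flag}")
```

Run as a script it prints one review line per category; the `z_score` answers "is this month unusual against what we normally see?" while `trend` answers "has the approach we adopted actually moved the number?". Only the second question drives the change-of-tactics decision, so a category that is anomalously low because a control is working is reported as improving, not as a problem.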

Is there such a thing as good FUD? While most CSOs claim there is not, a few when pressed will admit that if used judiciously, FUD can be an asset. Hansen uses it for tabletop exercises to map out worst-case scenarios and measure the company's level of preparedness for various situations. "In a tight economy, CSOs will be more likely to have success with the FUD approach, especially if they do have legitimate security exposures," says management consultant Schuler. "Senior management is often better able to envision dire results than positive benefits."

So a little fear can be healthy when the risks demand it, but painting a vivid picture shouldn't be taken to the point of exaggeration. Schuler admits it is a fine line. FUD should be the weapon of last resort. When it's overused or used carelessly, it can put a CSO's career in jeopardy. "Our bosses are not used to emotions, and a CSO owes it to his profession to be a professional and make a business case," says Mecsics. "Not to be the guy screaming, 'Batten down the hatches!'"

Copyright © 2003 IDG Communications, Inc.