Why security pros are addicted to FUD and what you can do about it

Despite professing anti-FUD rhetoric, cyber experts fan the flames, breathlessly sharing the details of the latest data breaches. It's a risky addiction that can lead to security apathy in enterprises. Here's how to harness it.

After more than 30 years in the security industry, I must confess, I am (sadly) still addicted to FUD. For example, one recent morning I clicked (and tweeted) these cyber headline stories:

Indeed, big data breach stories and other major security incidents that keep offering large doses of fear, uncertainty and doubt (FUD) to the world, just keep drawing me back.

Despite my best efforts to stay positive about cybersecurity and keep clear of that dangerous, addictive substance, bad news FUD is still winning me over.

But…. I’m not the only one, there are plenty of us that are tempted by FUD. In fact, it is my opinion that, despite professing anti-FUD rhetoric, the vast majority of cyber experts have the exact same problem – even if they don’t know it. Allow me to explain.  

My history with FUD

Backing up a bit, I have studied the many dangers of indulging in FUD and have written about it several times before, defining the good, the bad and the ugly of FUD back in 2012. There is little doubt that FUD, when overused, can certainly destroy security careers and harm one’s credibility and hurt the security industry as a whole. Many experts proclaim a critical need to cut the FUD.

But like a hungry boy drawn by the smell of freshly baked chocolate-chip cookies on the kitchen table, I’m hopelessly attracted to the juicy details behind big banks being hacked, credit agency employees falling for phishing scams, ransomware bringing down governments, cyber pirates hacking ships, the latest zero-day malware that defeats Microsoft or Google or Apple, big tech companies making stupid online mistakes, cars stolen by hackers' radio transmitters, NSA employees and contractors turning to the dark side and more and more and more.

Yes – my enquiring mind wants to know. …

I get excited when a major new data breach hits the top headline of the Wall Street Journal, New York Times, USA Today or the Washington Post. I often see big hacks and other huge cyber problems as opportunities – not societal ills.

When the Target, Equifax, OPM, Yahoo and other data breaches were announced, I devoured the details, surfing the cyberspace for the “rest of the story,” hidden secrets, and expert commentary. I share my views on LinkedIn, tweet about various aspects and angles of the security problems, argue with simple fixes and explain how the story fits into historical context.

I write about cyber incidents, hacking trends, breach predictions, new technologies like IoT — and try to connect the never-ending security ramification dots. When bad news surfaces, I ask: What does it all mean? What’s next?

I add the best articles to a database of stories regarding vulnerabilities, malware causes, hackers, ransomware, dumb mistakes, best practices and more. I go to data breach “tell all details” sessions at security conferences.

But before you laugh and say “been there, done that, got the T-shirt,” I have a challenge for you. Do a little soul searching. Are your prone to this too? Really?

I think the majority of security pros and hackers that I know act in a similar way – even if they consider themselves security “enablers.”

Yes, I even went through major “FUD rehab” more than a decade ago. I became (one of the first) professed security enablers (anti-FUD champions) back in 2006, and tell stories at more recent conferences about my redemption from FUD. You can read about that history here, and how I almost got fired as a CISO before I figured out that I needed to get to a “secure yes” using technology.  

But the problems live on as our global cyber challenges accelerate.

Is FUD in our cyber industry DNA?

So how did I learn about this hard reality and come back to relook at FUD – again, right now?

Back in February, I was at a Super Bowl party, where I saw a friend that I typically talk to a few times a year in Michigan. He came right up to me and said (in a melancholy tone), “Dan, I see your posts on LinkedIn all the time. I love your writing, but I can’t read them anymore.”

“Why?” I slowly responded.

 “I just get too depressed reading about all that negative security news. It’s all problems, hacks, breaches, lawsuits, privacy violations, and worse. No good news. But things can’t be that bad – since technology is booming.”

 (Side note: At this point someone interrupted us with a game update of a touchdown for one team, and we never finished the conversation.)

That exchange stuck in my mind for months – leading to this article. 

I started asking myself questions: Is FUD in my DNA? Why do I keep going back to these stories?

I analyzed my LinkedIn posts, Tweets and other online activities. My weekly blogs were varied, well-rounded and offered cybersolutions, so that didn’t seem to be the top concern.  

But I did notice a more negative trend with my tweets and LinkedIn posts, likes and comments. I did tend to send out multiple posts when a big data breach story broke. These posts received the most attention, likes, comments, responses and dialogue.

And it wasn’t just me. Analyzing Brian Krebs and several other well-known security bloggers, I saw even more data breach focus. I wondered if endless descriptions regarding these stories – and even breaking the news of new data breaches – hadn’t become a part of how our cyber industry survives and thrives. Don’t people have a right to know? Don’t they have a need to know?   

Diagnosis: Why is FUD so addicting?

After pondering FUD further, I diagnosed why these negative stories are so popular. Here are a few reasons for FUD growth:

  • Viral attention
  • Easy to talk about – everyone is doing it
  • Front and center – hard data – facts are facts
  • Gets a lot of easy attention in social media (likes, comments, more connections)
  • Keeps you relevant – for now – shows need for security
  • Shows that you keep up with news – even deciphering fake news
  • Questions people will ask anyway. Why not beat them to the punch?
  • Play Monday morning QB –Those stupid idiots… - I would never… yada, yada, yada…
  • Cyber solutions are hard
  • Need to understand problems (i.e., think like a hacker) to understand how to build solutions
  • Solutions often don’t work well or only work for a moment in time
  • Bad actors can go around solutions almost like a roadblock
  • Solutions can make you vulnerable to counterattacks   
  • Stay illusive. Don’t get pinned down
  • Viral attention (yes, it's bears repeating)

Living with FUD

While I am convinced that the FUD addiction will be with us for the rest of my life, I also believe that FUD does have role to play in the industry. Here are a few ideas that can help harness the power of FUD:

  • Be aware – Understand your own actions and the natural security pro tendency to “share the FUD” as described above.
  • Offer cyber solutions – Even when you do share FUD, don’t leave people hanging. Even one cyber hygiene tip (or two) can help. What could have been done to prevent the issue? Use more thoughtful answers when possible.
  • Make FUD an appetizer, not the main course.  When using FUD in conversations, presentations or as examples, don’t make it the main topic. Provide a balanced cyber diet.

Final thought: As this blogger points out, the opposite of FUD is often security apathy. Passionate security pros can struggle when others neglect, ignore or dismiss cyber risks as not being relevant or worth addressing in the enterprise. In those cases, FUD is many times used to defeat the naysayers.

But FUD becomes a serious long-term concern when overused. The Chicken Little, yelling FUD too often can burn people out.

This “FUD / apathy pendulum” can swing back and forth while pragmatic business people look for a reasonable middle ground.  One helpful goal is to become (or maintain the role as) the trusted advisor who, even if you are addicted to FUD, offers your business best practice solutions that can help reduce cyber risk in reasonable ways — without hype.

So how about you? Are you ready to cut the FUD – or not?

Related:
SUBSCRIBE! Get the best of CSO delivered to your email inbox.