The FUD Factor

To one degree or another, we all live with FUD—the cacophony of fears, uncertainties and doubts that plague daily life. Will my 401(k) account ever rebound? Did I leave the coffeepot on this morning? Am I really going to get a brain tumor from my cell phone?

But while we’re all allowed to be neurotic worrywarts in our private lives, it’s seldom a quality that’s admired in business. So why do so many security executives still rely on gloom and doom tactics to sell management on security investments?

Well, for one thing, it’s easy—there’s a wealth of scare stories to choose from. Most organizations still view security as a cost center, and it’s much simpler to make a dramatic “invest or else” argument than it is to connect security expenditures to the company’s bottom line with analysis and research. The term FUD was originally coined in the 1970s in reference to IBM’s marketing technique of spreading scary rumors about a competitor’s new product to dissuade customers from taking a “risk” by buying it. FUD relies on emotion, not reason, to make a sale (or prevent one). “If you’re having a [security] discussion where you’re talking about what happened to the other guy and not looking at it in terms of what it [realistically] means to your company, and it’s all about them and not about youthen you’re probably using FUD,” says Ken Tyminski, vice president and CISO for Prudential Financial.

Security executives and management experts agree that FUD is a short-term fix that destroys the security team’s credibility in the long term. Having witnessed FUD’s shortcomings firsthand, CSOs are developing more practical and realistic techniques for making the case for security.

Conjuring up the frightening specter of stolen customer information, a media maelstrom and a plummeting stock price may create a dramatic impact, but when CSOs call a crisis every time they need funding, they’ll find that management catches on quickly. “That [approach] may work once or twice in a true crisis situation where the bad guys have come over the back fence,” says Jim Mecsics, vice president of corporate security for Equifax. “But when you approach corporate officers with the tactics of fear, you’re walking into a trap. Somebody will eventually say, ‘OK, show me where the real [emergency] is,’ and then your credibility is shot.” FUD is a particularly common tactic in the lower ranks of a security organization—among those who haven’t learned how to make a data-driven risk management argument. A CSO who doesn’t stamp out FUD in his team creates as much of a problem as the CSO who uses it in personal conversations with senior executives.

Mecsics has the stories that prove the point. Just after 9/11, he was working with a government organization that decided it needed to radically increase its manpower to cope with the concerns over terrorist threats. The organization set up a conference and during a period of three days hastily gathered input from all its field agents to take to the senior leadership. Instead of research and risk analysis, many of the agents’ arguments were based on guesswork and were rooted in the fear and uncertainty of Sept. 11. Mecsics says the organization’s management started asking questions and saw through the frenzy the security personnel were whipping up, and ultimately came to believe that the security team was simply trying to feather its own nest by capitalizing on the terrorist attacks. The net result was that the security team lost its credibility. In another organization, Mecsics says, senior executives were so frightened by the security group’s use of scare tactics that they became obsessed with concerns that the company would be irreparably harmed by a security event, and they lost the ability to look at the issue rationally. “They got worked into such a frenzy that it was like a runaway train,” says Mecsics.

FUD also wastes money. When CSOs buy and implement a security initiative based on fear, they’ll have a much harder time managing and assessing it based on merit and actual results. “You can end up spending money to put a solution in place that can demonstrate no value,” says Tyminski. “It can make the security program so expensive that people won’t believe in it anymore.”

But fundamentally, the problem with FUD is that it sets up a destructive pattern of communication between the CSO and management; it breeds mistrust and second-guessing. A CSO’s persistent use of FUD tactics will eventually color management’s view of everything he says and does, affecting their perception of his abilities and the security function as a whole. Do you want to be the business enabler who is always ready with ideas and who projects good security as a competitive advantage? Or the executive who always walks into meetings with a dire prediction to levy?

In place of FUD, CSOs offer the following strategies for communicating security risks and requirements.

1 Change Your Attitude

CSOs say the first step in banishing FUD is to lose the Chicken Little attitude yourself. Scare tactics are seldom necessary in discussions of security anyway. “With security, you don’t need to exaggerate the exposures because they really are scary enough already,” says Pat Schuler, a Minneapolis-based management coach and consultant who has worked with a number of Fortune 500 clients. Executives want a CSO to give a rational, factual presentation of the situation followed by his recommendations for the next steps to take. That information can cover the worst-case scenario, or risks associated with inaction, but without any unnecessary drama. Schuler recommends that CSOs condense information into bulleted items as a FUD-proof format for communicating a situation that executives can quickly and easily understand. “It can be empowering [for managers] if you give them all the information, make your recommendation and then instead of pushing harder, step back to let them make a decision,” says Schuler. “Nobody likes to be pushed up against a wall, and that’s when FUD really doesn’t work.”

As management’s filter for all the security information about viruses and hackers that floats over the transom, CSOs are tasked with providing a clear-eyed, steady-handed perspective on what each event or news item means to their companies. “Just the facts, ma’am. That’s the way I operatejust the facts, and no emotion,” says Mecsics. “I have to be able to cull out the bad and superfluous information.”

When all that senior managers hear from their CSOs is a succession of bad news, they will quickly learn to tune them out. Mecsics has witnessed situations where a security executive lost stature within his organization for always going into the boss’s office with bad news. Suddenly it becomes impossible for him to get on the CEO’s schedule, and he is pushed to a vice president to have his information vetted and filtered.

Lew Wagner, CISO at the M.D. Andersen Cancer Center at the University of Texas, suggests that security executives make a point of picking off some low-hanging fruit in the first year on the job to establish a flow of positive information to management. When the Bugbear virus started to wend its way through corporate networks last fall, Wagner made a point of letting managers know that even though two major institutions had been felled by the virus, their organization was protected. Wagner also created a site for all of his user community (including management) with tips for identifying security threats and guidelines for safe online behavior at work and at home.

2 Forge Connections

Communicating about security is particularly hard when the security executive is the only one doing the talking. CSOs say FUD is the last resort of those who haven’t forged critical executive partnerships and set in place education initiatives that broaden the base of security responsibility.

At Allstate, Assistant Vice President and CISO Kim Van Nostern works with a team of information protection governance officers who act as her security tentacles throughout the organization. “These 50 officers are responsible for making sure that security education and awareness is prevalent throughout our company,” she says. “Security is not just a one-person job; it’s a shared responsibility.” Too often, CSOs hesitate to delegate responsibility for security. They set themselves up as the resource for all security information within the company. Instead of spreading their knowledge, they choose to listen to the voice of self-preservation that whispers, If I’m the only one who knows what’s going on, they can’t fire me. But the ability to build consensus and delegate is critical to avoiding FUD and communicating effectively about security. Mecsics describes this approach to the CSO role as being an “advocate” rather than the “focal point.”

Absent a formal, distributed security group, CSOs can fashion their own informal one by partnering with key business unit leaders who will help spread the word about security and back up security initiatives with business unit support. To build these relationships, focus on not only helping fellow business executives understand what the security function can do for them but on ensuring that they see security as a help rather than a hindrance. CSOs who are always putting the brakes on business projects and lecturing about why things can’t be done, as opposed to providing solutions, earn a reputation as business disablers rather than enablers. That is why business units frequently try to circumvent the security process.

Adam Hansen, who heads up the security program at law firm Sonnenschein, recommends focusing partnership efforts on a few business executives. “Once a couple of forward thinkers jump on board with you, they’ll drag the rest,” he says. Pay particular attention to building a strong relationship with the audit group because when the CEO and CFO are pushing back on a necessary security expenditure and the CSO’s anxiety level is rising, the audit group can escalate the concern to the board of director level.

3 Educate and Deflate

When a CSO takes the time to educate management about security, it smooths the way for rational budget discussions and reduces the need for FUD. A big part of that education process is making sure management’s expectations from the security organization are realistic. Information security is of particular note in this regard. “I still think there’s some misconception about IT security and what it can accomplish,” says Marc Rogers, principal research scientist with the Internet Innovations Center at the University of Manitoba and director of information security services for Manageworx Infosystems. “There are so many interdependencies, and sticking a finger in one hole in a leaky dike doesn’t fix the other nine or 10 holes.” CSOs need to temper management’s expectations of security so that executives understand that a great firewall doesn’t fix everything; all the other pieces such as an intrusion detection system, password protection and antivirus need to be in place and functioning as a cohesive whole.

CSOs can help manage expectations by communicating continually about the company’s previous security investments so that management knows what is paying off and, more important, what isn’t, and why. While these conversations can be uncomfortable, they are necessary for business management to understand the real capabilities and limitations of various security measures. CSOs who track this kind of information and communicate it proactively to top management earn important credibility.

4 Speak the Language

CSOs need to talk to management in business terms. This is vitally important to the success of a security program for a number of reasons, but it’s also particularly critical to the goal of eradicating FUD. Talking to executives about “hacks” and “pings” might be effective at getting them all worked up, but chances are they’ll have no idea what to do with the information. “I worked at a place before where you dropped the word hacker, and the pocketbooks opened up,” says Hansen.

But the lawyers at Sonnenschein are technology savvy enough that the scare tactics don’t work there, and the only way to have a useful dialogue is to talk strictly in business terms. If there’s a vulnerability, Hansen translates it right into its corresponding business effect; for example, he’ll show that if a particular router goes down, an attorney who would normally bill 18 hours a day could only bill six. That gets management’s attention pretty quickly.

CSOs need to take themselves out of the security and technology world in communicating with executives. “I tease people that I’m not really in the security business. I’m in the risk management business,” says Tyminski. “When you take issues and threats and match them with what the business risk is, it gets you out of the FUD area.”

5 Play the Numbers

Meticulously gathered and maintained metrics will always make quicker work of convincing management of the need for a security investment than a scary story. CSOs who keep good metrics can drop the FUD and let the numbers do the talking. “Every tool I buy collects metrics, runs reports and keeps logs,” says Wagner. You could use general scenarios and still make an eloquent argument for e-mail filtering software, but “when you can tell an executive that you’re logging 150,000 spam a day, that really makes an impact.” At Sonnenschein, Hansen uses a tool from Catbird Networks to constantly gather information about network integrity, connectivity and application performance. The tool also stores all the information it gathers, allowing Hansen and his staff to do historical trend analysis and perform baseline comparisons.

Although numbers about security breaches and attacks have historically been sketchy, more precise figures come out every day. The more ammunition a CSO can gather from real-world cases and from his own organization, the better prepared he will be to make a compelling argument for funding. At Equifax, Mecsics has one employee devoted to checking government sites and intelligence sources to gather information that Mecsics can use to make his cases to management. (See “One CSO’s Toolkit for Executive Communication,”) When Mecsics walks up to the sixth floor to the executive suites, they know that he’s coming with reproducible information and validated dataas opposed to something he just saw on the evening news or heard from a security colleague.

Mecsics also uses a data-mining, mapping and spreadsheet technology called Compstat (developed by William Bratton’s staff during his tenure as New York City’s police commissioner) to identify and track security-related incidents within the company. Bratton used Compstat to find specific information about the criminal patterns in the city down to the precinct and neighborhood level so that he could better mobilize his officers to solve problems.

Mecsics uses it for the same purpose but is focused specifically on the company’s network and the issue of security. As problems and patterns are revealed, Mecsics and his team deploy resources to fight them. The process requires constant review of those tactics. If a month passes and nothing improves, then the team changes its approach. “We have a security staff huddle session once a month where we talk about major issues and do a mini-Compstat on all our major issues whether it’s fraud, governance or legal requirements,” says Mecsics. The technology not only enables the security team to get a jump on emerging problems but also to stay on top of longstanding issues so that nothing falls through the cracks.

Is there such a thing as good FUD? While most CSOs claim there is not, a few when pressed will admit that if used judiciously, FUD can be an asset. Hansen uses it for tabletop exercises to map out worst-case scenarios and measure the company’s level of preparedness for various situations. “In a tight economy, CSOs will be more likely to have success with the FUD approach, especially if they do have legitimate security exposures,” says management consultant Schuler. “Senior management is often better able to envision dire results than positive benefits.”

So a little fear can be healthy when the risks demand it, but painting a vivid picture shouldn’t be taken to the point of exaggeration. Schuler admits it is a fine line. FUD should be the weapon of last resort. When it’s overused or used carelessly, it can put a CSO’s career in jeopardy. “Our bosses are not used to emotions, and a CSO owes it to his profession to be a professional and make a business case,” says Mecsics. “Not to be the guy screaming, ‘Batten down the hatches!'”