I’m not usually a complainer, but I’m tired of receiving security surveys. They’ve become almost like spam, and in some ways worse. For a variety of reasons, I’ve gotten to the point where I just delete the e-mails or throw the official-looking, color glossy ones in the trash.

For loyal readers, I’ll get back to cyber ethics next time, but I can’t resist a short blog to complain about the number of IT survey requests we receive. Since I know I’m not the only one getting these, I thought I’d better express my concerns. Here are a few points to ponder:

1) Most of these come via e-mail from companies I’ve never heard of nor hear from again. Who’s to say these aren’t bad guys? They may claim to represent someone else, but ….

2) They often ask very detailed questions about incidents, vulnerabilities, architectures, tools, etc. My thoughts: I’m not going to tell you that. I don’t even tell some internal people about that stuff.

3) They’re often marketing ploys to sell you something or get their foot in the door.

4) Many times they offer you a free tee shirt, pen, or maybe even a $25 dollar Starbucks card. Please. Are you willing to give away “government confidential information” or even less important info for being entered into a drawing? Is this basically a sophisticated phishing technique? How many people bite?

5) Sometimes they try to make you feel special to lower your guard. They may even offer you an exclusive “white paper” or free research for your time. Consider this (slightly modified) e-mail:

“Dear Colleague,

XYZ Research is conducting a short 3 minute online survey to learn how IT Professionals like you are managing their desktop systems and security. For your participation in this research poll we will send you a free copy of the final report prepared by XYZ Research.

We are only sending this invitation to a small group of thought leaders who are senior executives and who have been referred to us for participation.”

I wonder how many people got the same message?
Now the hard part. I realize that my attitude is not good news for the “serious survey information seekers,” like the CSI/FBI Computer Crime Survey. How are certain organizations going to get real numbers and industry metrics? How are the “Think Tanks” going to tell us about industry security trends if we don’t fill these out? There are exceptions, but not 1-2 a week!

My view is that you’d better know who you’re dealing with, what they’re doing with the info, and how this affects your job. Your name and information may not really be anonymous. Even with numerous caveats, I still think the risks are often too high to fill these security surveys out. I now answer very few.

I’d like to hear the vendor perspectives on these. Can we reach some type of truce? I doubt it, since CSOs are inundated with vendor e-mail and phone calls as well. I say these may be worse than spam, since they are more directed and sometimes require more thought before I hit the delete button. In reality, that’s now changing.

I’d really like to hear how you deal with these surveys and your reasoning for filling them out or not.