


Another Security Survey… Just Say No.

Feb 07, 2007 (3 min read)
Careers | Data and Information Security | Identity Management Solutions

  I’m not usually a complainer, but I’m tired of receiving security surveys. They’ve become almost like spam, and in some ways worse. For a variety of reasons, I’ve gotten to the point where I just delete the e-mails or throw the official-looking, color glossy ones in the trash.

For loyal readers, I’ll get back to cyber ethics next time, but I can’t resist a short blog to complain about the number of IT survey requests we receive. Since I know I’m not the only one getting these, I thought I’d better express my concerns. Here are a few points to ponder:

1)       Most of these come via e-mail from companies I’ve never heard of and never hear from again. Who’s to say these aren’t bad guys? They may claim to represent someone else, but ….

2)       They often ask very detailed questions about incidents, vulnerabilities, architectures, tools, etc. My thoughts: I’m not going to tell you that. I don’t even tell some internal people about that stuff.

3)       They’re often marketing ploys to sell you something or get their foot in the door.

4)       Many times they offer you a free tee shirt, pen, or maybe even a $25 Starbucks card. Please. Are you willing to give away “government confidential information,” or even less important info, for being entered into a drawing? Is this basically a sophisticated phishing technique? How many people bite?

5)       Sometimes they try to make you feel special to lower your guard. They may even offer you an exclusive “white paper” or free research for your time. Consider this (slightly modified) e-mail: 

“Dear Colleague,

XYZ Research is conducting a short 3 minute online survey to learn how IT Professionals like you are managing their desktop systems and security. For your participation in this research poll we will send you a free copy of the final report prepared by XYZ Research.

We are only sending this invitation to a small group of thought leaders who are senior executives and who have been referred to us for participation.”

I wonder how many people got the same message?

Now the hard part. I realize that my attitude is not good news for the “serious survey information seekers,” like the CSI/FBI Computer Crime Survey. How are certain organizations going to get real numbers and industry metrics? How are the “Think Tanks” going to tell us about industry security trends if we don’t fill these out?

There are exceptions, but not 1-2 a week! My view is that you’d better know who you’re dealing with, what they’re doing with the info, and how this affects your job. Your name and information may not really be anonymous. Even with numerous caveats, I still think the risks are often too high to fill these security surveys out. I now answer very few.

I’d like to hear the vendor perspectives on these. Can we reach some type of truce? I doubt it, since CSOs are inundated with vendor e-mail and phone calls as well. I say these may be worse than spam, since they are more directed and sometimes require more thought before I hit the delete button. In reality, that’s now changing.

 I’d really like to hear how you deal with these surveys and your reasoning for filling them out or not.


Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist and author. During his distinguished career, Dan has served global organizations in the public and private sectors in a variety of executive leadership capacities, including enterprise-wide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan State Government. Dan was named: "CSO of the Year," "Public Official of the Year," and a Computerworld "Premier 100 IT Leader." Dan is the co-author of the Wiley book, “Cyber Mayday and the Day After: A Leader’s Guide to Preparing, Managing and Recovering From Inevitable Business Disruptions.” Dan Lohrmann joined Presidio in November 2021 as an advisory CISO supporting mainly public sector clients. He formerly served as the Chief Strategist and Chief Security Officer for Security Mentor, Inc. Dan started his career at the National Security Agency (NSA). He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US / UK military facility. Lohrmann is on the advisory board for four university information assurance (IA) programs, including Norwich University, University of Detroit Mercy (UDM), Valparaiso University and Walsh College. Earlier in his career he authored two books - Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD For You: The Guide to Bring Your Own Device to Work. Mr. Lohrmann holds a Master's Degree in Computer Science (CS) from Johns Hopkins University in Baltimore, Maryland, and a Bachelor's Degree in CS from Valparaiso University in Indiana.
