Trying to justify FUD is like putting lipstick on a pig

Nov 25, 2008

Business Continuity, IT Leadership

I’m taking a break from my series on business continuity event management to address a growing problem—using anecdotes, often unsubstantiated, to build a business case on a foundation of fear.

FUD (Fear, Uncertainty, and Doubt) is increasingly used by politicians to get our attention and drive agendas.  Our security vendors use similar tactics when trying to get a foot in the door or convince management the sky will fall if the product on the table is not implemented.  In both politics and business, FUD-driven decisions are based on emotion rather than analysis.

In my opinion, FUD is any information provided for the purpose of evoking an emotional response.  If used to get someone’s attention, it can be useful.  However, if used instead of a financial-based business value analysis or a security risk assessment to justify a purchase, FUD crosses the border into the realm of bad management.

In a blog post, Michael R. Farnum addressed this issue.  He wrote,

…it really comes down to “buyer beware” in every case.  Basically, you have to approach any sales meeting with a healthy dose of paranoia and skepticism.  Listen for signs of dishonesty or technical bull crap.  Don’t be dazzled by shiny new security stuff.  I have made that mistake, and it will get you into trouble.  It sucks having to think in this manner, but that is just the way it is if you want to make healthy buying decisions.

Source: How do you define FUD?, 25 November 2008

So how do you minimize the amount of FUD thrown around at a sales meeting?  Further, how do you make sure FUD drifting around the Internet doesn’t cause your CEO to come to work after a weekend of reading about the end of civilization as we know it, demanding Monday morning solutions for security and business continuity threats of seemingly mythical proportions?  Easy.  Educate yourself on the threats and the risks to your business before sitting down with a sales team.  And make sure you frequently share this information with your boss.

Threats to continued business operation exist.  They always will.  Our job is to understand them and ensure our continuity and security frameworks mitigate risk to an acceptable level.  These controls should also provide at least minimal protection from emerging threats.

The best way I know to ensure I’m doing the right things, and to communicate my actions to my boss, is to use a controls matrix.  Building a controls matrix around a set of security requirements provides a clear picture of current state.  It also lets me see which controls already in place address a new requirement arising from a new or modified threat.  Before I sit down with any security or business continuity solution vendor, I make sure I have a need based on analysis of risk and a review of the matrix.  I share this information with the solution provider’s account team, and drive the discussion toward addressing my specific needs.  I don’t allow vendors to come in to sell me a solution I don’t already know I need.  I do my homework.
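The following is an added example of the controls-matrix review described above; it is not code from the original post, and the requirements, controls and capability labels in it are constructed for illustration.  Each control is tagged with the capabilities it provides, each requirement with the capabilities it needs, so a new requirement derived from a new threat (here a constructed ransomware-recovery requirement) can be checked against the existing matrix before any vendor meeting.

```python
"""Controls matrix gap analysis (added example; data is constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    provides: frozenset  # capability labels this control delivers


@dataclass(frozen=True)
class Requirement:
    rid: str
    description: str
    needs: frozenset  # capability labels required to satisfy it


# Constructed sample controls currently in place.
CONTROLS = [
    Control("Offsite backups, restore tested quarterly", frozenset({"backup", "restore"})),
    Control("Endpoint anti-malware", frozenset({"malware-block"})),
    Control("Database access logging to SIEM", frozenset({"access-log", "alerting"})),
]

# Constructed sample requirements the matrix was built around.
REQUIREMENTS = [
    Requirement("R1", "Restore critical systems within 4 hours", frozenset({"backup", "restore"})),
    Requirement("R2", "Block commodity malware at the endpoint", frozenset({"malware-block"})),
    Requirement("R3", "Detect unauthorized access to customer data", frozenset({"access-log", "alerting"})),
]

# Constructed new requirement prompted by a new threat (e.g. a vendor pitch
# about ransomware); the point is to see what the matrix already covers.
NEW_REQUIREMENT = Requirement(
    "R4",
    "Recover file servers after a ransomware outbreak",
    frozenset({"backup", "restore", "malware-block", "network-segmentation"}),
)


def assess(req, controls):
    """Return coverage of one requirement: which controls supply each needed
    capability, which capabilities are missing, and an overall status."""
    covered_by = {}
    for control in controls:
        for cap in sorted(control.provides & req.needs):
            covered_by.setdefault(cap, []).append(control.name)
    missing = sorted(req.needs - set(covered_by))
    if not missing:
        status = "covered"
    elif covered_by:
        status = "partial"
    else:
        status = "gap"
    return {"rid": req.rid, "status": status, "covered_by": covered_by, "missing": missing}


def matrix_report(requirements, controls):
    """Assess every requirement in the matrix against the controls in place."""
    return {req.rid: assess(req, controls) for req in requirements}


if __name__ == "__main__":
    for rid, result in matrix_report(REQUIREMENTS, CONTROLS).items():
        print(rid, result["status"], result["missing"])
    new = assess(NEW_REQUIREMENT, CONTROLS)
    print(new["rid"], new["status"], "missing:", new["missing"])
```

Run as written, the three existing requirements report as covered, and the new ransomware-recovery requirement reports as partial: backups, restore and endpoint anti-malware already exist, and the only real gap is network segmentation.  That gap, not the vendor's anecdote, is what a purchase discussion should be about.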

FUD is never a good reason to meet with a vendor, enter into a pilot, or ask for a bigger budget.  The informed manager is less easily swayed by tales of impending doom, and makes decisions which support a well-defined strategy.


Tom Olzak is an information security researcher and an IT professional with more than 34 years of experience in programming, network engineering and security. He has an MBA and a CISSP certification. He is an online instructor for the University of Phoenix, facilitating 400-level security classes.

Tom has held positions as an IS director, director of infrastructure engineering, director of information security and programming manager at a variety of manufacturing, healthcare and distribution companies. Before entering the private sector, he served 10 years in the U.S. Army Military Police, with four years as a military police investigator.

Tom has written three books: Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide. He is also the author of various papers on security management and has been a blogger for, TechRepublic, and Tom Olzak on Security.

The opinions expressed in this blog are those of Tom Olzak and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.