Estimated Reading Time: 4 minutes
The time for FUD is over… Long Live FUD…
I’ve been known to say that ‘I’ve been in InfoSec since before it was cool’. After twenty years of being on the front lines, first as a consultant, then as the one responsible for implementing a strategy and building the programs, I’ve truly lost count of the times I’ve heard others using FUD to further their agenda and get the resources and budget they needed to accomplish their goals.
For those new to the term or the industry, FUD stands for Fear. Uncertainty. Doubt. – and it was the mantra of the early security vendors who were trying to sell firewalls and proxies into large enterprises who were just starting to understand this ‘new’ thing called the Internet. Back before security teams even existed, the security of the network fell to the one who knew the network the best – the network engineers. It wasn’t long before many of these engineers adopted the FUD strategy, telling their executives that the Internet was full of bad people and stuff we didn’t know about, so we needed firewalls… lots and lots of firewalls to protect us from the unknown.
Admittedly, these early owners of information security had little to work with. There was little, if any, business justification for the cost of these early security devices, so the only recourse many had was to strike fear into those with a budget, proclaiming the evils of the Internet without having any real justification, and with it, the idea of the Information Security Fear Monger came to be –and FUD became their most valuable tool.
These days, most successful CISO’s avoid the legacy definition of FUD at all costs. We rarely – if ever – rely on fear and scare tactics to justify budgets or increased levels of controls throughout the organization. Rather, we understand the organization’s appetite for business and technology risk, we articulate those risks in a way the business owners can understand and executive boards can support. We do this, in many ways, by redefining the meaning of FUD and continually reinforcing it throughout our teams and all levels of the enterprise. In today’s risk-centric world, the only way a CISO can truly be successful, both in their job and in their career, is to live by FUD 2.0 – Facts, Understanding, and Discussion.
Our jobs, as CISO’s, CSO’s, or CIRO’s, is to mitigate risk throughout the enterprise to a level that’s acceptable to the business owners and executive boards. Our job is not to deploy the latest security tool, gadget, policy, or service because we think it’s cool or lands in a certain upper-right-hand box in a chart, but because we understand the potential risk it mitigates, either today, tomorrow, or next year. We do this by gathering the facts of the actual threat, understanding how that threat could impact the organization and are able to articulate and have discussions with executives and business lines about how they could be impacted. It is our job to educate them, not scare them, thereby enabling them to make the right decisions by understanding the impact on the entire company.
Many times, however, the struggle is to translate the risk that you inherently understand to actual discussion points our business lines understand. How do you explain the actual risk of a targeted threat, a denial of service, the latest exploit kit, or any of the other things we see each day into something a typically non-technical person can understand? How does one articulate such risks to the person who has the responsibility to generate ever-increasing revenue for the company, that implementing anti-APT, or and inline IPS or WAF, will be aligned with – and further – their revenue goals? That is the true challenge in front of today’s CISO.
I often try to relate what I do on a daily basis to something that has a real-world equivalent, and the one I rely on most is, oddly enough, seat belts. All vehicles produced since 1966 included factory-installed seatbelts. Yet, while you couldn’t purchase a new car without them for 18 years, it took laws mandating their use in 1984 before passengers actually used them with some regularity. Looking at it from a pure risk perspective, what truly was the opposition? The risk of not wearing them had to be simple to understand, not like the complexity of today’s cyber environment. But if the life or death risk proposition that came with not wearing seat belts wasn’t enough to get people to wear them, are we really surprised when our executives don’t understand the risk proposition of the technological world we live in today?
Now, there is no doubt that all of the fear-mongering occurring in the press these days can be useful. Rarely a day, much less a week, passes without the announcement of this breach or that accidental private information disclosure. While the press seems to truly be having a field day with these news bites, today’s Security Executive finds value in leveraging the news as part of a thought-out awareness plan, using these as examples of the what ‘could’ happen and how the controls in place would help protect the enterprise from a similar situation. They aren’t positioned to scare – they are positioned to inform.
As an example, I recently had an opportunity to leverage the breach at P.F. Chang’s restaurants in such a way. P.F. Changs is a fairly popular lunchtime spot not far from our corporate offices. When we first heard whisperings of the breach, we began preparing an awareness bulletin to all of our employees about the issue. While the breach had nothing to do specifically with my company and impacted none of our corporate cards, it was going to impact my employees and I wanted to be sure they had all the information they needed to make decisions about canceling cards or not. Sure enough, when the official announcement from the restaurant chain came out that our local store had been impacted, almost 60 days after the initial announcement, several of my colleagues had already canceled their cards as a matter of course.
It’s this type of approach – one of understanding all of the aspects of what we do, and building relationships of trust and mutual respect – not one of fear-mongering and chicken-littling – that define today’s successful Security Executive. Our job, and indeed our long-term success, is dependent on our ability to gather the facts, understand the impact, and have those key educational discussions with our peers and executives alike.
F.U.D. is dead…. Long Live F.U.D.
Originally posted on SecurityCurrent.com.
Copyright © 2002-2020 John Masserini. All rights reserved.