Last Week As A vCISO
Security Through F.U.D (Fear, Uncertainty, and Doubt)
Security through F.U.D is not my style and is not a style I encourage with my employees, nor how I like to sell security. In this post, I will try to:
Point out how to detect these tactics
Explain why they are not the best way to “sell” security
Describe what a more modern approach towards security looks like
Fear, Uncertainty, and Doubt explained
Edward Bernays, the architect of modern marketing, propaganda, and the field of public relations, drew on the psychoanalytic theories of his uncle, Sigmund Freud, among other notables, to tap into the motivations of humans. To summarize, he transformed marketing messaging from that of utility and benefit to that of power and fear of missing out. For a more extensive account of his legacy, which we still live with today, check out the documentary The Century Of The Self.
Back to security… whether it’s a security engineer, CISO, or salesperson trying to sell you the next best thing, ask yourself: is the predicate of the sentence an emotion-evoking statement?
Now let’s be honest, fear, uncertainty, and doubt are real things in business. If you are the CEO of a company, you want assurance that there isn’t a massive hole in your application leaking customer information. That’s basically Fear of The Unknown. A security professional’s job is to demystify and add clarity to the unknown using data.
Just like stereotypes, security FUD statements are very generalized, sometimes absolute, and always evoke a negative emotion:
If you don’t have a security team, you’re likely to get breached
Without EDR, you’ll become a victim of ransomware
Not having a WAF is a big risk to your business
Why FUD is bad
Ok, so now you know how to detect a FUD statement. Why are they so bad? Isn’t security important, and won’t having it make me feel better at night?
Yes and no.
Although we want you to have good security, we are also not in the drug business. Drugs will attack a symptom and make you “feel” better, but they may not always get to the root of a problem.
TL;DR: FUD is bad because it’s not based on data and context.
Yes, we want you to be more secure, but we also want you to make a good decision based on data and context. Additionally, there are a LOT of security issues that need to be addressed, so which one is the most important?
Don’t get me wrong, in security sometimes we have to stand our ground and prove a case. We may inject a little fear, but it will (or had better) be based on real data: past incidents at the organization, industry trends, etc. In essence it's a threat modeling exercise, and the output is “risk”. That risk is then communicated, and if the business wants to own that risk, sure… but now they are responsible for it.
A more modern and data driven approach to security
So now you know how to identify FUD, and why it’s not the best primary tactic. So what is?
Just like your business, data is king.
Security risks must be backed by data and context.
Let’s take the statement:
“Without EDR, you’ll become a victim of ransomware”
This statement is quite loaded! 🙄 It assumes so much and speaks in absolutes.
A better statement would be to explain the BENEFIT of the security item, instead of relying on fear of it not being there.
Here is a better statement:
“Since everyone has Admin on their machines combined with the fact that they are not managed, nor have any anti-malware mechanism, they are more susceptible to a ransomware attack. Considering you don’t use cloud storage and backup mechanisms, a ransomware attack would have a larger impact on your systems.”
So here, we explain the vulnerabilities, context, and risk factors already present, and the impact of a successful attack. Now of course, EDR or anti-malware is just ONE way to solve this; there are other ways to reduce the impact of a ransomware attack.
Here’s another example:
Your company has a history of malware on their machines. Although none of them were ransomware, the likelihood of one being ransomware is much higher for your organization.
In this instance, we didn’t even talk about EDR. There is a precedent (data), and that factors into the risk statement.
Security through FUD conclusion
Yes, security is important. We as security professionals want you to take the right steps to secure your environment. However, beware of those using primarily FUD tactics (internally or externally) to drive security.
You are a rational person, and should be spoken to rationally.
You’re not a four-year-old to whom I have to say I’m going to call your teacher if you don’t do X, Y, or Z (yes, sorry, I do have to use this tactic sometimes with my kid 😂)