Ok-- for those who have yet to be exposed to the term, FUD is not one of those words that your mom would scold you for saying on Sunday morning; rather, FUD is an acronym for Fear, Uncertainty, and Doubt. Three words which, to date, seem to define the post-Y2K and post-September 11 world.
Think about it for a minute. A great percentage of our advertising, television shows, and news broadcasts are all about making you and me feel uncomfortable (cue: Don Henley’s “Dirty Laundry”). When advertising gimmicks cause bomb scares, we are living in a world defined by FUD.
Bringing it closer to home, I think that we (as security professionals) should honestly ask ourselves if we are guilty of contributing to the problem. Have you been guilty of using scare tactics when requesting funding? If so, raise your hand… I’m actually betting that if every security professional guilty of such tactics raised their hand at one time, global warming would reach an all-time high and the resulting glacial melting would result in the death of thousands of polar bears who, frankly, don’t give a rip about security.
FUD is all about psychology and control. Over time, the use of such tactics will serve to denigrate the security profession. Because of this, one of the major focuses of my column will be to call this stuff out. Security vendors who use the FUD of the day (or try to create their own) need to be called out. For example, if I see one more “PCI compliance” product, I’m going to puke (but, just to be trendy, I may call it puke 2.0). Reasonable companies know that they have a lot of work in front of them with respect to PCI – but no single product will do it for them. More than anything, it is good old-fashioned security best practices like defense-in-depth and due diligence which should always be in demand. Bypass the current FUD and go for the classics.
So, through this forum, I sincerely hope that I’m able to help clean the FUD off of your windshield. And since you’ll be able to see the road clearly, I’ll let you steer some of the discussion. If there is something that you’d like me to write about, let me know. If you think that I’m way off on something, call me out on it. It’s all about discussion and debate.
Let’s get this thing started…
-- Perry

Yes, I am very familiar with FUD, but have used it very sparingly due to the risk of losing credibility. Much of what I tell/warn my users about either already has happened to us, happened to a like-kind organization, or happened to us shortly after warning them.
It's no longer about telling war stories of impending doom to get someone to do something...or fund something. Things are more business-oriented now. Have we performed enough due diligence to adequately protect a given asset? What's the value of the asset? How much are we spending for securing this asset? Is it too much or too little? It's no longer the "security guy's" gut feeling as to whether we're doing the right thing.
Finding the right "balance" can be very tricky. However, most of these answers can come from your users (information owners). How critical is the data? How does the data impact your business if confidentiality, integrity, or availability were to fail? (Get dollar figures if you can.) Breaking down by CIA (confidentiality, integrity, and availability) will help users understand the business impact of security while helping you identify the solutions to fortify the security of your data. For example, a "high" ranking in confidentiality could mean that encryption should be required for assets with such a ranking. Once you receive the feedback from your users, create a matrix that maps protection measures to various levels of criticality based on CIA. (Get dollar figures for each security measure to ensure that what's being spent for security does not outweigh the value of your data.) Once the matrix has been created, have upper management approve it so it has "bite".
These suggestions are more conceptual than specific. However, these suggestions can put you well on your way to "managing risk", rather than "managing FUD".
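The CIA-criticality matrix the comment above describes, worked through as an added example (this is not code from the column or from the commenter). The criticality levels, control names, annual costs and dollar-impact figures are all constructed placeholders; in practice the information owners supply the rankings and impact figures, and the matrix itself is what upper management signs off on.

```python
"""Risk-based control selection from a CIA criticality matrix (added example).

Flow, as the comment describes it:
  1. the information owner ranks an asset's confidentiality, integrity and
     availability (low / medium / high) and estimates the dollar impact of
     each failing;
  2. an approved matrix maps each dimension and level to required controls,
     each with a dollar cost;
  3. the selected controls are costed and compared against the asset's value
     so that security spend does not outweigh what it protects.
All figures below are constructed for illustration.
"""
from dataclasses import dataclass, field

LEVELS = ("low", "medium", "high")
DIMENSIONS = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: int  # constructed dollar figure


# Constructed matrix: required measures per CIA dimension and criticality
# level. Higher levels include everything the lower levels require, and a
# "high" confidentiality ranking requires encryption, as in the comment.
CONTROL_MATRIX = {
    "confidentiality": {
        "low":    [Control("access control list", 500)],
        "medium": [Control("access control list", 500), Control("access logging", 1500)],
        "high":   [Control("access control list", 500), Control("access logging", 1500),
                   Control("encryption at rest", 8000)],
    },
    "integrity": {
        "low":    [Control("change control", 1000)],
        "medium": [Control("change control", 1000), Control("file integrity monitoring", 4000)],
        "high":   [Control("change control", 1000), Control("file integrity monitoring", 4000),
                   Control("signed audit trail", 6000)],
    },
    "availability": {
        "low":    [Control("nightly backup", 1200)],
        "medium": [Control("nightly backup", 1200), Control("tested restore", 2500)],
        "high":   [Control("nightly backup", 1200), Control("tested restore", 2500),
                   Control("hot standby", 15000)],
    },
}


@dataclass
class Asset:
    name: str
    criticality: dict  # owner-supplied, e.g. {"confidentiality": "high", ...}
    impact: dict       # owner-supplied annual dollar loss if a dimension fails


@dataclass
class Plan:
    asset: str
    controls: list = field(default_factory=list)  # deduplicated, in matrix order
    annual_cost: int = 0
    annual_impact: int = 0
    over_spend: bool = False  # True when controls cost more than the data is worth


def plan_controls(asset: Asset) -> Plan:
    """Select controls from the matrix and check their cost against asset value."""
    selected = {}  # name -> Control; a control shared by two dimensions is paid for once
    for dim in DIMENSIONS:
        level = asset.criticality.get(dim)
        if level not in LEVELS:
            raise ValueError(f"{asset.name}: {dim} needs a ranking in {LEVELS}, got {level!r}")
        for control in CONTROL_MATRIX[dim][level]:
            selected.setdefault(control.name, control)
    plan = Plan(asset=asset.name, controls=list(selected.values()))
    plan.annual_cost = sum(c.annual_cost for c in plan.controls)
    plan.annual_impact = sum(asset.impact.get(dim, 0) for dim in DIMENSIONS)
    plan.over_spend = plan.annual_cost > plan.annual_impact
    return plan


def describe(plan: Plan) -> str:
    """One-line summary suitable for a funding discussion."""
    verdict = "spend exceeds value; revisit the matrix" if plan.over_spend else "spend within value"
    return (f"{plan.asset}: {len(plan.controls)} controls, "
            f"${plan.annual_cost:,}/yr against ${plan.annual_impact:,}/yr impact; {verdict}")


if __name__ == "__main__":
    # Constructed assets: one where the matrix is proportionate, one where it is not.
    payroll = Asset("payroll database",
                    {"confidentiality": "high", "integrity": "medium", "availability": "low"},
                    {"confidentiality": 50000, "integrity": 20000, "availability": 5000})
    lobby = Asset("lobby display feed",
                  {"confidentiality": "low", "integrity": "low", "availability": "high"},
                  {"confidentiality": 1000, "integrity": 1000, "availability": 2000})
    for a in (payroll, lobby):
        print(describe(plan_controls(a)))
```

The second constructed asset is the case the comment warns about: an owner who ranks availability "high" for a low-value feed drives a hot-standby cost far above the data's worth, and the over-spend flag is what sends that ranking back to the owner rather than into a funding request.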