In Depth
The FUD Factor
Fear, uncertainty and doubt (FUD) may help scare your company into short-term compliance, but CSOs say that's a shortsighted strategy.
By Daintry Duffy
April 01, 2003 — CSO — To one degree or another, we all live with FUD—the cacophony of fears, uncertainties and doubts that plague daily life. Will my 401(k) account ever rebound? Did I leave the coffeepot on this morning? Am I really going to get a brain tumor from my cell phone?
But while we're all allowed to be neurotic worrywarts in our private lives, it's seldom a quality that's admired in business. So why do so many security executives still rely on gloom and doom tactics to sell management on security investments?
Well, for one thing, it's easy—there's a wealth of scare stories to choose from. Most organizations still view security as a cost center, and it's much simpler to make a dramatic "invest or else" argument than it is to connect security expenditures to the company's bottom line with analysis and research. The term FUD was originally coined in the 1970s in reference to IBM's marketing technique of spreading scary rumors about a competitor's new product to dissuade customers from taking a "risk" by buying it. FUD relies on emotion, not reason, to make a sale (or prevent one). "If you're having a [security] discussion where you're talking about what happened to the other guy and not looking at it in terms of what it [realistically] means to your company, and it's all about them and not about you
Security executives and management experts agree that FUD is a short-term fix that destroys the security team's credibility in the long term. Having witnessed FUD's shortcomings firsthand, CSOs are developing more practical and realistic techniques for making the case for security.
Conjuring up the frightening specter of stolen customer information, a media maelstrom and a plummeting stock price may create a dramatic impact, but when CSOs call a crisis every time they need funding, they'll find that management catches on quickly. "That [approach] may work once or twice in a true crisis situation where the bad guys have come over the back fence," says Jim Mecsics, vice president of corporate security for Equifax. "But when you approach corporate officers with the tactics of fear, you're walking into a trap. Somebody will eventually say, 'OK, show me where the real [emergency] is,' and then your credibility is shot." FUD is a particularly common tactic in the lower ranks of a security organization—among those who haven't learned how to make a data-driven risk management argument. A CSO who doesn't stamp out FUD in his team creates as much of a problem as the CSO who uses it in personal conversations with senior executives.



