Had a short but interesting Twitter exchange with @securityincite, @Gillis57 and @essobi (Mike Rothman, Gillis Jones and not sure (sorry!!) respectively) about using Fear, Uncertainty and Doubt when talking IT security services. @Gillis57 initially asked, ‘Question: We discuss FUD constantly (and I agree that it's too prominent) But isn't security inherently built upon fear?’ I sent an ‘09 Rothman article (@securityincite said it was ‘old school’ but still has some great comments) about that very topic. Soon, @essobi chimed in with, ‘Our foundation shouldn't be fear, it should be education. 😄,’ @Gillis57 responded, ‘So, look. I agree wholeheartedly, but why do people need to be educated?’ @essobi answered, ‘imo? Bad programming/exploitable logic processes. we need to raise the bar or lower expectations.’ @Gillis57 added, ‘I really don't think we need to keep selling fear, but denying that we are a fear based industry isn't helping.’ @securityincite wizdom’d with, ‘Fear is a tactic like anything else. Depends in situation, context, catalyst. And use sparingly.’ And I conceded that, ‘splitting hairs but I try to talk about risk rather than fear - what's the risk if...which often generates fear.’
Most of the time when we talk about security there is a fear factor because we are talking about risk. Risk is the potential for something bad happening, and typically those things scare us or make us uncomfortable. Often when vendors talk about things like protection, benefits, etc., it’s measured in terms of numbers, stats, performance…metrics.
Security is also about Peace of Mind; a feeling that you have. Those military people who can get some good sleep even with bullets flying over their heads have peace of mind. Even in a very high risk, dangerous, vulnerable and insecure environment, they feel secure.
I saw an article about the difference between selling insurance and the lottery – Fear vs. Dreams. Maybe we should discuss IT Security in terms of how it has made an IT guy’s life better? I think it would be cool if ‘security’ case studies included a side bar or something with a quote that brags, ‘Now that we have this solution installed, I’m able to attend my daughter’s piano recitals.’ ‘I’m able to get a good night’s sleep knowing that our web site is ok/won’t get paged at 3AM/won’t have to work for 16hrs.’ Adding to the quality of life over and above the usual ROI/TCO/performance/$$.
How it may have enhanced life.
How it gave peace of mind.
How it reduced stress.
How it allowed someone to be home for dinner.
How it allowed someone to enjoy the weekend, do that Science Fair thing with the kid, take a longer vacation…
It might be cool for the industry (and the general public) to read how another’s life improved when security is deployed, alongside all the breaches and headaches. Ultimately, that’s what we are all chasing as humans anyway – that harmony, balance, peace of mind, quality of life, family, love…the cores of our being rather than what we do for a job – even though our work does have a lot to do with quality of life. I also think that education is part of our duty. Not in the ‘Knights of the Roundtable’ sense of duty, but if someone needs our security expertise and is willing to learn, sharing (and ultimately, awareness) is important to ensure a more informed public. That is simply being a good internet citizen. And yes, fear does have its place, especially when someone is not getting it or is ignoring that others are at risk.
We frequently talk in terms of rational thinking ($$/performance) when security is quite often about an emotional feeling. That’s why some often use FUD to sell security: Fear: emotional; Uncertainty: more emotional than rational; Doubt: gut feeling with little data. But instead of tapping those negative emotions, we should shoot for the Feel Good emotions that provide safety and security. The Dream.