
Updated August 21, 2005

FUD stands for ‘fear, uncertainty and doubt’. It is relevant in any discussion of IT security as this is largely how the IT security vendors will try to sell you their high tech widgets.

The pitch hasn’t quite evolved to this stage yet, but it is similar to those used by insurance salesmen to try to sell you yet another life policy.

It goes like this.

"Buy peace of mind", "Be around for your grandkids", "Frolic in St Moritz while the rest of your (loser) neighbours can’t pay for the upkeep of their trailer", etc.

It all comes down to your view of the world as to which pitch takes your fancy.

Are you a glass-half-full kind of gal, or a doom and gloom merchant? Are you a risk taker or risk averse? In for a penny, in for a pound, or ‘let’s cover every base’?

Do you focus on risk or relish opportunities?

The problem is that the vendors can’t quite decide what to run with.

Should they present scenarios so horrible, calculated to induce feelings of such intense fear, that customers will run, not walk, to vendor booths to write voluminous, preferably recurring cheques?

This has been the norm for umpteen years and has generally worked a treat.

The elusive business case for IT security

Or should they wax lyrical about ‘the business case for IT security’, and how to get one up on the Joneses (Inc.) by being smarter, hipper, and worldly wise?

The problem with the latter approach is that it is a lot harder to articulate.

It is warm and fuzzy. It has a kind of huggable quality. Consequently, to a lot of hard-nosed CEOs and senior managers, it seems like a load of old fluff that can be dispensed with.

It simply doesn’t resonate the way ‘if you don’t buy this, aliens will take your first born, and you will all die’ does.

So it’s like a habit you can’t shake. You are used to singing the same song and it has worked well for you, so why give it up? Especially to come up with a more complicated story you might not be able to carry off.

But concerns abound that users are tired of the same old doom-laden refrain and unending dire predictions that have yet to materialize, and that they won’t keep buying unless more sophisticated messaging is used.

As a result, there is great headfry about in attempting to articulate the elusive ‘business case for security’.

Is it enough for them to say, ‘if you don’t stop stepping in front of cars, you will soon be dead’? Or should they say, ‘think of all the chances to make money (or save it, as the case may be) you will miss if you are dead’?

Or what about, ‘think of all the market share your competitors will grab when you are dead’?

It’s subtle stuff, but watch out for it.

My own view is that there is indeed a fully fledged business case for security, but the various attempts to define it are currently so tortuous that the vendors inevitably fall back on the old reliable – fudding, and fudding some more.

FUD News

Martin Laing, CIO of Societe Generale in Australia and 'a 24-year IT veteran', told delegates at a recent forum that CIOs should "employ the tactics of the sales force of our suppliers" to 'drive home the threat failures in day-to-day processes present to organisations'.

In other words, he embraces the use of FUD to persuade management to spend the 3.5 percent of the IT budget on security alone that Gartner suggests is appropriate for the financial services sector - excluding disaster recovery and business continuity planning.

Laing was also concerned that management be responsible for disaster recovery and business continuity processes generally, and that such critical functions not simply be left to the IT department.

These sentiments are of course laudable, but simply fudding away at management may not have the desired effect - many managers remain sceptical that the sky is really about to fall, and a new approach may be needed.

FUD lives on.

Research shows that fudding remains the strategy of choice for IT administrators trying to get management support for IT security initiatives. It is sad to see that the penny still has not dropped, but whatever works…