It’s always interesting to see newcomers find their own position on cybersecurity drivers, many of which we generally categorize as “fear, uncertainty, and doubt.” More commonly known as FUD, this emotionally charged strategy is commonly used by marketing and sales teams, polling groups, and public relations offices in nearly all industries. They’re trying to influence consumer perception of a product or priority by appealing to basic fear.
Personally speaking, when I see cybersecurity professionals who rely on FUD, I know it’s an indication of one of two issues. One, it’s someone new and fairly unversed in the industry, or two, it’s someone who really needs to work on improving their social persuasion and justification for the importance of cybersecurity.
If you’re in the first category, you’re a new player in the cybersecurity game – welcome! The cybersecurity industry needs you. As you’ll soon learn, FUD-based tactics are sadly commonplace, even cliched, in our industry. Some of these topics, like ransomware or advanced persistent threats, have been around for years, but some cybersecurity professionals keep noting such well-established vectors as new or newly worrisome. It’s like crossing a busy street on foot. Is it new? No. Is it something to be worried about? Yes, but most of us over age 10 know crossing the street can be dangerous and have already learned to look both ways first. We don’t make a big deal out of it, and those who do are sure to get weird looks from their soon-to-be-short-term friends. The rest of us are aware that the threat may exist, but it’s easily managed.
The same rings true for the world of cybersecurity. Once we’ve found a way to manage a known threat, there’s no need to fear it on a continuing basis. I’d encourage you, as a new member of our industry, to keep digging and improve your knowledge and experience with threats. We’ve all been where you are, at “the starting spot.” We all know that to level up your cybersecurity knowledge and chops, it takes practice, consistency, and work.
For those in the second category who have been around awhile and still highlight cybersecurity FUD, you’ve probably realized it has a diminishing effect. People start tuning you out when you repeatedly use FUD tactics because business is competitive, dollars are often scarce, and scaring people with cybersecurity FUD may work once or twice but will quickly become as effective as selling directions for crossing the street. This is true in all parts of business – IT, finance, human resources, technical support, sales, and the list goes on. If you can’t make solid business justifications based in facts, you’ll never get your agenda accepted by the organization you support.
You simply can’t rely on FUD tactics to be a long-term solution for convincing your clients that you deserve their trust. I’ve long held the position that effective cybersecurity leadership requires political savvy, and that need only increases as you advance in seniority. This is important: you can have the best idea in the world, but it won’t matter if you can’t persuade others to support it. If you don’t develop the capability to dive in and offer innovative solutions without using FUD, it will lead to feelings of frustration, resentment, and burnout in your career, in the company you work for, and in our industry.
While I never allowed myself to peddle cybersecurity FUD, I did learn that I needed solid arguments if I expected anyone else to trust my recommendations for their organization.
To rise above using simple tactics like FUD takes hard work, and I’m personally thankful for the tough love I received as I found my own place in our industry. In time, as you move from the “top technical cybersecurity resource” to a “businessperson with top-notch cybersecurity expertise” you’ll build the social toolkit for a role in cybersecurity, and your job will get markedly easier.
The result of this no-FUD approach? Expectations are clear, your job has a well-understood purpose, and your organization is apprised of its cybersecurity posture. There will be no surprises, making budgeting and all other planning easier. As you work towards this success, watch for opportunities to re-educate and for communications that need to improve. The key is not falling back on simple FUD tactics to get there.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.