SoCal InfoSec Group
Cybersecurity breach incident response



FUD in security

As a new business owner, I can understand the motivation to use FUD - fear, uncertainty, doubt - as a selling tactic. Especially in the security industry. FUD appeals to the most primitive part of our brain, the amygdala. Unfortunately, this tactic has run its course in the security industry.

Thankfully, there are other methods to sell security. I've found success in helping business owners navigate the security market from the perspective of risk. Sure, a breach could negatively impact a business - from the bad PR to the halt in operations to the class-action lawsuit from investors or clients down the road. These are, no doubt, risks every company faces. But the fact that they are risks doesn't tell the whole story as it relates to your business. To understand how something terrible can happen, and how likely it is, you need to model real-world scenarios that use real-world intelligence - realistic and likely threats plus current vulnerabilities discovered during an assessment. This method is a systematic and effective way to help you understand your exposure. How else would you know how to protect yourself if not through an analysis of your risk?

When someone is trying to sell you their product, and you don't even understand what it does or how it helps you, how do you decide whether to buy it? Do I have something else that does this same thing? I don't know; in fact, I don't even know everything on my network (uncertainty and doubt right there). If you are in a state of fear or uncertainty, or have doubt about your protection, of course you will buy it... as long as it has artificial-intelligence fed by machine learning which creates big-data that can be analyzed by the other artificial-intelligence to apply behavioral-analytics and anomaly-detection to hunt for the advanced persistent threat in your converged cloud environment. I'm not sure I could fit any more buzzwords in that sentence. You see, security vendors want to help. They were started by smart, driven people who are on a mission to help secure the world. The problem, IMHO, is that they are solving technical problems with technical solutions without looking at the big picture. How does your new gadget help me earn or save money? How does it lower or eliminate my risk? If you can't have a conversation like that, what's the point in talking about security to a business owner?

Dana Margulies