Selling Fear

Submitted by Mike Rothman on Tue, 2009-02-10 12:23.
Today's Daily Incite

February 10, 2009 - Volume 4, #14

Good Morning:
The reason we are all here is because throughout the past millions of years nature has adapted. As organisms, we have adapted as well. The things that didn't work got culled from the gene pool. Basically nature admitted it was wrong and adapted and survived.

Wrong. There is such a stigma to that word, but it's one of the most powerful words in the vocabulary. Because until you admit you are wrong, you cannot adapt and make yourself better. That's why I'm a big fan of wrong. The more times I'm wrong, the closer I am to being right.

Which is my constant rationalization for constantly screwing things up. As I discuss below (and in last week's Compliance is SO a Cost Center rant), there are times to be right and there are times to stay alive. Right now, for us security folks, it's about survival and that means we have to use tactics that may not make us feel great - but are probably the only chance we have.

Remember, you don't have to adapt. I think it was Deming that said, "It is not necessary to change. Survival is not mandatory." He was right.

Have a great day.


Selling Fear

Give me a "F." Give me a "U." Give me a "D." What does that spell? That's right, fear, uncertainty and doubt. FUD FUD FUD.

I guess I have cheerleading on the brain. My 5 year old daughter is a cheerleader and she has a competition this weekend. So I'll be hanging out with over 50,000 of my closest cheerleading buds waiting for the 2 minutes she gets to do her routine. That will be the best 2 minutes of the weekend, but the good old fashioned F U D cheer got me thinking about how we security folks can "sell" our projects and agenda.

I spent many years trying to paint security in a positive light. It streamlines your business. It helps you roll out new business processes with trading partners. It allows you to be more mobile. It's all a load of crap. It's really just insurance, and the insurance folks have a much longer history of trying to sell the benefits of their stuff. To make life insurance a "positive" thing.


(Photo caption: This is your new security sales guy...)

As anyone who's had to sit through a life insurance pitch knows, they do a pretty good job of convincing you some of the plans are really an "investment." They've had decades to refine their pitch. Yet, I wonder how many new Universal Life policies the insurance folks are selling nowadays.

I suspect it's not many because when everyone is tightening their belt, one of the last things on the list is an "investment" in some insurance policy that will grow over time. So has the life insurance business gone away?

I don't think so. I know most insurance brokers have morphed into financial advisors and have more in their bag than just life insurance, but play along with me. If there are any stand-alone brokers left, I suspect many will need to go back to selling fear, though I don't know this for a fact and I'm sure all my insurance buddies will tell me what an idiot I am. 

That's what I would do (which is maybe why I pimp security management software and not life insurance). Why not remind the customer they could get hit by a bus? Of course, I hope not - but it could happen. So the customer can protect themselves for the least amount of money possible, which is likely a term life policy. Sure the assets are not growing, but most folks are more worried about making sure they have assets. 

Can you see the parallel with security? I sure hope so. So my good old FUD cheer can really be reduced to: Give me a "F!" Because uncertainty and doubt don't really come into play right now. It pains me to say it, but security projects need to be driven by fear right now. Maybe it's fear of a compliance "problem." Maybe it's fear of a data breach. Maybe it's fear of some time in Leavenworth. Maybe it's fear of bad press. In today's environment pretty much any kind of fear is going to be your friend. Embrace the fear. Love the fear. It could save your backside.

I know, this is making you sick. It's not why you got into security. You wanted to fight the bad guys. Not be a fear-mongering type. OK Brainiac, let's examine how we'd do it without fear. How about reducing staff through automation. I know a lot about that because that's what I do in my day job. It's not going to work because many staffs are already cut to the bone. I've had many conversations with folks and reducing staff is not enough to get a project through anymore. 

What about reducing risk? That's certainly something that every CEO and CIO is worried about. The words out of their mouths say they are worried about it, but economic turmoil increases an organization's tolerance for risk. It's all about resource allocation and when the decision comes down to funding a security project (which DOES NOT add value to the organization) or a new product, new facility, or maybe not cutting a bunch of heads, the security project is going to lose.

(Photo caption: Hello Mr. CEO...)

That's why fear is maybe the only way to go nowadays. Get to know Ponemon's most recent data breach numbers. I can't believe I just said that, but it's all about living to fight another day. He says a breach costs $202 per lost record. I think those numbers could fertilize half of America, but your CEO and CIO don't know that. Use Heartland and TJX and Hannaford Brothers to make your points. Discuss the hundreds of millions it will take to clean up these messes. Talk about recent breaches. Put together a slide with breaches from just the last month and add up the numbers (at $202 per record, of course). Make the number at the bottom of the slide REALLY big. Ask your senior management how they look in orange (jumpsuits).

That's right, get your Chicken Little on. Fear is a tremendous motivator. This is what I mean about adapting to your environment because in this kind of economy, it may be the only motivator we have. So stop being so proud and do what you have to do. And then go home and take a scalding hot shower, knowing what you did was for the greater good. Which is to ensure you don't get thrown under the bus.

Photo credits: "three" originally uploaded by Hil; “The Grim Reaper” originally uploaded by helico 


Submitted by Alan Shimel (not verified) on Tue, 2009-02-10 14:12.

Mike - 3 months and you're a FUD whore already? Yes FUD does have a place in the security salesperson's bag. It is not a profit center for sure. But FUD alone does not talk about what is special about your company and solution. At the end of the day the life insurance sales person doesn't only sell you life insurance, he sells you life insurance from his company. I will write more about this because we haven't traded any blog love in a long time anyway ;-)

Submitted by Mike Rothman on Tue, 2009-02-10 14:19.

To be clear, this is my advice to END USERS. This isn't about how we are positioning the product for my day job at eIQ. I think that in order for end users to have any semblance of success in getting their projects funded, they are going to have to use the FUD card. It's not pretty, but over time it's been shown to work.

I write vendor type stuff on the eIQ blog, not here. Security Incite represents my personal opinion and advice to security professionals, not vendors. But since it's always about you Alan, it's not hard to see how you could have gotten confused. 

Submitted by Alan Shimel (not verified) on Tue, 2009-02-10 14:27.

Mike excuse me for being all about me. From the amount of links I have seen from the incite blog to articles on the eIQ blog, I assumed you were just using one to pimp the other ;-). But it is never all about you, so you wouldn't do that would ya!

Submitted by Andrew Storms (not verified) on Wed, 2009-02-11 23:15.

Forget selling fear Mike, what about buying and building quality?

http://framesandbits.typepad.com/frames_and_bits/2009/02/dont-sell-fear-buy-quality.html

Submitted by Mike Rothman on Fri, 2009-02-13 11:55.

Storms, nice post. Great to still be an idealist out there. Unfortunately that assumes we have any say in what gets funded. That's clearly not the case, so security folks need to figure out how to get projects approved and over the finish line and idealistic ideas like finding pride in their work don't get it done. I wish it did, but it doesn't... That's one man's opinion anyway.

Submitted by Lenny Zeltser (not verified) on Sat, 2009-02-14 10:12.

Very well put, and I agree that fear is a powerful method for gaining the audience's attention. I am glad you pointed out the need to substantiate one's arguments with specific examples of breaches and their repercussions. Without them, the listeners will stop paying attention at some point. I wrote a brief note about fear backfiring here: http://isc.sans.org/diary.html?storyid=4942

Submitted by Mike Rothman on Sun, 2009-02-15 11:00.

Lenny, great point in that like most everything else in life - moderation is key. My point here is not to unwind everything that many folks have worked years to build, namely credibility. If you are one of the fortunate minority who has credibility within the organization, do what works. Of course, until it doesn't work. My point with the piece is to point out that things are different now and although fear was not as successful in the past, it may be one of the only options now. Of course, fear only goes so far, so there needs to be some substance behind the curtain. But in this kind of environment, not being able to paint a clear picture of downside risk and impact will result in a stillborn project.
