February 10, 2009 - Volume 4, #14
Good Morning:
The reason we are all here is because throughout the past millions of
years nature has adapted. As organisms, we have adapted as well. The
things that didn't work got culled from the gene pool. Basically nature
admitted it was wrong and adapted and survived.
Wrong. There is such a stigma to that word, but it's one of the most
powerful words in the vocabulary. Because until you admit you are
wrong, you cannot adapt and make yourself better. That's why I'm a big
fan of wrong. The more times I'm wrong, the closer I am to being right.
Which is my constant rationalization for constantly screwing things up.
As I discuss below (and in last week's Compliance is SO a Cost Center
rant), there are times to be right and there are times to stay alive.
Right now, for us security folks, it's about survival and that means we
have to use tactics that may not make us feel great - but are probably
the only chance we have.
Remember, you don't have to adapt. I think it was Deming that said, "It
is not necessary to change. Survival is not mandatory." He was right.
Have a great day.
Selling Fear
Give me a "F." Give me a "U." Give me a "D." What does that spell? That's right, fear, uncertainty and doubt. FUD FUD FUD. I guess I have cheerleading on the brain. My 5-year-old daughter is a cheerleader and she has a competition this weekend. So I'll be hanging out with over 50,000 of my closest cheerleading buds waiting for the 2 minutes she gets to do her routine. That will be the best 2 minutes of the weekend, but the good old fashioned F U D cheer got me thinking about how we security folks can "sell" our projects and agenda.
I spent many years trying to paint security in a positive light. It streamlines your business. It helps you roll out new business processes with trading partners. It allows you to be more mobile. It's all a load of crap. It's really just insurance, and the insurance folks have a much longer history of trying to sell the benefits of their stuff. To make life insurance a "positive" thing.
As anyone who's had to sit through a life insurance pitch knows, they do a pretty good job of convincing you some of the plans are really an "investment." They've had decades to refine their pitch. Yet, I wonder how many new Universal Life policies the insurance folks are selling nowadays.
I don't think so. I know most insurance brokers have morphed into financial advisors and have more in their bag than just life insurance, but play along with me. If there are any stand-alone brokers left, I suspect many will need to go back to selling fear, though I don't know this for a fact and I'm sure all my insurance buddies will tell me what an idiot I am.
That's what I would do (which is maybe why I pimp security management software and not life insurance). Why not remind the customer they could get hit by a bus? Of course, I hope not - but it could happen. So the customer can protect themselves for the least amount of money possible, which is likely a term life policy. Sure the assets are not growing, but most folks are more worried about making sure they have assets.
Can you see the parallel with security? I sure hope so. So my good old FUD cheer can really be reduced to: Give me a "F!" Because uncertainty and doubt don't really come into play right now. It pains me to say it, but security projects need to be driven by fear right now. Maybe it's fear of a compliance "problem." Maybe it's fear of a data breach. Maybe it's fear of some time in Leavenworth. Maybe it's fear of bad press. In today's environment pretty much any kind of fear is going to be your friend. Embrace the fear. Love the fear. It could save your backside.
I know, this is making you sick. It's not why you got into security. You wanted to fight the bad guys. Not be a fear-mongering type. OK Brainiac, let's examine how we'd do it without fear. How about reducing staff through automation? I know a lot about that because that's what I do in my day job. It's not going to work because many staffs are already cut to the bone. I've had many conversations with folks, and reducing staff is not enough to get a project through anymore.
What about reducing risk? That's certainly something that every CEO and CIO is worried about. The words out of their mouths say they are worried about it, but economic turmoil increases an organization's tolerance for risk. It's all about resource allocation, and when the decision comes down to funding a security project (which DOES NOT add value to the organization) or a new product, new facility, or maybe not cutting a bunch of heads, the security project is going to lose.
That's why fear is maybe the only way to go nowadays. Get to know Ponemon's most recent data breach numbers [7]. I can't believe I just said that, but it's all about living to fight another day. He says a breach costs $202 per lost record. I think those numbers could fertilize half of America, but your CEO and CIO don't know that. Use Heartland and TJX and Hannaford Brothers to make your points. Discuss the hundreds of millions it takes to clean up these messes. Talk about recent breaches. Put together a slide with breaches from just the last month and add up the numbers (at $202 per record, of course). Make the number at the bottom of the slide REALLY big. Ask your senior management how they look in orange (jumpsuits).
That's right, get your Chicken Little on. Fear is a tremendous motivator. This is what I mean about adapting to your environment, because in this kind of economy, it may be the only motivator we have. So stop being so proud and do what you have to do. And then go home and take a scalding hot shower, knowing what you did was for the greater good. Which is to ensure you don't get thrown under the bus.