It’s common for the C-suite to look at cybersecurity efforts, and, more broadly, the security field itself, with fear, uncertainty, and doubt (FUD). It isn’t surprising, considering that every time we turn on the TV or read a headline, there is news of another massive data breach, regulatory fine, or consumer concern related to cybersecurity. While we in the cyber field may get frustrated with our peers’ constant state of fear when discussing cyber activities and projects, we also haven’t done ourselves any favors. Scare tactics can be persuasive, and so in some cases we may even find ourselves contributing to FUD.
If you’ve been in the technology field for some time, you’ve inevitably seen security leaders advocate for their respective projects, initiatives, and funding using these FUD tactics — crying wolf about the next ransomware incident or customer data leak. We also see FUD tactics utilized by security vendors, particularly after high-profile data breaches, swooping into target tech leaders, claiming their product and offering would have prevented “insert latest data breach.”
FUD Tactics Damage
These FUD tactics often do more harm than good. They can spur reactionary investments in random technology or tools that don’t fit into the broader organizational cybersecurity portfolio. Those then become bespoke tools that the team now needs to manage in isolation as well as try to integrate with. These bespoke tools address a random threat that the organization hasn’t even threat-modeled itself against to see if it is pertinent.
Even worse is when the C-suite becomes immune to the FUD tactics. They stop listening, being concerned with, and being informed by the CISO and the cybersecurity team. They fall into a sense of viewing cyber as Chicken Little, and, eventually, the specific risk being raised may be pertinent but fall on deaf ears.
A Better Way
There is a much better way to communicate with the C-suite when it comes to security projects and initiatives. It is communication that revolves around using real, actual data based on methodologies such as risk assessments and threat modeling. Present this data in business terms that the C-suite can understand; for example, revenue loss from a breach on the prevention side, or customer experience enhancements with a data access control framework on the business enabler side, to show the impact and metrics they would be concerned with.
Another challenge due to the FUD tactics is the security team getting viewed as the “office of no.” Our technology and business peers think any new project or effort brought to our attention will be met with a great no — “that’s insecure,” “that isn’t compliant,” and “we can’t do that.” This leads to security being sidestepped and avoided at all costs.
A better way forward with the C-suite involves security being aware when it’s settling back into FUD tactics. When this happens, it’s time to work on shifting the paradigm again: Instead of having a stereotypical fit about why something can’t be done and why it’s wrong, security professionals must start offering solutions rather than problems, which is a better way to get a business to “yes.” This isn’t to say security professionals shouldn’t communicate real risks, metrics, and data, but they should be accompanied by actionable solutions and ways forward.
This paradigm shift leads to security being viewed as an enabler and a partner in leading to secure business capabilities and outcomes, rather than as an impediment. Making this shift will help the C-suite be more welcoming of security. This shift builds rapport and trust, as well as creates situations where security is brought in early on projects and initiatives rather than begrudgingly engaged at a project’s end as a check-the-box or necessary evil. This shift makes us genuine partners, not a parasite feeding on FUD.
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: