Garry Kolb, business information security manager for a large financial services organization, talks to Sean Martin, editor-in-chief for ITSPmagazine. During their conversation, the two talk about raising awareness and getting the attention of the business with respect to information security in the context of the business.
FUD (fear, uncertainty, and doubt) used to be a successful way to raise awareness and get the attention of the business for cybersecurity need. However, there’s no longer any uncertainty—it’s pretty obvious that we’re constantly under attack. And, unless the business erroneously doubts they are a target, this leaves us with the fear element which can get very old and create a situation of “crying wolf.”
This model will only take us so far as an industry. Security needs to become part of the DNA for the business. We need to look at how we enable the business to operate securely. We need to focus less on the threatscape and focus more on the business, to make it easy for the business to operate securely.
For example, when the engineering team wants to use a chat program—one that makes them work smarter while slacking off less—what does that procurement process look like?
- Does the engineering team get to use the application without any involvement from procurement?
- If procurement is involved, is a blind eye turned to security so that the dev team can use this tool that they simply “cannot live without”?
- Does the procurement process move forward full steam ahead only to get blocked when security gets their eyes on it?
- Or, is there a way to approach this situation as an opportunity where everyone wins?
A large part of what Garry does in his role is assess new applications being requested and/or introduced into the environment to make sure they meet the security requirements defined by the organization. His goal is to mitigate the risks associated with 'Shadow IT' and find a way to embrace new technology, securely.
For the chat application, as one example, Garry looks at how it's secured and how people access it. Garry approaches the program with the goal of becoming part of the procurement team: part of the RFI/RFP (request for information/price) process.
More specifically, Garry has implemented an application security assessment process in which the appropriate security requirements are inserted directly into the procurement process. Now, Garry’s team gets a view into the security posture of the vendor and their product/service before they even hit the door.
The risk associated with turning a blind eye is mitigated.
The risk of Shadow IT is mitigated by partnering with the engineering team.
Everyone wins—even the chat app vendor—as the engineering team can use the app they want and the security team knows they are doing so with the information security program requirements built in.