Archive for September, 2008

We are pleased to announce that there will soon be a new look for the Ascension Risk Management Website.  We engaged the services of a graphic artist to come up with a logo.  This artist also came up with a very nice, simple and straightforward website design for us.   We are going through the final design and content reviews now and hope to have the site up and online within the next two weeks.  (Our blog design will stay the same.)  In the meantime I thought that I’d share with you the new logo. 



Fear, Uncertainty, and Doubt has been the staple of security vendors’ sales pitches since our industry began.  To most of us, including me, this is a definite turn-off.  Any vendor who leads off with a FUD sales pitch typically either gets shown the door or is told to stick to answering my technical questions.  Personally, it has been my opinion that if you have to resort to FUD then you really don’t have anything that I want to buy. 

That said, imagine my surprise when I was meeting with a potential client and he kept asking me questions about whether an attacker could do this and whether an attacker could do that.  Let’s call him “Jim.”  Jim is concerned with protecting his company’s information but appeared to be stuck with a ’90s notion of information security.  He knew to be wary of email attachments but was floored when I told him about phishing.  He was still operating on the premise that it is alright to open an email and attachments from someone that you know or trust (like his bank).  I was taken aback somewhat as I found myself answering his questions.  Every attempt I made to steer the topic around to the benefits of being proactively secure, as opposed to reacting to FUD, was unsuccessful. 

I was faced with a big decision here – do I give in to the dark side and embrace FUD as the way to “sell” this client or do I take the high road? 

What did I do?  Well, I think I took the middle road – I switched the topic from worst case to acceptable risk.  Jim doesn’t work in a regulated industry, so talking about regulatory compliance wasn’t a tactic I could use.  I could have switched to governance, but this is a small business, so the formalized processes so often found in governance models would have been drastic overkill here. 

“Acceptable Level of Risk” is applicable in just about all situations.  In this case I believe that it was the best tactic, especially since the meeting I was having with him was supposed to be about how he could help me out rather than what I could do to help him out.   Jim was very concerned with protecting the privacy of his clients’ information.  I was able to turn the conversation around to something akin to “Yes, all of these things could happen, but what is really important is to determine the level of risk you’re comfortable with so that we can determine what controls are appropriate for your environment.” 

Now I know some of you out there are wondering what rock this guy has been living under for the last ten years, but I’m not so sure that he is all that uncommon.  We live with the concepts of risk and information security on a daily basis, but many other people don’t, and they don’t pay it much attention until they are confronted with it.  Until my conversation with him, Jim had no cause to doubt that what he had been taught ten years or more ago was still valid.  In this respect I believe that we need to become “educators” in the sense that we need to inform without scaring people. 

In this case FUD opened the door, but it wouldn’t have kept that door open if I hadn’t tried to avoid it so much.   It did give me the opportunity to educate Jim on what can happen and how to go about assessing the risk associated with how he handles his client information.   My preference is to have a conversation on the merits of information risk management rather than the ramifications of ignoring information risk management, but I guess that as a small business owner myself, I should take any opportunity that is presented to me.


This is more of a request for comments than a real post.  I was having a conversation a few days ago with a friend of mine and the subject turned to ethics.  We talked about the importance of making ethical decisions and behaving ethically within our field.  I then raised a question that honestly I don’t know the answer to:  Does one’s culture influence ethical decisions? 

Now I’m relatively certain that some ethical decisions transcend culture, but do they all?  My friend didn’t seem to think so, but from his reaction I could tell that he had never really given it any thought.  My feeling is that culture probably does influence what one considers ethical behavior.   

According to the Merriam-Webster Dictionary, the English definition of “ethic” is:

Main Entry: eth-ic

Pronunciation: \ˈe-thik\

Function: noun

Etymology: Middle English ethik, from Middle French ethique, from Latin ethice, from Greek ēthikē, from ēthikos

Date: 14th century

1: plural but sing or plural in constr : the discipline dealing with what is good and bad and with moral duty and obligation

2a: a set of moral principles : a theory or system of moral values <the present-day materialistic ethic> <an old-fashioned work ethic> —often used in plural but singular or plural in construction <an elaborate ethics><Christian ethics>

2b: plural but sing or plural in constr : the principles of conduct governing an individual or a group <professional ethics> 

2c: a guiding philosophy

2d: a consciousness of moral importance <forge a conservation ethic>

3 plural : a set of moral issues or aspects (as rightness) <debated the ethics of human cloning>

Now, looking at these definitions, my feeling is that one’s cultural perspective will heavily influence what is considered ethical behavior.  I think it is important to gather some more information about this, as the modern workplace has workers from many different cultures and perspectives.  In order to effectively institute security awareness and training programs (and by extension promote a culture of security) we need to take background and culture into account. 

As I continue my own research I am interested in what you think.  You can post your thoughts here or you can email them to me (gmckee@ascensionriskmanagement.com).  I’ll collect the comments and put them together with the results of my research in a future blog post. 
