Bill Brenner, Senior Editor over at CSO Magazine, has a great Podcast where he covers a recent security gathering in Boston, MA. The one that captured my attention is a summary of a Forrester Research study on the increase in security spending. According to their research (and I’m just going on the information from the Podcast; I haven’t read the paper yet), FUD has fueled an approximate 10% increase in information security budgets – a 2% increase over last year.
If you have the time – and you only need seven and a half minutes – it is worth your time to listen to Bill Brenner’s Podcast.
Tags: Bill Brenner, budget increase, CSO Magazine, FUD, Podcast
Posted by: gsmckee4 in General
Fear, Uncertainty, and Doubt has been the staple of security vendors’ sales pitches since our industry began. To most of us, including me, this is a definite turn-off. Any vendor who leads off with a FUD sales pitch typically either gets shown the door or is told to stick to answering my technical questions. Personally, it has been my opinion that if you have to resort to FUD then you really don’t have anything that I want to buy.
That said, imagine my surprise when I was meeting with a potential client and he kept asking me questions about whether an attacker could do this and whether an attacker could do that. Let’s call him “Jim.” Jim is concerned with protecting his company’s information but appeared to be stuck with a ’90s notion of information security. He knew to be wary of email attachments but was floored when I told him about phishing. He was still operating on the premise that it is all right to open an email and attachments from someone that you know or trust (like his bank). I was taken aback somewhat as I found myself answering his questions. Every attempt I made to steer the topic around to the benefits of being proactively secure, as opposed to reacting to FUD, was unsuccessful.
I was faced with a big decision here – do I give in to the dark side and embrace FUD as the way to “sell” this client or do I take the high road?
What did I do? Well, I think I took the middle road – I switched the topic from worst case to acceptable risk. Jim doesn’t work in a regulated industry, so talking about regulatory compliance wasn’t a tactic I could use. I could have switched to governance, but this is a small business, so the formalized processes so often found in governance models would have been drastic overkill here.
“Acceptable Level of Risk” is applicable in just about all situations. In this case I believe that it was the best tactic, especially since the meeting I was having with him was supposed to be about how he could help me out rather than what I could do to help him out. Jim was very concerned with protecting the privacy of his clients’ information. I was able to turn the conversation around to something akin to “Yes, all of these things could happen, but what is really important is to determine the level of risk you’re comfortable with so that we can determine what controls are appropriate for your environment.”
Now I know some of you out there are wondering what rock this guy has been living under for the last ten years, but I’m not so sure that he is all that uncommon. We live with the concepts of risk and information security on a daily basis, but many other people don’t and don’t pay it much attention until they are confronted with it. Until my conversation with him, Jim had no cause to doubt that what he had been taught ten years or more ago was still valid. In this respect I believe that we need to become “educators” in the sense that we need to inform without scaring people.
In this case FUD opened the door, but it wouldn’t have kept that door open if I hadn’t tried so hard to avoid it. It did give me the opportunity to educate Jim on what can happen and how to go about assessing the risk associated with how he handles his client information. My preference is to have a conversation on the merits of information risk management rather than the ramifications of ignoring information risk management, but I guess that, as a small business owner myself, I should take any opportunity that is presented to me.
Tags: doubt, fear, FUD, uncertainty
Apparently it will all be over in less than three years. Wow. That is some statement to make. Apparently the media doesn’t mind making it though. They report that we will run out of IP addresses by early 2011.
Two of the reports that I’ve read (one on Foxnews.com and the other on The Times Online) portray a digital doomsday rapidly approaching. We will run out of IP addresses and everything will come crashing to a halt. Apparently there is even a countdown clock located on the Net.
Now this may be so; we may run out of IPv4 addresses, but statements like this strike me as irresponsible. (Especially since this does not appear to be what the report actually says – it appears to be straightforward and level-headed, though I haven’t read all of it yet.)
I’m not a big fan of the FUD approach (Fear, Uncertainty, and Doubt). I don’t think that anyone should try to scare someone into action even if the result is a good thing. You put your credibility on the line every time you make a prediction such as this. Look at the Y2K non-event. It cost an estimated $300 billion worldwide, and it is debatable whether or not it was really worth it. Now I don’t want to open up that debate again. What I am concerned about is that messages like this tend to derail us from what is really important.
Should we plan for a conversion to IPv6? Of course we should, but this is not the foreteller of doom that the media seems to want to make it out to be. You can be sure that product vendors will soon pick up the war cry and fan the flames of FUD.
Life, and business, is a balancing act between risk and reward. Let’s incorporate these concerns into our plans so that we can deal with them in an ordered and structured way rather than through emotion and panic.
Tags: Doomsday, FUD, IPv4, IPv6, scare tactics