February 18, 2012 By Dan Lohrmann
Just in case you haven’t been paying close attention to tech headlines lately or you’ve been totally distracted by Jeremy Lin’s unexpected NBA exploits (also known as Linsanity) or you’ve become turned off by the constant barrage of bad news related to computer hackers, this has been another bad week in the headlines for cybersecurity. Perhaps, somehow, you’ve missed the latest scary cyber news.
If this describes you, here is a mini-sample of the top news stories that the security industry has been hammered with over the past week:
Wall Street Journal – Chinese Hackers Suspected In Long-Term Nortel Breach
Excerpt: “For nearly a decade, hackers enjoyed widespread access to the corporate computer network of Nortel Networks Ltd., a once-giant telecommunications firm now fallen on hard times.”
Excerpt: “Jennifer Youngblood, a CIA spokeswoman, said on Friday night: "We are aware of the problems accessing our website, and are working to resolve them."
Anonymous claimed responsibility for shutting down the homepages of the Department of Justice and FBI last month in retaliation for the US government closing the controversial Megaupload filesharing websites.
Alabama state and Mexican mining company websites were also hacked on Friday. Web pages linked to Anonymous claimed responsibility for both attacks.”
I could go on, but I’m sure you see the trend. The chilling truth is that cyber headlines, often involving major breaches, are relentless. I keep thinking that things can’t get worse – but they somehow do. Over the past few years, we just kept hearing more and more frightening stories about hacker successes and sensitive data lost.
Bad FUD Defined
Competent security pros can easily keep your attention and can scare just about any audience with a well-selected sampling of these headline stories. Recent hacking incidents and the millions of dollars or reputations lost often make CNN and Fox News. Security professionals call an extensive focus on these stories “FUD,” which stands for “Fear, Uncertainty and Doubt.”
Yes, other industries use this term as well – but in the security and technology circles, regularly repeating FUD headlines is viewed as a bad thing. Why? Aren’t these just factual news headlines from reputable sources? Yes, but used too often or as the main message in speeches, FUD can escalate the negative views of the security industry by not offering cyber solutions that work over time. FUD often creates opposite extremes – either a sense of hopelessness or an unsustainable excitement that blocks out all other discussion.
Put another way, FUD might be compared to the sports crazes of Tebowmania or Linsanity - the topic gets super hot and takes over all coffeepot discussions, but after a while, people get sick of talking about it. Eventually, the pendulum swings the other way. Perhaps the tide has already turned for FUD, because like an addictive drug, it takes more and more FUD to have an impact in 2012.
Truth be told, I have long been a critic of FUD, which can contribute to reason #1 that security professionals fail. I have seen FUD offer a short-term bounce to security programs around the country which can later become a “haven’t you fixed that yet” mentality from senior executives 6-12 months later. Our cyber defense goals need to address long-term strategic answers that improve cyber defense over years and not just days or months. A common joke in the security industry is that you want the CISO job right after a major FUD incident. You get the $$s and support – after the last person was removed.
Good FUD as a Starter
Now allow me to also offer some positive aspects to a small slice of FUD. True cyber stories that are hot off the press are great conversation starters - like an appetizer before the main course at dinner. Remember – FUD almost always works for a brief moment. Audiences are usually intrigued by hot stories of cyber breaches or worse, especially if there is some new twist or a different channel that was used to gain unauthorized access. Advice: just don’t make the FUD the main point of your speech or end with “and you’re next if you don’t follow my advice.”
But while FUD usually works great to get a speech kicked off or as an icebreaker with a person who knows very little about security, it should not be used as the main course. Just as financial advisors know what to say to clients after a bad day with big stock market losses, smart cyber pros will use that “teachable moment” to move on to what actions their company can (and needs to) take now. Advice: have that elevator speech ready for the next FUD to hit. Also, get to know “the rest of the story” so that you can keep the conversation going beyond the headline that is so popular.
One more point in the “good FUD” category: keeping track of the latest FUD is important for your career. Security pros need to be well-informed when asked “what happened” by friends and colleagues at home and work. You are the resident “expert” so a puzzled look about yesterday’s headline hack, while occasionally ok, is not an effective way to build confidence in your abilities. Advice: When this happens and you’re caught off-guard, read up on the incident quickly, because others will ask as well.
FUD Can Also Get Ugly and Personal
I remember a major breach that occurred back in the 90s that taught me a lesson. I was at a training conference on how to configure network firewalls and security controls. As I was eating breakfast before class and reading a front-page Washington Post article about a major breach to a colleague, he turned to me and said, “Oh my gosh, that’s my website! I was sent here to this class to make sure we weren’t hacked.”
My two-day friendship ended when he was called away and never came back. I later heard he was fired.
The lesson – scary FUD headlines are real and can become very personal. I know several security pros – both leaders and analysts – who were “overcome by events” that were probably outside of their direct control. Nevertheless, we ignore FUD at our own peril.
All of us in the security industry are aware of the unexpected challenges that a career in cyber can contain. If management is looking for a scapegoat after a major incident, FUD can lead to changes that may not be well thought out or even helpful to defending the enterprise. Still, these cyber headlines can derail impressive careers if “perception becomes reality.” After the cleanup, management may say you should have known or stopped the incident from happening. Advice: develop a good relationship with your government agency’s Public Information Officer (PIO) who is trained to deal with the press. Work together as a team during cyber incidents. Sure, we want to stay out of the news, but prepare for the worst.
Bottom line, FUD is a complicated topic. FUD can be your friend or your worst enemy. It can light a fire under cyber initiatives, or end a career. It can influence decisions in the middle of a crisis. Regardless of the story, FUD is important to master – and that’s not just hype.
Any FUD stories to share?