I have been to many corners of the IT Security world. Operations, Audit, Penetration Tester, Risk, Enterprise, SMB, Federal. You name it, and I have fortunately had the opportunity to be a part of it. I am certainly not the authority in any or all of them, but it has been a fun twenty years.
When I got involved on the side of the business where I had to sell or do presales, the phrase “Fear, Uncertainty, and Doubt” came up a lot. I have to say it is a phrase that I despise, and I will tell you why. But first a story or two.
I have had the opportunity to work with manufacturers of hardware and software and engage with their marketing and sales teams. And they have given me the advice on more than one occasion that “You will make more sales in security if you scare your customers into believing that they are going to get attacked and hacked, and their data is going to be stolen and sold on the dark web.” Create Fear, Uncertainty, and Doubt – FUD.
I have an issue with this line of thought. There is a fundamental flaw with FUD and I refuse to use the tactic. I won’t try to convince my clients that they should be scared of some unknown group of hackers, that there is no way that we can resist their attacks, and that my proposed solution is flawed because no solution is “100%”. If I tell them it’s “not if but when” they get hacked, but that it’s the best we can do right now, then I am putting myself into the same category as those who are experiencing “fear, uncertainty, and doubt”. (Think about that if the next time you get on an airplane the Captain starts telling you all the ways that the plane could crash.) I have to be honest with you, I look forward to the challenges each and every day. I do this because I like to solve problems.
I didn’t get involved in the practice of Information Security to wake up in fear every day. If I thought that I couldn’t make improvements and give good advice to my clients, manage risk and improve their security, I would quit this career and find another. I understand that there are some very bright people out there who make it their business to attack and take advantage of people and companies every day. The world has a lot of sharp corners. With regard to those of us that sell products and provide services, it’s not a reason to take advantage of a client that is putting their trust in us to give them good advice.
I have been in the room when a company has been hijacked with ransomware and they are literally unable to conduct business, and the account manager or sales team suggests that they upgrade the firewall or the network, fully knowing it’s the wrong suggestion. That’s a recipe for disaster and ethically wrong.
Be the professional who is known for giving the right advice. Be the person who says that what they do or sell isn’t the right approach for every situation. Be the person who gets paid for doing the right things, and then be the person who gets invited back. And do it fearlessly, with conviction, and confidence.