IT shouldn't proclaim that the sky is falling, but Bill Detwiler thinks a little fear can be a powerful motivator for improving IT security.
In the above "60 Minutes" video, correspondent Steve Kroft spoke with former and current US government officials and private-sector security about the nation's vulnerability to cyber attack.
"If I were an attacker and I wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer, I probably would sack electric power on the U.S. East Cost, maybe the West Coast, and attempt to cause a cascading effect. All of those things are in the art of the possible from a sophisticated attacker," Retired Admiral Mike McConnell told Kroft.
To most IT professionals, this revelation isn't, or at least shouldn't be, news. Before joining TechRepublic 10 years ago, I worked for a regulated utility—a power company. Even then, before anyone was seriously pushing a "smart grid" we were keenly aware of digital threats to our organization. But, just because IT is aware of a threat, doesn't mean the business is dedicated to addressing those threats. Corporate management is usually most focused on maximizing profit. (I am not referring to my former employer, but making a general statement about the disconnect that often occurs between IT staff and corporate leadership.)
In fact, this disconnect isn't confined to IT or even the corporate world. Whenever you have individuals or groups with different and/or competing interests, disconnects are common. Yet it is IT's job to help protect the organization from cyber threats, and in many cases the stakes are too high to allow a communication gap, lack of understanding, or just pure apathy to prevent good security.
Part of IT's security mission must therefore be to educate the greater community about relevant security threats and convince them to take or approve the necessary countermeasures. It's the second goal that's often the most difficult. Even your best descriptions of DoS attacks, rootkits, SQL injection attacks, social engineering, and all the other threats we face can fall on deaf ears unless you impress upon your audience the consequences of inaction. This is when fear can help.
Fear does not equal F.U.D (fear, uncertainty, and doubt)
Whether you're trying to convince senior management to ban USB drives or your three-year old not to touch the stove, fear is a powerful motivator. Yet, fear is a double-edged sword. If used inappropriately fear will win you more enemies than supporters and can undermine your ultimate goal of improved security. Therefore, I recommend the following guidelines:
- Avoid the hype. Be truthful and realistic. Don't make outlandish or unsubstantiated claims of IT destruction and massive financial loss, if the threats you're discussing aren't likely to cause such outcomes. Present the threat as you understand it, explain the likelihood of occurrence, and describe your organization's level of exposure.
- Temper fear with solutions. Once you've explained a threat, follow up with your best recommendations on how to mitigate it. You're goal is to motivate the audience into changing their behavior or giving their approval for an action, not merely to scare them. And, don't come in with an all or nothing plan. Be prepared to offer a range of mitigation options, which vary in scope and cost.
- Don't overuse fear. Remember the tale of the boy who cried wolf? If you constantly predict IT catastrophes that never materialize, your audience will eventually stop listening to you.
- Focus on an audience who can act. Narrowly target your message to those who can address the threat or have significant influence of those who can. Inducing fear in those who can't benefit from point 2 is counterproductive.
Is fear effective?
Yet, not everyone agrees that fear is an effective motivator. In April 2009, I published a ZDNet video on the possibility of a digital Pearl Harbor event. On the video, Bruce Schneier, noted cryptographer and Chief Security Technology Officer of BT Counterpane, suggests IT is better off avoiding fear as a motivator. "We're better as an industry, if we don't stoke fear, if we don't talk about the digital Pearl Harbor. People turn off from that," Schneier said.
I agree with Schneier's statement that IT shouldn't "stoke" people's fears unnecessarily—see all my above points. But, I still think a little fear can be a powerful motivator. And remember, all fear isn't created equal. Rationally explaining the negative consequences of not upgrading your network's intrusion detection system is a far cry yelling fire in a crowded theater. What do you think?