Having spent nearly two decades in the cybersecurity industry representing some of the top technology and service providers, I’m no stranger to the various sales techniques that vendors use to convince prospective clients to invest their time, resources, and shrinking budgets into cybersecurity products and services. Although most will frown upon the use of FUD (fear, uncertainty, and doubt), a quick glance at their social media posts suggests that the practice is still alive and well.
Most cybersecurity presentations I’ve seen (and many I’ve given) include the “obligatory slide” that outlines many of the prominent cyber breaches. In my own social media feeds, I see dozens of articles that begin with:
- XYZ company was hacked; here are the top 5 things you should do to avoid being in the news.
- Are you monitoring your (insert any part of your network here)? Well, you should be, because…
- Change Your Password, (insert your favorite social platform) was just hacked.
While I’m sure cybersecurity vendors and their prospective clients would agree that FUD is not the optimal approach, we can see that vendors still engage in this practice.
So, why is FUD still happening?
The explanation (excuse?) I offer is simple: FUD is part of the business case. Here’s what I mean by that:
FUD is effective because it accurately reflects how informed people feel when they see what we see in the market today, just as a compelling business case is grounded in reality but still requires expert explanation. Effective marketing (read: convincing) evokes an emotional response in people. Investment decisions aren’t always made by people who understand the risks of cyber threats; they may know there are risks, but can’t answer the “how likely, how often, at what cost, with what compliance issue” questions. Ultimately, when we describe a situation that evokes FUD, what we are really doing is qualifying the risk in a way that “non-cybersecurity people” can understand.
We don’t cite examples of breaches to induce fear specifically – we state the facts so that you can understand that this could happen to you. If we’re doing a good job, you will also understand what the risk is, what the potential impact could be, and most importantly how to reduce those risks/impact. The next level is to add why the risk is greater now than it was before.
It is not fearmongering to call out that organizations are indeed getting breached at alarming rates – sure, I chose the word ‘alarming,’ but people need to understand the difference between the number and sophistication of breaches a few years ago versus what is happening now. Would that happen if I just stated the number of breaches this year? The percentage increase since last year? That the rate of increase is also increasing? Often, people are only aware of the ‘big’/‘famous’ breaches that are notable enough to make the news. Yet, according to the latest Ponemon study, more than 50% of small and medium-sized businesses are going to experience a breach in the next 12 months. Of these, 75% of the breaches will come from outside the company. Moreover, of those that do experience a cyber breach, there is an 80% chance that they will be impacted again in the following 12 months.
That’s not FUD folks; it’s the facts. The reality we live in.
Uncertainty & Doubt
I treat uncertainty and doubt almost interchangeably in this case, but (again) the idea here is not to instill uncertainty for the sake of sales opportunities – it is to enable you to question your current security posture. As a leading MDR vendor in a competitive market, the biggest competitor we face is not another provider, but the client doing nothing. Wrong decision. Ask the 50% of SMBs who will experience a cyber breach this year.
This does not mean that cybersecurity tools and services don’t offer business-enabling, operational and transformative benefits. But the predominant reason to secure your environment is still to detect and thwart cyber-attacks. You just can’t afford not to.
…And that’s what I mean by using FUD as part of a business case. Fear is the natural response when faced with a threat, and the emotional way to convince somebody that these risks are worth mitigating. That’s the real benefit that cybersecurity companies bring your organization: risk mitigation. What value does a service that mitigates risk offer if the consumer of that service does not understand the likelihood of a risk occurring? It’s too easy to do nothing, to say “Oh, it won’t happen to me…” when you don’t know the answer. Informed FUD can help you attribute the potential cost of that risk coming to pass. This is why people talk about the increasing cost of a breach: so that you can compare it to the cost of a cybersecurity solution.
Ultimately what I’m saying is that, yes, sometimes we ‘use’ FUD – in the form of examples of real-world breaches that we bring up to inform your decision. By doing this, we risk having you feel the emotions behind the acronym. You should understand that the reasons we do so are all to better equip you to make a sound business decision. And the best ‘proof’ that I can offer is the documented examples, and the data about them, that extend beyond the headlines.
I am not saying that cybersecurity vendors have ‘carte blanche’ because our intentions are good – we need to act responsibly in terms of how and to whom we are presenting this information. The onus remains on vendors to ensure people don’t panic, and to encourage prospective clients to evaluate their solutions based on clear, established criteria, and the ever-changing world out there.
So, with FUD defended: I am saying that my warning for you to protect yourself (or else you’ll get hacked!) still holds true. There is enough evidence for the industry to confidently say that it’s not if you get breached, but when.
Fortunately, services exist that detect and respond to such breaches, so you can focus on your core business. Coincidentally ( 😊 ), ActZero offers just such a service. Contact us to find out more.
Cyber Armageddon is coming folks… brace yourselves!