With expensive and damaging cybercrime on the rise, companies and organizations across the globe are constantly trying to improve their security stance. As a result, many security vendors have taken advantage of this vulnerability with a FUD approach. The FUD strategy, standing for fear, uncertainty and doubt, is a scare tactic that plays on a prospect’s fears to win a sale. The sales pitch often includes lines like “there are bad things in your network or application” or “this product is your only hope.” The security industry is ripe for FUD tactics as the costs of cybercrime is skyrocketing. The costs are rising because companies are hiring more and more security engineers but the “scale out” approach isn’t efficient as you can never hire more manual resources than the automated attacks that the hackers are launching.
If companies give into the FUD, they’ll continue to buy more and more point solutions in search of the “right one.” This is essentially the same approach as trying to lose weight by purchasing quick fixes, instead of putting together a targeted plan on how to move the needle. Here are four best practices on how to avoid FUD and build security with confidence, assurance and resiliency.
Too few cybersecurity vendors practice transparency. They don’t give users a look beneath the hood of their technology and often overpromise on capabilities. Cybersecurity isn’t some sort of black magic yet security vendors have been treating it that way, framing their product as the sole solution to all the fear, uncertainty and doubt. By not providing this transparency, everyone loses out with a lack of education and improvement. Transparency enables organizations to have full visibility into their software development life cycle – meaning which tools are integrated into what part of the pipeline, if there are any vulnerabilities found and what they are, and recommendations on how to rapidly remediate them. With full transparency and visibility of the whole situation, organizations can protect themselves with confidence, assurance and resiliency rather than falling into FUD.
Incorporate Security In At Every Stage
The software development life cycle needs to have security tests built in at every stage, from code commit to application delivery. Putting implicit checks into place increases overall confidence that your code and application are much more resilient to application security attacks. This also increases assurance, as everyone knows exactly what tests were performed and what the results were in real-time. Instead of taking the insurance approach, where you simply hope that nothing bad ever happens, take the assurance route by being proactive with your application security testing.
Know Your Strengths and Weaknesses
Most security professionals can’t confidently answer the following question: how secure are we really?
If you don’t have the answer to this seemingly simple yet fundamental question, your security team is working blindly, which puts your company, its reputation and its customers at an unnecessarily increased risk. All organizations should do a full examination of their security processes and vulnerabilities to uncover their security strengths and weakness. Without this knowledge, there is no confidence, assurance and resiliency.
Understand that Security Isn’t a One-Size Fits All
There is no one cybersecurity solution that will be a perfect fit for every company. Each organization has unique security needs, strengths and weaknesses and a good security plan should take all of those factors into account. Too many companies have fallen into the FUD trap that “tool X” or “package Y” will be the solution to every security need. Cybersecurity isn’t a silver bullet so organizations need to do their research to figure out what the best security plan for them entails and not fall into the one-size-fits-all security package built on FUD.
Selling products on the basis of FUD is a scam and security vendors who are guilty of inducing FUD need to make it right. The current state of cybercrime has rightfully put the security industry on edge but we are not helpless and cybersecurity tools shouldn’t been seen as an enigmatic quick fix. Leave FUD behind and build security with confidence, assurance and resiliency by demanding transparency, incorporating security at every stage, knowing your strengths and weakness, and understanding that security isn’t one-size-fits-all. We have access to the best cybersecurity technology but each organization needs to build a personalized security plan built on confidence and assurance to ensure their resiliency.
Copyright 2010 Respective Author at Infosec Island