‘There is no terror in the bang, only in the anticipation of it’. Alfred Hitchcock said that… He knew a thing or two about evoking fear. Fear is often used to will people into taking action that they otherwise wouldn’t – for example, fear-based messaging has been used for years (who knew that before Listerine, no one was worried about bad breath… no one). When it comes to fear-based messaging… security is no exception. Based on a potentially disastrous outcome (which may be low in likelihood), fear is often used to obtain support from boards and executives. Fear has been used as a big lever that is pulled until executives throw their hands in the air and throw resources at you. Not every company is visibly under attack each and every day, so fear-inducing stories have been seen as essential to sketch a big scary monster in the minds of those who are influential in order to have them recognise a need for action.
But fear needn’t be what drives your information security agenda. This is like fearing drowning every time you step into water despite being a competent swimmer. In fact, feeling fear in water often leads to a greater likelihood of something going wrong. It is the same in business. Focussing on fear distracts us from identifying the true threat and calmly addressing it.
In order to achieve a balance, a different emotion must be leveraged. The opposite of feeling fear is in fact feeling secure (or so the thesaurus tells me). This is what we are after. In this day and age, we shouldn’t have to use fear to propel our organisations to be more secure. We should be focussing on feeling more secure based on a healthy approach to risk and a true awareness of where our accepted exposures lie. I’m not suggesting that we only see sunshine and rainbows and pretend that bad things don’t happen to good businesses. What I am suggesting is that empowering our business with honesty about the risk position and the support you need to identify, isolate and resolve security concerns could be the valuable injection your security agenda needs. Isn’t it time we focussed on the rewards of being more secure instead of constantly making our Board fearful in anticipation of the ‘bang’?