FUD stands for fear, uncertainty, and doubt. Gene Amdahl is credited with originating the term. In the security space, we like to say that "FUD sells." I have come to the recent conclusion that FUD actually doesn't sell. In the security space, what sells is RAL: regulation, annoyance, and loss. Let's look:
- Regulation - many new regulations spawn at least some routine spending on consulting to evaluate the enterprise and develop some notion of compliance. Regulations provide the framework and the teeth to actually get folks to consider the implications of security. They also tend to drive people who focus on them towards a "least common denominator" method of security which may be effective at protecting against the threat of regulatory fines but often will not protect against the threat of compromise.
- Annoyance - heck, who doesn't hate spam? Spam, worms, viruses - all very common in today's networked world. People spend money to get rid of them because they are annoying.
- Loss - it often takes an attack to wake up an enterprise. This is unfortunate, but true.
All of these things provide "comfort food" in some sense to enterprises that struggle with the notion of FUD - that is, that you never know with any degree of certainty how, when, or where your risks will materialize (we can do a heck of a lot better than we are doing today, however). In general, RAL is reactive and tactical.
11:09:12 PM