
The Real Cost of Fearmongering in Cybersecurity

By Jim Venuto | Published: 08/14/2024

As I scroll through yet another barrage of doom-and-gloom cybersecurity headlines, I can’t help but feel a knot forming in my stomach. It’s not the threats that bother me—they are part of our daily reality in this field. No, what’s getting under my skin is how these threats are being packaged and sold.

This reliance on fear, uncertainty, and doubt (FUD) is not just an anecdotal observation; as Kevin Townsend highlights in his SecurityWeek article [1], it’s a pervasive issue eroding the foundation of trust in our industry.

As a security leader in the trenches for over two decades, I’ve seen my fair share of trends come and go. But this one—the increasing use of scare tactics in cybersecurity sales—feels different. It feels personal. And it’s high time we had an honest conversation about it.

Let’s face it: fear sells. It’s a tried-and-true marketing tactic used to sell everything from insurance to air purifiers. But in cybersecurity, where trust and partnership are paramount, this approach is not just ineffective—it’s downright harmful.

Vendors who rely on fear, uncertainty, and doubt (FUD) to drive their messaging are not just doing a disservice to their potential clients. They’re eroding the very foundation of trust that our industry is built on.

Think about it: how can we expect to build meaningful, collaborative relationships with our clients if our first interaction is based on scaring them?

Here’s the thing: cybersecurity is important. Critical, even. But it’s about empowering people, not playing on their fears. It’s about giving organizations the tools, knowledge, and confidence they need to navigate the digital landscape safely and securely.

As security professionals, our job isn’t to terrify executives into buying the latest shiny tool. It’s to understand their unique challenges, assess their risks, and work together to develop practical, effective solutions.

When we resort to scare tactics, we’re not just pushing potential clients away—we’re reinforcing the stereotype of the paranoid security professional who cries wolf at every shadow.

Instead, we need to be bridge-builders. We need to communicate the realities of cybersecurity honestly and actionably. We need to be partners, not prophets of doom.

So, what can we do about this? As security leaders, we have a responsibility to change the narrative. Here are my suggestions:

As I wrap up this post, I reflect on why I entered this field. My aim continues to be to serve, protect, and help organizations take informed, risk-based action based on knowledge, experience, competence, and earned trust. What about you?

References:

  1. Townsend, K. (2024, February 14). Beyond the Hype: Questioning FUD in Cybersecurity Marketing. SecurityWeek. https://www.securityweek.com/beyond-the-hype-questioning-fud-in-cybersecurity-marketing/