Fear, uncertainty, and doubt (better known as FUD) has been a marketing and sales tactic since people have been buying things from each other. Why? Because it works. I don’t care how logical or methodical we think we are, we have all bought things based on emotions and we will continue to do so as long as there is commerce.
Salesmen and marketers will continue to appeal to fear. It’s relatively easy and certainly cheaper and quicker (at least in the short term) than trying to sale something on its merits. Especially in the security industry where good quality metrics, return on investment data, and other hard data can be nearly impossible to come by. Intuitively a lot of us know when we’re being “sold a bill of goods” and we can improve on that intuition by educating ourselves or by utilizing trusted peers or sources to vet out a lot of the FUD that exists. The challenge is to not move forward with the purchase even after we’ve realized we’re being had. That can be harder than one would think; Jeffrey Gitomer says it best “people don’t like to be sold but they love to buy”.
There’s an even darker side to FUD, however. People, especially in information security circles, have begun to throw the label around inappropriately and indiscriminately. And, much like being called a communist or a fascist in political debate, it has become a weapon that results in shutting down legitimate debate and discussion as well as smearing those trying to bring up very real and very dangerous risks or threats.
This might result in a company doing nothing to address a very real issue which, to my mind, is even more insidious than spending money on something that might not be real. If money is unknowingly spent on something to fight FUD then it’s true that money and time might be lost. If, however, money is not spent on something real because it has been labelled FUD, then not only is the threat unaddressed but when the threat is realized the time and money dealing with said threat will still be lost.
What’s the moral of this post? Just this; it’s important not to be swayed by FUD, regardless of whether it’s being used as an appeal to fear or as a smear tactic. Or it could be that this entire post is nothing but one big exercise in FUD itself. That’s up to you to decide.