Scare Tactics Don't Work Anymore

Anyone involved in Cyber security knows that scare tactics are part of the job, a new exploit is discovered, a cyber attack or some hack happens somewhere in the world and you see everyone from security vendors to cyber security staff jumping on the bandwagon and using it either to sell new security products or to acquire new products depending on which side of the fence you sit. I am not saying this to criticize or to say it is wrong to use such tactics, and while they never were my favorite, I know that as a security professional I have used them on multitudes of occasions especially when no other option proved effective, either to stress a need or to get special attention to a serious gap. At the end of the day getting hacked is a scary and serious affair something that should never be taken lightly.

Why I think that such tactics do not work anymore is because of two simple reasons: the first being that no one seems to be ahead of the cyber threat "security breaches keep happening" and the second is how much overused these tactics have become.

A scare tactic in essence is reactive, an approach that is either driven by fear and therefore not well planned or driven by the presence of known gaps in the security infrastructure that are not being addressed until something bad happens which is even worse. That is why I believe that instead of focusing on scare tactics security professionals should start focusing on approaching cyber-security as a foundation for every business, ensuring that gaps are covered based on proper and well communicated risk assessments. Security professionals should educate management and staff about having good security practices and instilling security as part of the job, a need that should be there always and not simply as a response to fear. We know that there is no silver bullet, even with the most advanced appliances in place security incidents keep happening and a good security program relies on a combination of security layers with many things done right in order to be effective and not one or two controls that are implemented overnight.