University of Wisconsin–Madison

Moving beyond FUD, Part I

The CISO’s Perspective, June 2018

At the University of Wisconsin-Madison, we know the higher education and research communities are, in practice and by necessity, an open and collaborative society driven by the need to share information without hindrance. Daily business practices have the potential to expose protected personal or healthcare information, sensitive or unpublished research, patentable discoveries and inventions, and large volumes of financial information. 

Seriously, what is FUD?

Communicating the practices and policies necessary to manage the risk of data loss may easily result in promoting fear, uncertainty and doubt. Also known as FUD, this type of communication is often thought to motivate users and data owners toward the “right” behaviors. Who among us has not used someone else’s pain to advance an important program?  We play to the fear, uncertainty and doubts of others to push our agenda forward. 

The Office of Cybersecurity is choosing to move in the direction of partnership as we inform and involve the community of faculty, researchers, staff and students, without FUD as the centerpiece.   

This CISO’s Journey:

It’s been a little over three and a half years since I left the high-speed, low-drag federal world of cybersecurity for that of higher education. During the transition I learned that some of the approaches to security awareness deployed in the federal sector had little sway in the educational environment.

Starting with basic blocking and tackling – routine cyber hygiene can be seen by some as interfering with teaching and research. Who knew? Learning to communicate to a wide and diverse audience within a distributed and customer-centric governance model takes finesse. Central control or even unified thinking runs counter to the higher education culture. As in corporate or other government work, influencers and culture change matter, and knowing who your influencers are is of utmost importance. Those who influence the most may not want the publicity.

What’s in your program?

Describe in a couple of sentences how your information security program works. Avoid abstract or empty sentences. “We protect information” is a good bumper sticker that screams for a succinct “how” statement. Add “we check for indications of compromise using industry-leading tools” and you now have people wondering if their tool is an industry leader. From my recent experiences, communicating how your program works is one of the most important tasks for leaders.

UW-Madison’s next edition of our Information Security Program and Cybersecurity Strategy tells the story this way:

“Our community drives information protection through collaboration, education and innovation. We manage cybersecurity risk by enabling the people, processes and technology that will improve our future.

We value our community and our collective expertise. We use tailored frameworks to manage risk, tools selected by the community, and open exchange of ideas and strategies.” 

Then we add a few bumper stickers:

  • It’s all about the data!
  • We will lead the revolution in higher education cybersecurity.
  • Our work makes a noticeable impact in protecting research information and important data.

Let’s take a break now.  In my next CISO’s Perspective I will explore how FUD messaging works and the impact FUD can have on specific groups.  More importantly, I will answer the question of how we can create messages that are pertinent to changing cybersecurity behaviors without FUD.

Stay tuned!  Great things are going to happen (see, no FUD in that statement!!!).