Shostack + Friends Blog Archive


CSO’s FUD Watch

Introducing FUD Watch:”

Most mornings, I start the work day with an inbox full of emails from security vendors or their PR reps about some new malware attack, software flaw or data breach. After some digging, about half turn out to be legitimate issues while the rest – usually the most alarming in tone – turn out to be threats that have little or no impact on the average enterprise.

The big challenge for security writers is to separate the hot air from the legitimate threats. This column aims to do just that.

But for this to work, audience participation is a must.

I’m highly in favor of reducing the FUD. I hope that Bill Brenner’s efforts will help constrain and shame some of the worst of the FUD. However, it won’t go all the way. Bill admits that he’s working from opinion not data. In The New School, we talk about how we need data on how often various problems actually manifest. When we get that data, we won’t need as much audience participation. In the meantime, go mock the FUDsters.

One comment on "CSO’s FUD Watch"

  • B.K. DeLong says:

    Yeah, that was one of the contributing reasons we stopped the Defacement Mirror at So many vendors were pointing to defacements as a means for generating revenue and stirring up FUD about the insecurity of everything. We also had vendors utilizing the site for daily intelligence reports they resold as a service sans attribution.
    I suspect, however, it’s far easier to anecdotally call people out then back it up with data. It will be interesting to see how much pressure CSO will get from advertisers to do just that. Or whether they’ll be calling out specific vendors instead of focusing on bogus trends.

Comments are closed.