In 2014, fear was one of the biggest factors in creating change. Let’s take Ebola for example. We are in no way diminishing the seriousness of Ebola, but in terms of numbers, it is far from one of our biggest health issues. The population’s fear drove the government and organizations to commit a massive amount of resources to containing and curing the sick.
How about the Sony hack? Yes, it was a massive hack, but some might argue that it was the fear of North Korea’s involvement that caused people and the government to care, not the size of the hack or the leaked content.
Let’s face it; fear motivates people to get things done. So should you employ fear to get things done at your company?
Bad: Risk management driven by fear
People fear immediate threats more than anything else; while this is necessary for survival, it is not a good for business strategy. How can a business ever thrive or profit if it is only reacting to immediate threats?
Businesses need to think about the long term. Using fear as the driving factor at your company may keep you in business, but it probably won’t make you an innovative, respected or profitable company.
Good: Fear as a motivator
It sounds depressing, but sometimes you need to showcase the bad in order to get to the good. Take the Sarah McLachlan animal cruelty commercials—we all know them, but we may not like to watch them because they are so sad. But, for that same reason, they work! In a year and a half, those commercials raised $30 million dollars.
So how can you apply this to the information security industry? Make it personal. The fear of threats that are imminent to employees and stakeholders who don’t comply with security protocol and invest in security can cause people to act. Show them the stats on how a company hack can affect them personally and immediately follow up with how they can protect data. Inform them that it is no longer about IF you get hacked, but WHEN and how much damage occurs.
The dislike of investing in something as intangible as cyber security can turn people into procrastinators. That intangibility fools them into thinking security can wait and even allows them to just forget about it all together. Your job is to keep security top-of-mind and employing a bit of fear can be one productive way to do that.
What are other tactics that you use when it comes to driving home the importance of risk management?