What Works with Security Risks: The Carrot or the Stick?

February 22, 2011

We just wrapped up an intense focus on security at RSA in San Francisco this past week. Thousands of IT professionals gathered from near and far to discuss the latest advances, trends, and concerns around securing our businesses, all against a backdrop of political unrest, from Dubai to Egypt and even to Wisconsin, projected onto the internet for all to see. At the same time, The New York Times reported that the Canadian government had been hit by a cyber-attack in early January that created an internet blackout lasting nearly two months. It got me thinking: as the world becomes smaller, and we gain visibility into events and occurrences we could not see before, how does that change our spheres of influence? And if cybercrime is your domain, how does this shape your thought process or approach?

Interestingly, I had the pleasure of sitting on a panel at RSA that included Jeff Moss, Director and Founder of Black Hat and DefCon and member of President Obama's Homeland Security Advisory Council; Tim Wilson, Editor in Chief, Dark Reading; and Eric Aarrestad, VP of Marketing, WatchGuard. Jeff provided rich commentary on the business of cybercrime from the criminals' perspective: what's in demand, what gets noticed, and so on. Tim provided the balance to that equation, offering a view into what his readers mostly want to know about: what are the latest threats? That makes sense, but the problem is that it sets up your security posture as reactive rather than strategic.

As the conversation evolved, the kernel of the discussion became this: what's the best way to help organizations understand their security risks and what they can do about them? Do you play up fear (the stick), or do you play up enablement (the carrot)? From Cisco's perspective, we believe in enablement. It's an interesting debate, especially as we find ourselves more and more in the cloud, working with an increasing number of connected devices, be it a tablet, a smart phone, or even our refrigerators.

As IT consumerization proliferates and more and more devices cross the chasm between work and home, cybercriminals are going to find more opportunities. That's why we need to think about and implement security up front, embedded throughout the network. But even more importantly, we need to unite, across organizations and industries, to identify real ways to combat the threats. If we leave the business of fighting cybercrime to individual solutions, we're doing our customers and our businesses a grave disservice. It's time to get aggressive and create a united front so that we truly can approach security from a posture of strength and enablement.



  1. A united front is actually something that could work. If we are to avoid total chaos on the security front, it really does begin with the big players. We should have the ambition to make cybercrime a thing of the past, and for that to be even remotely likely, a concerted effort is not just preferable, it’s necessary.

  2. I couldn’t agree more. I feel to a large extent, though, that the capitalist model makes it really difficult for experts in this field to join together. I think examples like the Conficker Working Group, a part-public, part-private international collaboration, need to be the norm. That, and corporations and other organizations in the tech sector need to be made privy to the kinds of architecture-level best practices in the tech security world that can be implemented early on so that there aren’t glaring security holes in new products.

    Great post, though! I would have loved to have had a chance to sit in on that panel!

  3. Security risks are one of the big threats facing the technical world nowadays. Gatherings to share knowledge between techs are very important, and at the same time debates conducted in a transparent way will help a lot.

  4. Nice thought-provoking article. Unfortunately, in reality it is a mix of carrot and stick that becomes the walk of life.

  5. I agree with your views; enablement will increase security in the long run. However, there are always new methods threatening business, so no one can be 100% sure.