# FUD vs Facts: What to Look for When Evaluating Cybersecurity Tools

Published by Axio

The psychology of fear plays a central role in the success rate of social engineering cyber-attacks. Attackers rely on eliciting an emotional response from their victims, creating a sense of urgency towards action, which often works. This tactic is commonly referred to as “Fear, Uncertainty, and Doubt,” or “FUD,” and its use is not limited to bad actors. FUD is also a ploy leveraged by cybersecurity vendors to drive urgency during sales cycles with organizations. By using fear to frame cyber risk, sellers hope to push buyers into a quick decision, which may result in purchasing products that don’t meet business requirements. With various budgetary factors in the balance, CISOs need an unbiased way to look at their risk program to plan and secure security resources, and they can’t be responding to emotion and fear.

The current cyber threat landscape demands that security and risk leaders strive to make objective decisions based on facts. CISOs and executives must be able to identify the unique and relevant risks to their organization quickly and on an ongoing basis. They must also be able to continually evaluate the state of their cybersecurity controls and programs to ensure protection against existing and emerging risks. When upgrades in cyber defense infrastructure are needed, security and risk leaders should exercise appropriate due diligence during their evaluation and decision-making processes.

Many business leaders are turning to Cyber Risk Quantification (CRQ) to follow through with this due diligence and get a scenario-based view into their risk profiles to better understand where to spend on cybersecurity.

At Axio, we specialize in CRQ and impact-driven decision-making. In this post, we look at how CISOs should broaden their focus when evaluating potential security vendors. Below are some pointers on how to remain focused on what you need and what questions to ask when evaluating new vendors and new technologies.

## How does this vendor’s solution map back to my overall cyber risk strategy?

Securing budget is often a pressing challenge for security leaders. Preparation is key to avoiding wasteful spending, and CISOs need to understand, realistically, what their security team’s financial plan will look like. New technologies are constantly emerging to combat cyber risks, but not every security solution is worth your time or money. Before you begin evaluating potential vendors, you must establish the overall risk strategy and/or cybersecurity framework on which you’ve built your cyber program. Executives, board members, and CISOs must agree on the company’s overall approach to risk, and how new vendors will either complement or replace that strategy. A decision-making aid like Axio360 is the type of tool you need to get everyone on the same page regarding risk planning. Our system is set up to generate dynamic reports based on your company’s risk profile and translate the results into financial terms. Technical and non-technical leaders can use this data to identify areas of spending priorities before engaging with a vendor. You’ll be empowered to inform the vendor what technology you need, not the other way around.

## Has the vendor’s solution been deployed successfully by my peers? Has it been tested in environments like mine?

To get a good measurement of your company’s cyber program, peer benchmarking is a crucial component. In our Board of Directors Guide, “Getting the Board Game Right,” we discuss how our platform can leverage peer group data to establish a baseline for your own risk profile and justify your spending decisions. Peer benchmarking should also be leveraged when assessing new security software. What works best for one business may not fit the requirements of yours. Part of your due diligence is researching beyond “best in breed” solutions and finding a tool that makes sense for your business and its specific needs. Sellers may cloud your judgment by pointing to examples of success stories with their products, but if these references come from companies that aren’t comparable to yours, this information is often irrelevant.

## Is the product scalable? Will it introduce new risks into my environment?

Another deceptive hook from the FUD playbook is the mistaken assumption that you need “all the bells and whistles” for proper protection against cyber threats. However, a strategic cyber program leader knows that it’s not about 100% protection 100% of the time. For example, introducing a new product to your environment that uses privileged access creates additional attack vectors that must be managed. If you go with a product that doesn’t fit into your risk strategy, or if you don’t have the internal resources to manage it, this security product can pose more of a threat than a solution. Value from security software comes from knowing the ROI of different decisions and choosing the ones that address your business priorities. If you start with CRQ, you’ll already have a good idea of what specific requirements you need vendors to meet, and you can avoid wasting time and money on features you won’t be able to use effectively.


The urgency for cyber resilience is real, but emotional decision-making is never an optimal practice in any realm. Decisions influenced by FUD often cloud our judgment and lead us away from successful, long-term solutions. Selecting a vendor new to your organization is itself a risk, which is yet another factor to include in your mitigation plan. Here, we’ve explored some of the important questions you should weigh when considering potential software providers. To answer these questions, you’ll need to understand your own business and its risks first, which can be accomplished using CRQ. For an overview of the emerging CRQ market, first-hand user accounts, and guidance on how CISOs can start their CRQ journey, see Forrester’s recent report.

Don’t allow FUD and social engineering to drive your decision-making, and don’t rely on fearmongering sales reps to dictate what you need. Avoid the pitfalls of FUD and start your software evaluations with quantification using Axio360. Then, layering that methodology throughout the process will help your team select the right controls for your environment. You need a quantified approach to your risk profile to know where to spend. Find out more by contacting our Sales team or requesting a free demo today.
