Too many questions from too many people. The surveys just keep rolling into CIO and CISO mailboxes - along with those tempting offers. I must get at least five survey requests a week.
Does this sound familiar? "We'll enter you in our drawing for a free (something), if you fill out our 15 minute survey." Or have you seen this one, "The first 25 people to respond will get a $25 gift card to (somewhere)."
What do I do? I almost always delete them. You should to - unless you know who you're really dealing with and have a good reason to answer. Here's why:
1) First, and most important, do you really know where your precious data is going? Many of these surveys come from marketing firms or companies that we have never heard of before. Even if the request supposedly comes from a reputable company, are you sure that they are the ones asking the questions? Better to be safe than sorry.
2) How is the information really going to be used? Most requestors claim that your information will remain anonymous and will not be tracked back to you. How do you know that this true? I know of examples where this was not the case. What assurances do you have?
3) What information are they asking you to provide? I've received surveys asking detailed questions about network architectures, the versions of security products we use, even the frequency of patch updates on firewalls or actual IP addresses implemented. We don't even give out some of this information to our own staff, why would I want to give this information away for a free cup of coffee? Might this request be coming from a hacker? Even if it isn't, could it be used by someone at that company who has less than good intentions?
4) Is this just a marketing ploy to get your contact information? A few years ago, I filled out a few surveys - only to receive phone calls from salespeople who asked about the data I had provided. When I answered any questions with a less-than-perfect response, I was "enlightened" into how their new product would solve all of my problems.
Once I asked, "What happened to the anonymity I was promised or the statement that the data was just going to be used in aggregate for determining national trends?" There was silence on the other end of the phone, along with a denial that anything wrong had happened.
5) Finally, might filling out the survey cause a conflict of interest? Government employees are not allowed to take gifts from vendors (above a nominal amount of say $10-$15.) Could that free game you receive for the survey be an ethical violation? Check out your government rules.
Before I end this piece, I want to add that some surveys are definately worth the time and attention. In Michigan, we take extra time and pay close attention to surveys from organizations like the National Association of State CIOs (NASCIO). For example, their Strategic Cyber Security Survey provides valuable data from a trusted source. Other surveys from organziations like the FBI are worth the effort as well. I am not against all surveys, since we need the national data and overall metrics to improve.
I also fill out general information on a few selected magazine applications or other forms where I know where the data is going and how it is being used - but I am careful. In fact, our own Government Technology Magazine is a trusted source that should be taken seriously.
Bottom line, when it comes to filling out security surveys coming by email from unknown sources, my advice hasn't changed in several years. Just say no. There are better uses of your time.
What are your thoughts?
Leave a comment