I decided to address buzzwords in the same spirit of collaboration as my previous article, CISO Manifesto: Rules for Vendors — 2022 Edition. If you have worked in the cybersecurity field for the last decade, you know about buzzwords; those adjectives Marketing and Sales swear will bring in revenue. Of course, buzzwords age over time, and eventually, customers see them negatively.
The following article will address some of the more well-known buzzwords, explain why they are disliked, and try to provide alternatives. I hope this discussion will lead to a better understanding between CISOs and their security vendor partners so we can make changes where possible. So please sit back, strap in, put your seat belt on, and let’s have a fun ride. Who knows, maybe by the end of our chat, we will have some new buzzwords for RSA or Blackhat this year.
· Buzzword — yep, this important-sounding attention-grabbing word gets on our nerves. As soon as we hear “buzzword,” we immediately cringe because we expect some technical jargon used to impress us. I think my main point here is only to use technical words when needed — the core point to remember is to know your audience and use the language they understand.
· Zero-Trust — this buzzword describes a network architecture and security framework in which no user, device, or role is trusted by default; access to applications and services is granted only to authenticated users and devices. Today, however, it is used for a tremendous number of security solutions that have nothing to do with delivering applications/services to authenticated users and devices. It’s time to stand up and say enough! If your technology isn’t related to zero-trust, stop using it to grab sales, because I will let you in on a secret: CISOs know what zero-trust is, and we can tell when you are trying to sell us something that has nothing to do with this domain. In misusing it, you damage your credibility. I have no alternative buzzword for zero-trust, just a wish for it to be used appropriately.
· AI/ML — Artificial Intelligence and Machine Learning. Everything today seems to have one of these, if not both, integrated into its technologies or operating services. Ten years ago, the use of AI or ML was a differentiator, but in today’s cybersecurity industry, it is assumed everyone is using it, including cybercriminals. This buzzword becomes annoying because we expect you to mention it; however, after a brief mention, you don’t need to repeat it over and over again. AI/ML is considered a standard technology for cybersecurity. Please use this buzzword with discretion.
· Military-Grade Encryption/Controls — I love this buzzword. Having served in the military, I can tell you firsthand that most military-grade cyber technologies are just commercial items purchased off the shelf and upgraded to work in various military environments. Along with this use of technologies, the deployed security controls are based on NIST, just like the commercial industry, and most of the installed encryption mechanisms are similar to what is used in the private sector. So there are no special military-grade items to be purchased commercially. I think what is amusing with this buzzword is that it gives an air of technical superiority like the military has these amazing secret teams developing special encryption or security controls just to be sold on the open market. Now I am not saying there aren’t special teams within the military that create new technologies because I am sure they exist, but what they develop is kept internal, and you won’t see it at a booth with some cool swag at RSA <grin>. Again, the truth is that many private and publicly traded companies develop the military’s technologies, so this buzzword isn’t accurate. An alternative to military-grade may be to use a new definition: “Developed for the military but now available for your company.” Something along those lines differentiates your technology without having to use inaccurate depictions.
· Bank-Grade Encryption/Controls — similar to the previous military buzzword, here again is another description of a technology, encryption mechanism, or security control that is common across industry and may also be adjusted for regulatory environments. I’m not too fond of this buzzword’s use because it’s inaccurate. The buzzword makes it sound like a whole class of “Bank/Financial Services” technologies is only available to that industry, when we all know that’s not the case. The technologies used here are relatively the same as in all other business sectors, except they may require different configurations, modules, assessments, policies, etc., to meet regulatory or compliance regimes. So nothing new here; don’t fall for the hype. Instead, find a vendor/partner who understands your problems and is focused on helping you select the technology your business needs for success.
· Single Pane of Glass — this buzzword annoys me because it’s blank; there is nothing there if you look at an empty pane of glass. Now I know I am being too literal, and that the original description was associated with computer monitors and how you would need to look at multiple screens to see all of the required data. Of course, I don’t think security systems today generate less data; I believe systems today generate even more data to be reviewed by CISOs and their teams. This growth in data and intelligence collection requires the security analyst/engineer to drill down into more dashboards, searching for clarity. So the concept that all operational information needed to make decisions is just on one screen/panel/dashboard — one single pane of glass — is not believable, and CISOs and their teams know it. An alternative to using this buzzword would be to use descriptors like “this dashboard is for cyber-operations,” “this executive panel is the CISO’s point of view,” and “this panel is for analysts and research.” Instead of using the “single pane of glass,” let’s use multiple ones where each is unique to a specific role or task. They can stand alone or integrate to support each other in protecting the business — that is more realistic and relates to how CISOs run their security programs.
· 100% Secure — I have ranted about this numerous times; nothing in cybersecurity is 100% secure. Use this buzzword at your peril. Every CISO I know who hears it laughs and then proceeds to delete the offending salesperson’s email. I am sure there are some great adjectives to describe how effective your technology is, so why ruin it by declaring you are perfect? Remember your audience: CISOs are paranoid, cynical, jaded, and tired, but not stupid, so be honest and don’t get caught in the 100% trap. Some alternatives to this buzzword: “Our solution provides superior service,” “Our solution offers exceptional coverage,” “Our solution gives you four times the average uptime.” The point here is to get away from absolutes; you can still point out how great your technology is without painting yourself into a corner.
· Next-Generation — every time I hear this buzzword, I think of Star Trek <grin>, not cybersecurity. I know the intent is for customers to believe this is the newest technology on the market and we need to buy it to replace an existing product. But honestly, technologies change so fast, and many are now platforms that provide the latest plug-and-play service modules. So everything is “next-generation” or close to it, which is why this buzzword induces yawns and indifference from potential customers. As a CISO, I want alternatives such as: innovative new services I will receive if I use your technology or new methodologies I may deploy to reduce my company’s risk exposure.
· Bulletproof — really? Why are we shooting security technologies? I never could figure out why this buzzword was used to describe how resistant security technologies are to malware. This buzzword is like saying it’s 100%; I find it laughable, and as a CISO, I am not interested. Please get your marketing team to be more creative; I will help you here <grin>. Some alternatives could be “hardened” or “resistant to malware/ransomware.”
· Blast Radius — really? Now we are blowing up security technologies. This buzzword is FUD speak; it is supposed to be scary and drive customers to action. Unfortunately, it’s not. I have sat in presentations where the salesperson used this buzzword alongside another, “Left/Right of Boom.” Both describe the impact or the before/after effects of an incident. This military jargon confuses customers who have no context for its meaning, and when it is used multiple times in a sales pitch, the customers just shut down and ignore the salesperson. Unless you are selling to a CISO for a military contractor or the military itself, this buzzword isn’t practical. Some alternatives could be describing how the technology reduces “business impact” or improves the prevention of “operations reduction.” I like those alternatives much better, and they make sense.
· Best of Breed — and now we are purchasing animals. Whenever I hear this used by a vendor, I want to ask them, “So what other breeds are available?” It’s like I am here to buy a new puppy or a kitten. I know this term became popular with several consulting organizations, but it’s inappropriate when discussing technology. I think another way to differentiate your solution from competitors would be to use terms such as “domain leader,” “best technology in its class,” or “leading technology used by Fortune 100 CISOs.” I believe we can do better than this buzzword, which I would like to see fade away.
· Blockchain — just like AI/ML and Zero-trust, this buzzword is used everywhere, especially when it’s time for a company to raise its next round of funding. Just throw in a couple of blockchain adjectives coupled with advanced AI/ML and end it with “facilitating zero-trust,” and you have a winner <grin>. This buzzword is so overused it’s now a meme; when I hear it being used in cybersecurity technology, my first thought is that it is too complicated for my team to manage. My second thought is that it is too complex for me to explain to my CFO or my board of directors. Companies need to use this word, especially when talking with investors or consulting organizations. However, I would suggest using it sparingly.
· Future-Proof — I equate this buzzword to using the “100% secure” descriptor: we are perfect; we know the future. It’s already a given that the field of cybersecurity is continually changing, and the threats and vulnerabilities faced by the professionals in our field escalate even faster. So how can you stand in front of a customer and say your technology is future-proof? I build my security program’s budget and strategic plan in 18-month cycles. I continually review it and incorporate updates every six months because I can’t predict the future, and I will not even try. This buzzword is another case of FUD speak to scare the CISO and security professionals into purchasing so they don’t have to worry about maintaining their cyber hygiene. “Our technology can predict the future; we know what types of attacks will get through because of our unique predictive analytics that uses blockchain” <grin> — sorry, I couldn’t help myself. Some alternatives for this buzzword: “Present focused, future aligned” or “Predictively accurate.”
· Dark Web monitoring — this final buzzword is a fun one. The dark web is sexy; it’s excellent FUD speak that can be used to scare resources right out of the budget to pay for new technology. Unfortunately, many of those who manage the CISO’s budget don’t know that this technology is focused on problems like account takeover, identity theft, financial fraud, and searching for possibly leaked corporate information. This type of monitoring is a minimal subset of the more extensive controls and issues a CISO must manage. I hate hearing this buzzword used to sell technologies/services that have nothing to do with monitoring the specific problems above. I believe it will be some time before this buzzword fades away. I have no alternatives here; instead, I warn buyers to understand the problem they are trying to solve and the options they have to manage its resolution.
There you are, a nice collection of buzzwords and some alternatives. The hope for this article was to describe those that I felt should be changed and those that should fade away. I know there are so many more being used by companies, and if you are worried about the message your brand portrays to your customers, I suggest you ask for some help. Buzzwords can be highly positive and drive interest in new technology, or they can become extraordinarily harmful and toxic to your brand. I hope this article will begin a discussion to generate some change. Please share your thoughts, and those buzzwords you hate or would like to see changed, in your feedback to this article. As a community, let’s work together, and I look forward to seeing you all at RSA/Blackhat/Cyber Week this year.