Navigating the language of cybersecurity is like trying to win an argument with someone you love. You must be open-minded, kind-hearted and committed. You cannot win by starting out with the assumption that you are right. You must learn what changed since you last engaged on the topic – and accept that you may be ... out of date.
I know this because years ago I started out on a fool’s errand – to write a dictionary of cybersecurity terms. It seemed like a good idea at the time. I only wanted to cover the most commonly used terms and I already had a lot of the content from my first book (Cybersecurity for Beginners). How much additional work could writing a dictionary be?
As my Dictionary reaches its fifth edition, I felt it was worth sharing the most valuable insights on what drives the continuous changes and tips for understanding what to learn – and what you may not need to bother with.
Tip 1: The Double Post-It Note Method
I love continuous learning, but I am not a fan of learning a term or acronym that someone invented for a single meeting or that is used exclusively in his, her or their organization. This is because my brain has limited space.
Years ago, I met someone who would answer the phone, tell the caller that he would “get right on it,” scribble a note on a yellow post-it and slap it on a pile. Then he would leave it there.
I asked him, “I thought you were going to get right on it?”
He said “I will… if he calls again, I move it to my second pile of notes. Those are the ones I actually put into action.”
I was quick to point out that there was no second pile of notes.
Correct – he always actioned those immediately.
He told me: “The thing I have learned is that about 90 percent of my post-it notes never make it to pile 2.”
Although I have not used that approach in most of my professional life, I confess I do use it with cybersecurity terminology. I have to run into a new term a few times before I will look to research and add it into my knowledge bank.
Tip 2: Use Your Intuition
If you use the term blacklist in any public speech about cybersecurity, you will hear the small but palpable drawing in of breath. People may understand you, but this is an age of inclusivity, and that term has been replaced. At first it was replaced by the term blocklist.
The first thing to note here is that people will still need to know what the outdated term meant for a while – because any text written pre-2018 is likely to include the legacy term.
I am a big fan of inclusivity but the second thing to note is that blocklist is also now being displaced by the term disallowlist. Why? Because there is an opposite to blocklist, which is now called an allowlist and also had a non-inclusive predecessor.
Where does intuition come into this? Simple. You just have to ask yourself if the term includes a potentially divisive or non-inclusive word such as “man.”
You may not think this is a big deal but trust me when I say that if you want to present to any international audience or write something that stands the test of time, it is an important thing to know and do.
Tip 3: Recognize Transient Terms
Unfortunately, I am not permitted to swear in ISACA articles, but let me say that I have a strong dislike for transient terms – especially those made up by research organizations. That said, they have a purpose (and usually a lifespan).
A good example of this is the term FWaaS (Firewall-as-a-Service). In the case of FWaaS:
I used to have a firewall. Then I had to learn about advanced firewalls, web gateways and then secure web gateways – but now data is everywhere, and security professionals now talk mostly about FWaaS – and why? Because for most organizations, the secure perimeter has expanded from inside an internally managed network to include a complex series of external and cloud locations. FWaaS is still a firewall, but it’s one you can place anywhere … or nearly anywhere … or at least in a lot more places than a traditional firewall. However, FWaaS also feels like a transitional term because of the “as-a-service” component. Besides, isn’t FWaaS basically a term for a software firewall that you rent?
We need to know these terms because they can be important for many years, but my experience is that most of them die off as they are superseded by a term that feels 100 percent right.
In Summary
I hope that helps you to know what cybersecurity terminology to learn and what can be parked. These are the insights I have gathered through my years of updating a dictionary of cybersecurity terms. They’ve helped me to work out which terms are:
- New and genuinely helpful, progressing the discipline of cybersecurity.
- Transitional, and likely to be replaced as the topic matures.
- Or an unhelpful acronym, made up for a meeting, organization or marketing campaign.
Meanwhile, I am hopeful that I can leave the new edition of the dictionary in its fifth iteration for at least another three years.
The Cybersecurity to English 5th Edition is now available.