Cyber security buzzwords and buzz phrases are a dime a dozen. Used to simplify complex terminology or boost sales and marketing campaigns, buzzwords are an inescapable reality for an innovative and fast-paced industry like information security.
However, such terms are not always helpful and can be inaccurate, outdated, misleading, or even risk causing harm. For example, a buzzword that exploits fear, uncertainty and doubt to maximise a profit-led agenda can be damaging, while a legitimate, once-useful term may become outdated, with continued use and reliance upon it hampering more evolved understandings of the root issue.
Here are the 11 cyber security buzzwords and phrases that should be laid to rest in 2021.
- Ransomware
- Zero trust
- Whitelist and blacklist
- AI-powered security
- Cyber 9/11
- Digital transformation
- SIEM
- People are the weakest link
- Cyber security awareness
- Cyber kill chain
- Hacker
1. Ransomware
Despite being one of the most used terms in discussions around common cyber attacks, ransomware is technically an inappropriate definition no longer fit for purpose, says Charl van der Walt, head of security research at Orange Cyberdefense. “It’s hard to escape mentions of ransomware in the current news agenda, but while it suffices to describe the overarching subject, it falls short of wholly capturing what is in fact a complex and evolving issue.”
Ransomware’s real meaning is getting lost in translation, and it is now being used to define a far wider set of cyber attacks than its real definition -- malware that holds the data of a computer to ransom -- encompasses, van der Walt says.
“This creates confusion between malware that does encryption, general malware that’s used by ransomware actors, and the ransomware actors themselves. At the centre of ransomware is the act of extortion and cyber criminals see companies as easy targets for extortion -- you only have to look at data suggesting how many companies now pay ransom demands as proof.”
As this threat evolves, van der Walt proposes a new term: cyber extortion (or Cy-X). He says this better encapsulates the history, current form, and potential future of this crime wave, as well as making the distinction between extortion as the crime and ransomware as the tool used to commit it.
2. Zero trust
Zero trust describes a “trust nothing by default” approach to securing users and devices. It has become one of the biggest marketing buzz terms of the last few years, exacerbated by the mass shift to remote working and subsequent need for more effective methods of security for remote network access. However, for Quentyn Taylor, director of information security at Canon Europe, the term zero trust is too amorphous.
“It’s impossible to know if you’ve actually reached it, and indeed I don’t believe anyone has or could do. What annoys me an awful lot about the concept is that a lot of people talk about it as if it’s new, when in reality we’ve been talking about deperimeterisation for years. Zero trust is just a new marketing term for what we’ve been attempting to do for a long time.”
Paul Baird, CTSO UK at Qualys, agrees, adding that zero trust is fine as a concept, but as a buzzword, it is overused and under-delivered. “It is constantly used out of context, which has just created confusion within those that are responsible for implementing it. Zero trust is an ideology covering people, process, and technology. It is not a product that you can just buy off the shelf.”
3. Whitelist and blacklist
The terms whitelist and blacklist date back to some of the earliest days of cyber security. Associating “white” with good, safe, or permitted, and “black” with bad, dangerous, or forbidden, the phrases are still commonly applied to allow or deny use or access relating to various elements including passwords, applications, and controls.
Cyber security consultant Harman Singh thinks the terms need urgently replacing because of harmful racial overtones associated with them, suggesting allow lists and deny lists serve the same purpose without potentially damaging connotations linked to ethnicity and race.
“This is such a small yet significant change,” he tells CSO. “The NCSC made this conscious change last year to avoid racial tone. Still only a handful of companies in the industry have thought about doing this. Why don’t we all follow this example to stamp out such terms?”
In a blog post, Emma W, head of advice and guidance at the NCSC, wrote: “You may not see why this matters. If you’re not adversely affected by racial stereotyping yourself, then please count yourself lucky. For some of your colleagues (and potential future colleagues), this really is a change worth making.”
One of the few companies that has taken this step is Microsoft, addressing non-inclusive language as a barrier to maintaining and developing diversity within cyber security.
“A recent report published by UK Finance, EY and Microsoft found that making changes to non-inclusive language in cyber security and the broader workplace can go a long way in supporting diversity,” says Microsoft chief security advisor Sarah Armstrong-Smith. Microsoft therefore no longer accepts or refers to whitelists/blacklists on technical forums, opting for allow and block lists instead.
4. AI-powered security
Furor surrounding the potential of artificial intelligence (AI) and machine learning technology to transform cyber security has been at fever pitch for the best part of a decade. While you’d be hard-pressed to find a security leader who does not recognise and acknowledge the growing importance of automation in modern information security, the plethora of security vendor sales pitches waxing lyrical about the latest AI- or machine learning-powered solution is wearing a little thin.
“Nowadays, regardless of the solution, most security vendors are quick to mention that their product is smart and integrates AI and machine learning to power decision-making processes. They seem to believe that’s what we want to hear, when it really sounds like they’re filling a bingo sheet without understanding how their solution actually works,” says Guillaume Ehny, CISO at gohenry.
“Unfortunately, the statement never goes beyond that one sentence. When asked for more information about their model, the answer is almost always that ‘it’s a black box in the engine, it works on its own, and we don’t even need to worry about it.’ I understand that an AI/machine learning-assisted product can be an advantage and deserves to be mentioned, but the way it’s communicated is rarely doing any favours.”
5. Cyber 9/11
The term cyber 9/11 was first coined in the wake of the coordinated terrorist attacks against the United States by militant Islamist group al-Qaeda on September 11, 2001. The phrase refers to the hypothetical threat of terror-related cyber attacks that have the potential to cause significant and widespread implications including fear, violence, injury and death.
Predictions of such incidents have yet to materialise, barring a small handful of cases, and for Taylor, cyber 9/11 and other similar cyber security references to major news events should not be used. “It dishonours the people who were affected by these incidents in real life. In addition to this, these kinds of terms are often bandied around as pure hyperbole.
“Thankfully, we have not yet seen a cyber security incident that had the same level of impact as either this [9/11] or any other event that certain commentators like to attach to. The sooner we can move away from attempting to link cyber incidents to real world incidents that have resulted in significant loss of life the better, and the more seriously our industry will be taken as a result.”
6. Digital transformation
While digital transformation is very much a buzz phrase of the modern cloud-driven era, Matt Rider, vice president of security engineering at Exabeam, thinks any reference to digital transformation is merely describing what organisations have been doing for the last 50 years.
“The fact is, transformation is nothing new. Everything is always evolving, continuously transforming. This term isn’t a sudden epiphany that’s taken the industry by storm.”
Flash back to the early 1900s and the industrial revolution, where Henry Ford modernised assembly line production. His knowledge of emerging technology and transformational leadership inspired a new way of working, Rider adds.
“This was a technological step-change that had a monumental influence and changed the world of work as they knew it at the time. The organisations I have seen be successful have the right culture, not the right tools. If you’re not ‘digitally transformed’ by now, you’re out of the game. I vote we all hop off the digital transformation bandwagon.”
7. SIEM
Security information and event management (SIEM) defines software products and services that combine security information management (SIM) and security event management (SEM). As an acronym and a product offering, SIEM is peddled by seemingly countless cyber security vendors.
However, Forrester security and risk analyst Allie Mellen says it has a long legacy in compliance and doesn’t necessarily represent where SIEMs are today.
“SIEMs are now focused on threat detection and response, incorporating security user behaviour analytics (SUBA) and security orchestration, automation, and response (SOAR) to address each step of the incident response lifecycle. At Forrester, we call them security analytics platforms to better represent what they do: perform security analytics on data and serve as a platform with connections to third-party offerings for response.”
8. People are the weakest link
Referring to people as the weakest link in a security chain, a concept trotted out at pretty much every security conference around the globe, needs to stop, says Nigel Phair, chair of CREST Australia and director, Cyber Security Institute at the University of New South Wales.
“People are the greatest strength to information security and protecting corporate networks and the data which resides on them. Naming and shaming people has not worked and never will. Since there is no technical silver bullet to solving online crime, we need to bring employees along on the journey, explaining to them why certain controls are in place and their role in protecting an enterprise.”
9. Cyber security awareness
Improving cyber security awareness across an organisation is a high-priority goal for many CISOs. But the term is being misused, says Ravi Srinivasan, CEO of Votiro. “The term cyber security awareness has created a narrative that users are to blame for security incidents and encourages organisations to build out security strategies rooted in their education and training to detect (and ultimately prevent) cyberthreats,” he tells CSO.
However, today’s attacks are sophisticated and constantly evolving, and even the most security conscious businesses find it difficult to stay ahead of them. Instead, security and IT leaders need to adjust their enterprise security strategies to focus on the business they operate globally.
“In lieu of cyber security awareness, I would suggest promoting ‘cyber security vigilance’ and encourage organisations to enhance collaboration amongst employees and their employers, business and IT leaders, private and public sector entities to work collectively towards thwarting cyberthreats.”
10. Cyber kill chain
As the digital realm becomes ever more entwined with the physical, there has been a growing trend for military-style lexicon in relation to cyber, and none more so than the cyber kill chain. This phrase describes the various stages of a cyber attack and is often linked to advanced persistent threats (APTs).
“I’m not sure this is totally appropriate and could lead us into heavier language used to try and make dull topics more interesting,” says Leanne Salisbury, senior manager for threat intelligence at EY. “Plus, I think there is potentially something wrong with this for veterans (especially those who have actually seen live conflict and have actual war stories) when they are asked to share their experiences about a project in a corporate setting with civilians.”
11. Hacker
Acronis cyber security analyst Topher Tebow says serious thought needs to be put into how the term hacker is used in today’s landscape, and while it does not necessarily need to be eradicated entirely, incorrect usage of it does. “A hacker is simply someone who can find a way around normal applications of a given item, process, or piece of software to achieve a desired result.”
The problem with this word is that it is often used to describe a cyber criminal, when there are thousands of hackers who hack for the greater good, Tebow adds. “Instead, we need to consider the implications of what we are saying, and use terms like attackers, cyber criminals, and malicious actors instead of calling a bad actor a hacker.”
In defence of cyber security buzzwords
While experts agree that many cyber security buzzwords and buzz phrases should be laid to rest or replaced, Ed Tucker, senior cyber security director at Byte and former European CISO of the year, argues that a lot of the problems stem from the way buzzwords are used, rather than the terms themselves.
“One of the biggest problems we have is not the buzzwords -- they’re just a part of being in a commercialised industry -- but lazy usage and the lack of contextual understanding and practical application of buzzwords. This perpetuates the theme that buzzwords are just that.”
He concludes that the industry needs to do a better job of seeing beyond the buzzwords that are so often used and delve deeper into the concepts and where, when, and how they become applicable.