Within the cyber security landscape there is no shortage of “cyber security speak”; if anything, there is an excess of it. From terms such as phishing, vishing and whaling to cyphers, cookies and zero-days, the list goes on and on! In fact, the list is so long that companies such as Advanced Network Systems have put together an A-Z list of cyber security jargon (and it is forever growing). Feel free to check it out here.
Although every word has a unique reference to something relevant in cyber security, it can be extremely overwhelming to organisational leadership teams, excos and boards. As a result, key decision-makers are often left confused, resulting in a slow (or absent) adoption of business-critical cyber security decisions and investments.
According to an analysis conducted by CyberSec, more than 50% of companies analysed were reluctant to invest (or further invest) in cyber security; however, after the business case jargon was changed and a risk-based approach to cyber security was adopted, 100% of the same companies opted to make an investment.
However, the challenge doesn’t lie with cyber security lingo alone. The complicated (often creative) language used to name and describe technical vulnerabilities further fuels this problem.
Take, for example, the worldwide WannaCry attack of May 2017: WannaCry was (and still is) a ransomware crypto-worm that exploits the EternalBlue vulnerability. EternalBlue is an exploit of the Windows Server Message Block (SMB) protocol that was released by The Shadow Brokers.
Given this, one can quickly appreciate why this may be overwhelming and confusing for non-cyber security folk.
Owing to how complex and technical some of the cyber security and vulnerability jargon can be, many cyber security professionals (irrespective of seniority) try to educate their business decision-makers, excos and boards on the lingo in the hope of conveying the message (the risk) as accurately as possible. Some cyber security professionals believe that sticking to exact terminology demonstrates their comprehensive understanding, competence and expertise on the subject matter.
However, the result is often not the intended one: the jargon leads to uncertainty, indecision and further hesitation, which eventually turns into disinterest. The attempt to facilitate awareness, buy-in, adoption or investment is lost, and the cyber security professional is left frustrated and possibly demotivated.
So what now? The typical response to this type of situation is for the intended message to be over-simplified, or as some would say, put in layman’s terms. Even so, the importance or criticality is often lost and the result may very well be the same.
So what is the key to business alignment? A viable approach is to adopt a risk-based cyber security approach. This means that when it comes to making cyber security-related decisions, consider risk above all other factors.
A risk-based approach to cyber security is proactive rather than reactive. Risk-based cyber security teams are more concerned with reducing their organisation’s real, measurable exposure to cyber attacks and data breaches than with checking boxes or passing audits (though those remain worthwhile goals).
Finally, this approach is inherently realistic. The goal of a risk-based cyber security programme is meaningful risk reduction, not 100% security. That’s important, because this allows decision-makers, excos and boards to make pragmatic decisions about budget and resource allocation.
This article was published to the CyberSec Virtual Press Office at ITWeb