Cybersecurity Outreach. PHOTO: Cybercrime Magazine.

We Should All Be Able To Speak The Language of Cybersecurity

Let’s avoid hyper technical or sensationalistic terms, and become more inclusive

Ann Johnson

Seattle, Wash. – Aug. 24, 2019

As the cybersecurity industry has evolved, one dynamic has remained consistent: our industry-“speak”. We use a language that is very unique, difficult for new folks to understand, and oftentimes just plain sensationalistic. While any industry has its own technical terms, our language can also be a barrier to recruitment for many. This should be of concern to all of us in cybersecurity as we look to become more inclusive, rather than exclusive.

Language often reflects and supports a culture. Culture is defined by language norms and values of its people. It is easy to become conditioned to the way we speak and use terminology. As we look to how we can encourage industry growth and maturity, we should strive to evolve the way we use our industry’s nomenclature to be more open and consider how we’re defining and shaping our industry’s culture through language. The exciting thing is, the opportunity is right before us, because cybersecurity is constantly evolving.

There are many examples of words that are part of the InfoSec culture — words that do not easily translate to people without a deep industry background. My approach is to avoid hyper technical or sensationalistic terms, and to create a language baseline that is simple and inclusive. Then, I put it to the test: Is the cyber language we’re speaking something my family can understand? Are there other terms we could use to simplify unique technical terms? Can we all agree to search for new words and try them out?

Let’s consider terms like sandboxing, detonation chamber, whitelists, blacklists, and so forth. While each have specific purposes, we should ask ourselves: Are there different ways of saying the same things or defining these terms? What would the synonym be for “blacklist” and would “filtering known bad sites” or “risk lists” suffice?



We must also examine and test whether ways that are more easily understood help to make the industry appear more open and accepting to a broader, more diverse audience or talent population. This is not a matter appearing politically correct – it is a matter of being pragmatic and understanding we will not solve the talent shortage in cybersecurity if we do not make some fundamental changes to the industry. One of the simple changes we could make is to make our common industry vernacular less intimidating.

Testing the waters, I fielded this very topic about whether our industry terms are terrifying and/or confusing to those not in the industry. While many shared examples of cyber terms we should explore, there was agreement that most of our vernacular leans to weaponized or militaristic language.

As a technology professional with 30 years of experience working for companies that are not pure security focused, I have spent many hours creating glossaries and explaining InfoSec language to my colleagues. Quite often there are raised eyebrows and snickers at some of the things we consider common language — as well as questioning and commentary on how unique security people are. I have no issue with uniqueness or deep skills, but that does not mean everything the industry does needs to be unique. The days of security by obscurity are dead.

The cyber insiders club we have created for ourselves is not what makes us special. What makes us special is that we are required to adapt quickly, evolve, and grow. If we don’t, we will become extinct. Bad actors are continually changing and modernizing their tools and methods. They recognize the evolution of InfoSec as an opportunity of scale. By allowing more people to easily understand the fundamentals of security and take an active role in shaping its culture, we can and will build better defenses. Imagine how much easier your job would be if you didn’t spend the first 30 minutes of every InfoSec-related meeting developing a common understanding of language.

If we are to truly influence and shape our industry’s culture, I am asking everyone in the industry to examine how and what we communicate, how we can make cybersecurity easier to understand by the language we use. Thus we will become more open and inclusive. We can do so much if we embrace change and growth, and open our arms to those who have so much to contribute, but who may not “speak” our language.

This article originally appeared on the Microsoft Security Blog.

Microsoft Archives

Ann Johnson is Corporate Vice President, Cybersecurity Solutions Group for Microsoft. She is a member of the board of advisors for FS-ISAC (The Financial Services Information Sharing and Analysis Center), an advisory board member for EWF (Executive Women’s Forum on Information Security, Risk Management & Privacy), and an advisory board member for HYPR Corp. Ann recently joined the board of advisors for Cybersecurity Ventures.


Sponsored by Microsoft 

Microsoft provides enterprise-class security for emerging cyberthreats. Be prepared to defend your organization from new cyberthreats with help from Microsoft. Start by learning ten tips to enable Zero Trust security.

To find out more about Microsoft’s Cybersecurity Solutions, visit the Microsoft Security Site, or follow Microsoft Security on Twitter at Msft Security Twitter or Msft WDSecurity Twitter.