CISO Lessons Learned – Acronyms & Jargon Are The Language Of Exclusion
IOC, APT, SIEM, Exfiltrate, DLP, NIDS, oh my!
Here’s a scenario you may have seen before – You’re in the organizational update meeting, everything is going well, people are engaged, and then you get the security update. The security team starts their update by talking about DLP events, IOCs and other arcane-sounding things. People start looking at their phones, and the unlucky ones without a phone start staring off into space, wishing this meeting would end.
If the goal of a meeting is to communicate, then why do so many meetings with security people or technical people devolve into a stew of incomprehensible jargon and language that no reasonable non-technical/security person would understand?
Before I get too far, let me own the fact that earlier in my career, I repeated every acronym and technical jargon I heard. I generally attribute the use of fancy language, acronyms or industry-specific terms when in the presence of others (such as business leaders) to one of a few factors:
- Posturing – If you want to show you know what you are talking about, you may resort to using the pack language to confirm you are “in.” I’ve seen this (and done it when I first started) where I would use acronyms that I thought I understood but didn’t fully. Luckily, I worked with understanding individuals who had patience with me and helped me see the errors of my ways.
- Laziness – This seems to be the most common reason to use acronyms and jargon. It’s often easier to use shorthand, which is appropriate when everyone present shares the same knowledge base. Too often, this common language between equally knowledgeable technology peers rolls over into business meetings with those who don’t have the same level of knowledge. I’ve been in meetings with brilliant individuals, such as chief-level executives. The technical people start talking, and you can almost see the disengagement happening.
- Lack of knowledge – I’ve seen this more rarely: someone uses a lot of jargon and acronyms but doesn’t truly understand what they mean. One example is a senior leader who didn’t have in-depth knowledge of a subject and misused an acronym in front of two knowledgeable individuals. When they received a gentle correction, the person went into overdrive to defend their position, reinforcing that the speaker didn’t know the core concepts.
I talked to an astute business leader who was in a meeting with a large group of people. The security team came on to give their update and started spouting jargon, and everyone on the call was thinking, “what a clown, this person can’t even speak clearly.” The leader asked me what one of the terms meant, since the speaker kept using it: they said they were concerned about data exfiltration. I told the leader that exfiltration meant someone was taking information outside the organization. When I explained it, their eyes rolled, and they laughed at how ridiculous the security person sounded using such a complicated word.
Another instance is when I heard someone say the following in a business leadership meeting: “IOCs lead us to believe…” I looked around the table, and I could see the leaders had no clue what the person was saying. The person could have easily said, “we have seen things that would seem to indicate…” If the security person had said the second version, no one in the room would have thought less of them or pigeonholed them as a tech-only person, AND they would have understood what the person said.
I see many posts about how security leaders should report to the CEO or outside of Information Technology. Until we learn to communicate effectively and in plain English, we will continue to be viewed as another technology team.
I propose that we stop the madness and communicate using plain language! The more business leaders and non-technical/security people understand what you are talking about, the more relevant you become.
I’d love to hear your thoughts, where I’m off base or counterpoints.