topic Re: The language of InfoSec in Career Discussions

The language of InfoSec

rslade — Tue, 09 Apr 2019 18:49:31 GMT

Ann Johnson, Corporate Vice President (Cybersecurity Solutions Group) over at Microsoft, is concerned that we are using too much jargon in information/cyber security work. People don't understand what we're talking about.

(Of course, "Cybersecurity Solutions Group" sounds like "marketing," so it's quite possible that Ann Johnson doesn't actually know what actual security people are talking about ...)

I do sympathize, in general. There are people in security, as in any field, who actually create jargon in order to hide the fact that a) they don't actually know what they are talking about, or b) they are only talking about the same stuff you are, but they want it to sound like they know a secret you don't. (See pretty much any episode of "Yes, Prime Minister." YouTube is your friend.)

However, as the psycholinguistics people note, if you don't have a word for it, you can't really think about it. We have lots of concepts that we have to know about, and which are important to the protect of the systems under our care. We have to have our infosec language.

And that is, after all, why I wrote the dictionary ...

Re: The language of InfoSec

rslade — Tue, 09 Apr 2019 19:28:49 GMT

So I'm talking about words and dictionaries and check that mine is still on Amazon, and note that someone, slanging mine, says that all you need is Google, "just enter DEFINE:word to be defined, and wallah," and realize that when she says "wallah" she actually is trying to use "voila,"and I find it hysterical that in trashing a glossary she doesn't know what word she is trying to use ...

Re: The language of InfoSec

canLG0501 — Tue, 09 Apr 2019 19:29:03 GMT

Interestingly enough, one of the keynote speakers at RSA highlighted the fact that we have 21st century issues, but we use 20 century terms to describe them and 19th century solutions.

Re: The language of InfoSec

CraginS — Wed, 10 Apr 2019 12:46:36 GMT

@rslade wrote:
...

However, as the psycholinguistics people note, if you don't have a word for it, you can't really think about it. We have lots of concepts that we have to know about, and which are important to the protect of the systems under our care. We have to have our infosec language.

And that is, after all, why I wrote the dictionary ...

Grandpa Rob,

As a colleague and mutual digital friend repeatedly reminded us in another (now extinct) forum we used to share, defining terms (words and phrases) must always take into account the context of usage. If only your dictionary were both definitive and authoritative. We in the security (computer security, network security, information security, information assurance, cyber security, cybersecurity) field are faced with a complexity of usage that usually needs both aspects. Definitive meaning must provide the precise, detailed meaning with connotations for the specific situation (context). The authoritative aspect refers to any legally or administratively specified rule that must be followed in that specific situation. (For example, a definitive Canadian law on corporate security responsibilities may be authoritative in Toronto, Canada, but not in Helsingborg, Sweden.)

My favorite example from a real-life experience in my own security (computer security, network security, information security, information assurance, cyber security, cybersecurity) career was with the word protocol. For the general public a protocol is a procedural guideline that tells what to do in a situation, but may not go into the fine details of exactly how to do the what. Physicians and nurses, for instance, have protocols on how to handle specific diagnoses, injuries, or illnesses. In the world of international diplomacy protocol refers to the formal procedures for credentialed diplomats (ambassadors, consuls, etc.) dealing with each other on official business.

In the technical side of our field, protocol brings very specific (well, sort of) meaning to the table in computer network management. However, I once watched two government officials engage in a loud table-pounding, yelling argument over network firewall management in which they were both arguing for the SAME THING!. They thought they were disagreeing because each was using the word protocol with a different contextual meaning, without either of them defining the word. One of them, a network engineer, was thinking of protocol as specifically the Assigned Internet Protocol Numbers as declared in the PROTOCOL field of an IPV4 packet header. The other, a network management specialist, was assuming the broader use of the same word in context of data services in TCP (IP Protocol 6) and UDP (IP Protocol 17) packets, many if which have the word protocol in their names, eg. FTP, HTTP, SMTP, etc.

This raucous display of unprofessional engagement I witnessed was an example of a quite literal case of the two being in violent agreement.

Re: The language of InfoSec

CraginS — Wed, 10 Apr 2019 12:57:32 GMT

@rslade wrote:
," and realize that when she says "wallah" she actually is trying to use "voila,"and I find it hysterical that in trashing a glossary she doesn't know what word she is trying to use ...

"Deck us all with Boston Charlie,
Walla Walla, Wash., an’ Kalamazoo!
Nora’s freezin’ on the trolley,
Swaller dollar cauliflower alley-garoo!"

Full search for references