What we have here is a failure to communicate.
I think I'm going to start all my hot takes with that quote from Cool Hand Luke from now on, because the inability of most security folk to communicate with non-security folk is tearing apart our political and social and economic fabric. The people who govern our lives and who will shape the future of our world do not understand information security. Unless we break out of our cozy in-clique exclusionary slang, that can only end badly--for all of us.
It doesn't matter how great the research is, or the pentest, or the report, or your new security policy if no one reads it or understands it. When politicians make bad laws because they don't understand cryptography, society suffers. When random retirees start pouring their nest eggs into ICOs (because "crypto"), society suffers. When rank-and-file employees ignore security policies because they don't understand them or find them too restrictive, business suffers.
Security without communication is worthless. You can scream yourself blue in the face, but if no one groks what you're saying, then you're wasting your time.
Information security is an unintuitive discipline, in many ways backwards from how we think about security and power and threats in meatspace. Worse, the security community has developed its own slang over the years that deliberately excludes outsiders. All fields do this, of course, and if infosec were metalworking or plumbing or air traffic control, that would be fine and dandy. Ordinary people don't have a pressing need to understand the inner workings of those fields.
The human race has moved online, and information security affects everyone now. It used to be we lived in the "real world" and "went online." Now we live online and visit the "real world." Soon even that will fade, until the only "real world" left will be quaint amusement parks that offer the unplugged experience, the same way pioneer villages today let you sample candle-making or blacksmithing in a Fun Obsolete Technology That Makes You Feel Superior kind of way.
Which brings us to the inspiration for today's hottest of takes, the Cyber Security Style Guide, a solid attempt to bridge the communications gap, and establish a shared vocabulary we can build on. Created by technical editor Brianne Hughes, of security consultancy Bishop Fox, the style guide is the real deal, and you should read it and use it and maybe mail a copy to the Associated Press (AP) while you're at it. While it's no magic potion, it is a good first step in a journey of a thousand miles.
First thing I did when I downloaded a copy was search for "dark net." This was my litmus test: a bullshit definition and I would walk. But the style guide gets it bang on:
dark net or Dark Net
This nebulous term, along with "dark web," and "deep web," are written and used inconsistently to refer to online black markets. Better to call it the black market or specify the site or service in formal writing.
Related: Tor, I2P
For those of us who understand just how important Tor is (*cough* less I2P *cough*) to journalists, it's great to see standardized documentation that demands precision. Words matter, and if mainstream reporters knocked off the magic wand words we'd all be better off as a society.
"In general, I'm an advocate for plain language and making sure people are getting the point," Hughes says. "The danger of technical writing is that you get so lost in the jargon that you lose the point."
Hughes has a master's degree in linguistics, and says that, until recently, infosec jargon has developed haphazardly. It's time now, she argues, for us to start thinking about security language in a more purposeful way.
"There's a real gap between the people who find zero days and the people who are affected by them," she says. "The guide is more aimed at the people who are writing about the technical things, it's for security researchers, but also for tech journalists who take that message to the general public. With the style guide I'm really trying to sort of close that gap."
Can I high-five you through the internet, Brianne? Consider yourself high-fived. Send high-fives in her general direction, everyone.
Information security is the central political question of our times, and most people don't understand this bizarre and unintuitive landscape. That's got to change, and that's only going to change if we break down barriers in communication between security haves and security have-nots.
That probably means climbing down from the linguistic hill you're prepared to die on. Talking LOUDER AND MORE SLOWLY in what might as well be a foreign language is NOT AN EFFECTIVE COMMUNICATION TECHNIQUE. IF I START WRITING IN CAPITALS NOW, DO YOU UNDERSTAND ME BETTER? HUH? HUH??? IDIOT.
Use their words, not yours
Effective communication is about using language already present in another person's mind. It's about living off the land. The style guide's definition of the much loathed "cyber-" prefix makes this point clear:
Industry professionals don't use this prefix, but it's helpful when informing the public, as in the title of this document. For many users, "cyber" on its own invokes cybersex, not hacking. https://willusingtheprefixcyber
If you insist on dying on the cyber hill, then you do everyone a disservice. The point is not the words, amigo, the point is The Thing Itself, and whatever linguistic tokens help communicate The Thing Itself to your audience are the right words to use.
For too long, the security field has cultivated and valued technical prowess above all else. But we do not exist in a vacuum. Security work has massive consequences for the rest of society, and we have a responsibility to communicate those consequences to our fellow humans.
"The way that you write, it's not an afterthought. All security researchers are also writers," she says. "Enjoy that title instead of grumbling that you could be getting a shell somewhere."
Amen to that.