New Cyber Security Style Guide aims to bridge communication gap
5 March 2018
“What we have here is a failure to communicate.”
It would be good to start all missives with a quote from “Cool Hand Luke”, as it so aptly highlights the inability of most security folk to communicate with non-security folk, a failure that is tearing apart our political, social and economic fabric. The people who govern our lives and who will shape the future of our world do not understand information security. Unless we, as information security professionals, break out of our cosy, exclusionary in-group slang, it can only end badly, for all of us.
It does not matter how great the research is, or the pen-test, or the report, or your new security policy if no one reads it or understands it. When politicians make bad laws because they do not understand cryptography, society suffers. When random retirees start pouring their nest eggs into ICOs (because “crypto”), society suffers. When rank-and-file employees ignore security policies because they do not understand them or find them too restrictive, business suffers.
Security without communication is worthless. You can scream yourself blue in the face, but if no one grasps what you are saying, then you are wasting your time.
Information security is an unintuitive discipline, in many ways backwards from how we think about security, power and threats in meatspace. Worse, the security community has developed its own slang over the years that deliberately excludes outsiders. All fields do this, of course, and if infosec were metalworking or plumbing or air traffic control, that would be fine and dandy. Ordinary people have no pressing need to understand the inner workings of those fields.
Real world and online
The human race has moved online, and information security affects everyone now. It used to be we lived in the “real world” and “went online.” Now we live online and visit the “real world.” Soon even that will fade, until the only “real world” left will be quaint amusement parks that offer the unplugged experience, the same way folk parks today let you sample candle-making or blacksmithing in a “fun obsolete technology that makes you feel superior” kind of way.
Which brings us to the inspiration for today’s diatribe, the “Cyber Security Style Guide” — a solid attempt to bridge the communications gap, and establish a shared vocabulary we can build on. Created by technical editor Brianne Hughes, of security consultancy Bishop Fox, the style guide is the real deal, and you should read it and use it and maybe mail a copy to the Associated Press while you are at it. While it is no magic potion, it is a good first step in a journey of a thousand miles.
The first term looked up after downloading it was “dark net.” This was the litmus test: a bad definition would not bode well. But the style guide gets it spot on:
dark net or Dark Net
This nebulous term, along with “dark web” and “deep web,” is written and used inconsistently to refer to online black markets. Better to call it the black market or specify the site or service in formal writing.
Related: Tor, I2P
For those of us who understand just how important Tor (and, to a lesser extent, I2P) is to journalists, it is great to see standardised documentation that demands precision. Words matter, and if mainstream reporters knocked off the magic-wand words, we would all be better off as a society.
“In general, I’m an advocate for plain language and making sure people are getting the point,” Hughes says. “The danger of technical writing is that you get so lost in the jargon that you lose the point.”
Hughes has a master’s degree in linguistics, and says that, until recently, infosec jargon has developed haphazardly. It is time now, she argues, for us to start thinking about security language in a more purposeful way.
“There’s a real gap between the people who find zero days and the people who are affected by them,” she says. “The guide is more aimed at the people who are writing about the technical things, it’s for security researchers, but also for tech journalists who take that message to the general public. With the style guide, I’m really trying to sort of close that gap.”
This is to be applauded, and encouraged.
Information security is the central political question of our times, and most people do not understand this bizarre and unintuitive landscape. That has got to change, and it is only going to do so if we break down barriers in communication between security haves and security have-nots.
That probably means climbing down from the linguistic hill on which some seemed prepared to perish. Speaking louder and slower in what might as well be a foreign language is not an effective communication technique, despite its comic effectiveness.
Use their words, not yours
Effective communication is about using language already within the grasp of another person. It is about living off the land. The style guide’s definition of the much loathed “cyber-” prefix makes this point clear:
Industry professionals don’t use this prefix, but it’s helpful when informing the public, as in the title of this document. For many users, “cyber” on its own invokes cybersex, not hacking. https://willusingtheprefixcyber
If one insists on dying on the cyber-hill, it does everyone a disservice. The point is not the words; the point is The Thing Itself, and whatever linguistic tokens help communicate The Thing Itself to your audience are the right words to use.
For too long, the security field has cultivated and valued technical prowess above all else. But we do not exist in a vacuum. Security work has massive consequences for the rest of society, and we have a responsibility to communicate those consequences to our fellow humans.
“The way that you write, it’s not an afterthought. All security researchers are also writers,” Hughes says. “Enjoy that title instead of grumbling that you could be getting a shell somewhere.”
IDG News Service