“Jargon” follow-up: InfoSec and the MBA

Nomenclature is simply a way to name things that are used in communication. Every profession has its own taxonomy that allows it to understand and identify “things” specific to its area of expertise. This has a downside: those outside of “the club” have difficulty understanding the terms and principles that come naturally to the “initiated”.

For information security professionals working in business environments, the ability to translate InfoSec into terms understandable to other business professionals is essential to success. Lacking this skill often leads to a misunderstanding of risk, and ultimately to unnecessary exposure.

To overcome this, I have found it useful to set foot into the world of accounting, finance, economics, organizational behavior, marketing, and logistics by earning my MBA.  While certainly not an expert in any of the fields mentioned, I have been initiated into their ranks through education.  This at least provides an opportunity to build a bridge between security and business functions because I am able to communicate, at least partially, using their “language” rather than forcing them to learn mine.

So, “jargon” can be useful. It certainly allows more efficient communication between peers. Even more important, learning other “professional languages” creates an opportunity to translate your terms and principles into something understandable to others. I’m convinced that this skill provides value by creating more “aha” information security moments across multiple business disciplines.

I’d be remiss if I did not provide a plug for my alma mater.  The University of Nevada part-time MBA program was nationally ranked #21 by Business Week, and #5 in the West.  Go Pack!

InfoSec targeted for use of “jargon” – Blah!

Why is it that terms used in the information security profession are referred to as “gobbledegook” while in other professions they are known as nomenclature? Every profession has its own jargon, so for “experts” to label this as something unique to information security is rather unfair.

“One problem is that computer “geeks” use jargon to cloak their work in scholarly mystique, resulting in a lack of clarity in everything from instruction manuals and systems design to professional training, the experts said.”

- Maclean, William, “Computer jargon baffles users, hinders security”, msnbc – Technology & Science, February 19, 2010.

This isn’t some malicious attempt to create a mystical club with secret words and handshakes.  Industry specific terminology helps those professionals within that industry communicate clearly with each other.  Isn’t this also true in finance, medicine, law, software design, architecture, etc?

Former U.S. Homeland Security Secretary Michael Chertoff had this to say:

Doctors and lawyers used to enjoy “a sense of mystified special knowledge,” Chertoff said. “But … once you empower people to understand what’s going on, doctors do a better job. So with cybersecurity the task is to make the architecture more user-friendly — and to teach people better.”

I don’t know about you, but when a physician rattles off medical terminology I’m certainly not feeling empowered. I do, however, trust that I’m being treated by someone trained in that particular field who understands the complexities and can communicate with peers (referrals) who also understand the “jargon”. Isn’t this what they are paid for? It’s no surprise that such a comment came from Chertoff, who recently ran point for the miserably ineffective Cyber Shockwave simulation (aka propaganda) show.

Having “experts” come out and say things like “plain language is vital” is nothing new. In any awareness or education campaign, the content of the message must be audience appropriate. If you’re dealing with individuals with little experience in technology, then the awareness campaign has to incorporate examples and terms that are familiar to them in order to be effective. That’s a no-brainer.

Perhaps next time these “experts” get together, someone should suggest they don’t need to tell us the completely obvious, the merely obvious will do.

Cyber Shockwave – A Bust

CNN recently broadcast a cyber-attack simulation meant to demonstrate the potential cascading effects of a widespread attack on our nation’s infrastructure. The exercise included former federal officials who played key positions in the executive branch to show how the government would respond to the escalating incident. They even had a flashy headline:

“Cyber Shockwave”

As much as I hoped that this would be a worthwhile simulation with good discussion, this really came across as propaganda wrapped in FUD. It seemed like a sales pitch for more government control, especially with the catchphrase “We Warned You” included in the program. We all should be concerned when government officials talk about “nationalizing Telco and Power”, “quarantine cell phones”, and “giving the option of unilateral disconnect”.

There is no doubt the threatscape is changing with the way we use technology. Mobile devices certainly will see their share of malware. Both the public and private sectors have lapses in their information security practices. As we’ve seen with the latest attacks from China, there is a rise in targeted attacks. That said, I have my doubts about a mobile botnet that wipes out cell phone communications, creates widespread power outages, and takes down Wall Street.

Cyber security is not a unilateral issue with government alone stepping in to save the day. The private sector is particularly good at finding solutions to problems, and it too has a dog in this fight. Let’s bring the right players to the table to find a solution other than martial law.

Bottom line:  Simulations are useful if they are appropriately scoped and are meaningful.  We could learn a lot from a good simulation that includes government and private sector participation.  In this case, CNN used the script from “Live Free or Die Hard” and wasted a lot of time and money.