Terms that Information Security Professionals Need to Purge from their Vocabularies
I’ll be the first to admit that I lean towards being a contrarian. That aside, I need to get something off of my chest—some of the terms that we information security professionals use are truly pathetic to the point that hearing them yet another time will invariably make me sick. Here are a few of them:
- Cloud computing. This abominable term represents nothing new at all. For many years scientists have had “grid computing” in which they have obtained network access and then connected to services and databases available elsewhere, the location of which is unknown to them. Not all that long ago Google coined the term “cloud computing” to describe exactly the same functionality. Come on, Google, give credit where credit is due. Worse yet, however, “cloud computing” has become a kind of “catch all” term to describe what in effect occurs when users use the Internet. Anyone who knows anything about Internet security knows that you can implement risk control measures only to the degree that you have control over them. Naturally, you cannot control what happens in “The Cloud,” oops, I mean “The Grid.” Hilariously, cloud computing has become a major term in recent and upcoming information security conferences. I propose that a reverse indicator of the goodness of an information security conference is the absence of presentations and panel sessions with the word “cloud computing” in their titles. If you believe this, you will certainly not want to attend the RSA Conference this year!
- Provisioning. OK, users need authentication and other credentials, and if their requests are legitimate, they receive them. Additionally, their credentials need to be updated. Granted, something or someone gives these credentials to them, but calling the process “provisioning” is simply taking things too far. Technically, provisioning means the process or act of providing, and in the computing world many things are provided to users, processes, computers, and the like. Provisioning is thus a pseudo-meaningful term that mostly consists of security product vendor marketing hype. It is in reality nothing more than additional fluff in a lexicon that already contains much too much of it.
- Best of breed or best practices. I’ve already complained about these clichés in a previous blog entry, so I will make this short. Not only are these terms unabashedly arrogant, but they also speciously imply that a certain condition or status that by definition can be and/or has been obtained only by a select few is a condition or status that everyday entities such as information security practices within an organization should or must obtain.
- World class. Somehow, information security professionals love to use this hyperbole in describing what they have achieved and/or what they intend to achieve in their security practices and organizations. Unfortunately, this term in effect is little more than a metric that is devoid of any possible measurement method. Using it constitutes hand waving to the nth degree, something that is likely to eventually cause tennis elbow.
I could keep going, but I think you see my point by now. Information security is a superb and fascinating field that is filled with outstanding professionals. Unfortunately, despite their excellence, too many of them have fallen into the trap of using words that mean little or are misleading. It is time for all of us to clean up our professional vocabularies!