My Editorial: Q3 issue: Lost For Words

When my deputy Drew ‘shotgunned’ the Snowden story for his editorial, I thought we could perhaps both tackle the captivating case, in a similar showdown to that of the Point Counterpoint opinion pieces. Having shared our thoughts on the controversy, however, we realized our opinions are almost entirely aligned. So I gave our resident US citizen the honor, knowing he would articulate our opinion perfectly. He didn’t disappoint, so be sure to read his editorial blog.

Instead, I shall use my editorial to convey my discontent at the number of clichés, analogies and similes cluttering the infosec industry.

Seven years reporting on this industry has left me amused, and sometimes strangely comforted, by the over-use of clichés by the industry’s professionals. More recently, however, the exposure has frustrated me and left me asking why, in an industry dominated by intelligent people, we can’t be more innovative and creative with our communications.

While I apportion the largest chunk of blame to the vendor community, I’m certainly not denying the end-user community, analysts and PR folk a piece of the cliché pie.

The idea for this editorial came to me as I sat at a roundtable event recently. Participants included mostly CISOs and CIOs, with a couple of vendor representatives also in attendance. Clichés were ferociously batted around the table as if it were a competition. Each over-used analogy was worn like a badge of honor, reminding their peers that they are a soldier in the infosec battle.

I racked my brain to try and recall the last time I’d been privy to something brand new: an idea, concept, product or opinion relating to information security that was truly unique. I’m still thinking about it. Kevin Townsend’s article on the evolution of attack techniques (available online soon) also highlights a distinct lack of anything dramatically revolutionary from either the attack or defense communities. This is in stark contrast to the evolution and innovation very much present in information security’s extended family – technology and IT.

With that in mind, let me share what I consider to be the most over-used clichés and analogies in information security:

  • Comparing information security to cars and seatbelts.
    I don’t even need to expand on this one. I’m sure you’ve all heard it before.
  • Security is an enabler.
    When a CISO recently announced his ‘brand new idea’ to sell security to the Board “as an enabler, not as an insurance policy”, I couldn’t help but stifle a giggle. Yes, it’s logical and yes it makes sense, but it’s not revolutionary.
  • Closing the stable door after the horse has bolted.
    This is often pulled out of the bag to describe organizations that implement security after suffering a data breach, often prefaced with “too little too late”. Yes, maybe, but what’s the alternative? Continuing to leave the stable door open? Let’s be sensible.
  • Security vs. Privacy dichotomy.
    This might have been a novel debate in 2001, but it has become a little stale. Bruce Schneier, I blame you!
  • It’s a cat-and-mouse game.
    Well, obviously. May I also introduce you to the relative of the ‘cat-and-mouse game’, ‘black hats are always one step ahead’?
  • Humans are the biggest threat.
    Simply inspired.
  • Hackers used to be script-kiddies, now they’re cybercriminals looking to make a profit.
    If I had a pound for every time I heard or read this one.
  • It’s all about protecting the crown jewels.
    What? Protect what’s important? How original!

These are just a selection. I could fill half of this magazine with the clichés I hear on a regular basis. My plea to the industry is this: I know that familiar analogies are relatable and comforting, but you can do better. Give us journalists something new to write about.

My pledge to you, our loyal readers, is this: I will endeavor to reduce the amount of clichés that we give page space – both in the magazine and on This is a creative, inspirational and forward-thinking industry, so let’s articulate that through the language we use and the stories we tell.

This summer, I will be attending Black Hat, Hacker Halted and the (ISC)2 Congress in Chicago to report live from these events. If you see me, make sure you say hello.
