A few months ago, I was talking about penetration testing with an industry colleague at a conference, when he said something that made me realize how fast the jargon in our industry changes.
“So you do penetration testing. But we have a Red Team.”
It got me thinking about how we all talk to clients, and how we can build trust with the C-suite. Red Teaming grew out of penetration testing, and quite often the two terms are used to mean the same thing, even though they aren't. Most of our clients don't really know that, and that can be a problem.
The industry has a jargon problem. Cybersecurity is complex, but it is very necessary. If we can't ensure the general public understands us, it's unlikely these folks and the organizations they work for will take our advice.
A few years ago, a group of automated intrusion tools marketed as comprehensive penetration testing solutions became available. All of a sudden, IT directors looking for penetration testing would get one bid for a service that costs $10,000 and another for $50,000. The difference? A cursory glance wouldn't distinguish the two, and the typical IT director couldn't tell them apart either. What it came down to was basic cybersecurity principles: automated intrusion tools would neither evolve to mimic cutting-edge threats nor hold up against a hacker with a diverse toolkit. But IT managers weren't privy to the differences. Jargon and imprecisely defined techniques made the two indistinguishable to even the most trained eyes.
To differentiate themselves, security companies offering customized, in-depth cyber intrusion testing began marketing their services as Red Teaming, cleaving themselves from physical security. And then, penetration testing became synonymous with less expensive, automated tools.
But penetration testing isn't the only piece of jargon that has changed. We've seen incident responders relegated to reactive roles reading logs, while “threat hunting” now refers to the proactive detection function. With the rise of new technology and evolving attack vectors, many companies need virus protection and endpoint detection and response. However, what many IT directors miss is that there might be significant overlap between the two.
Steeped every day in the language and tools of our trade, it's easy for us to understand the distinctions, but our colleagues outside of the space often miss the nuances of what technology combats which threats and when a new tool is just a rebrand. This has been going on since the early days of computing, and it isn't limited to the security space.
These subtle differences in our language confuse clients, and the confusion is compounded by the level of abstraction in the services we provide. We plug vulnerabilities our clients didn't know they had, and we protect them from attacks that they might never know even happened. But if members of our own community are juggling the jargon our industry has invented, how can we expect end-users to know exactly what they are buying?
Your average CIO isn't always an expert in this field, and they tend to be more concerned with making sure the IT department helps the company grow. CIOs usually need to turn to a cybersecurity partner, and they don't know who to trust. We've all heard a skeptical executive say, “You're just making things up to sell more.”
What does this all add up to?
I have pretty simple advice. If you are a cybersecurity professional, speak plainly. Do everything you can to be transparent. Lay out options, not hard recommendations. In an industry often billed as selling snake oil, build trust.
If you are a CIO, keep the big picture in mind. How will you measure how secure you are? How will you establish a baseline? And how will you measure improvement? When it comes to security, how can you explain to the CEO that you've done everything within the firm's means to be secure? What, exactly, are the risks if you accept most of a vendor's recommendations but find some too expensive or the harm too unlikely?
The cybersecurity industry has significantly raised awareness of security concerns, but it risks public trust with convoluted marketing. It isn't enough that we are able to secure the biggest companies in the world. We need to win the public's trust so they let us do it.