Posted November 14, 2017
Dear reader, decrypt the following sentences:
“JAR-GO! is an experienced, industry leading, award winning information-security company that’s in a breed of its own and expanding globally. We provide a range of leading edge solutions, from the bespoke to the holistic that have been recognised with multiple annual rankings and several industry prizes.
We leverage powerful and state-of-the-art technologies to build flexible, reliable, convenient, and secure systems, like military grade encryption, best-of-breed, fully integrated, layered technology that is mature and poised to fill the gaps and weaknesses of other security systems in order to provide our customer’s unified insight and control over web, social, and mobile exposures.”
Naturally, JAR-GO! does not exist. However, the internet is awash with similar statements. In fact, JAR-GO!’s elevator pitch is a collage of some of the worst offenders we’ve come across. Although this kind of fluffy language is nothing new, in the realm of cybersecurity this verbal tic has a particularly nasty effect: it makes security even harder to achieve.
We live in a curious time where cybersecurity has never been more important and yet we are bombarded by news articles reminding us just how bad some of us are at it. Despite this free and constant advertising, the fundamentals of cybersecurity are not well known. Why is this? My hunch is that cybersecurity is still seen as something best left to the experts due to all the pretence around the subject. The industry has taught the uninitiated that there’s nothing they can do about it. At Cyberlight Security we think jargon is such a threat to cybersecurity that we’ve made it our mission to explain security in plain language. That’s because jargon causes some nasty problems.
The Effects of Jargon
Specifically, jargon mystifies a field that so desperately needs clarity, making good cybersecurity look much harder than it is. Whilst perfect security is nigh unobtainable, robust habits that dissuade most attackers are surprisingly straightforward to learn and implement. Yet the current deluge of buzzwords communicates the opposite, encouraging many to give up before they even begin, hoping the experts will solve matters instead. But security cannot be completely outsourced: I cannot stand behind your shoulder and tell you which of your emails is a phishing attempt and I cannot create and protect your secure passphrase for you. Only you can do that. Nevertheless, by obscuring the truth with convoluted sentences, part of the industry is teaching consumers that they should leave the field alone entirely.
A natural consequence of not knowing the fundamentals of cybersecurity is that one cannot tell the difference between a good product and a dud. Thus, it’s possible to batter the customer with enough buzzwords to beat them into submission. How would they know any better? As a result, consumers can surround themselves with insecure or suboptimal products whilst still feeling a false sense of security. This is an ideal scenario for criminals to exploit.
However, don’t think such problems are limited to the individual consumer. In fact, there’s a dismaying number of contradictions within the business world alone: we have companies providing compliance services for the upcoming GDPR that don't protect visitors’ internet traffic with an encrypted connection (something that you can often get for free), companies offering encryption ‘solutions’ that are not open to an independent security audit, and prominent cybersecurity firms that still advocate astoundingly mediocre password policies. Recently, I’ve even been notified by two large institutions that I need to change my passwords as part of their periodic password policy, an outdated practice that has been scrubbed from official standards. Clearly there needs to be a return to the basics of security. By using fuzzy language, the industry makes everyday cybersecurity seem harder than it is, prevents consumers from discerning which products work and leads to security companies overlooking basic practices. With all these shared downsides, why is jargon still used?
Why People Use Jargon
An easy answer would be the cynical viewpoint: keep consumers feeling helpless so they buy products out of desperation and can’t spot a mediocre product before purchasing. But I disagree. It’s understandable why people want to use jargon, given that everyone wants to represent their product in the best possible light. It's only fair. In fact, I’ve struggled with it myself. You’ll notice in my blog bio I’m an “encryption specialist” now. It used to be “encryption expert”, but ‘expert’ is a label others give to you. Whether it’s an author bio, slipping into legalese when drafting contracts or talking about ‘military-grade encryption’, it’s easy to lean on the autocomplete feature nestled in our heads – we all know how to talk like a stereotypical businessman.
Moreover, it’s difficult to avoid jargon because it requires a certain amount of vulnerability - a confidence to state not just what your product can do, but what it cannot. It seems counterintuitive to sabotage your own sales pitch, even if doing so means consumers better understand the benefits of your product. For instance, Cyberlight Security does not provide technical service like penetration testing (hacking to check for vulnerabilities) or forensic analysis (checking what went wrong after a hack). We provide cybersecurity training that every employee can understand and implement on a daily basis. That’s it. It’s not comfortable to tell you that we can’t solve all your problems, but there are some surprising upsides.
The Benefits of Clarity
For Consumers
Naturally, consumers stand to gain the most from clearer language. They’ll understand cybersecurity concepts more regularly, meaning better decision making. Customers can stop wasting money on products that solve a problem they don’t have or one that isn’t important to them. They can adopt simple habits and use free tools that are more suited to their situation than expensive products that hook them into an unnecessary subscription programme. But the inverse is also true: consumers will be able to discover vulnerabilities they were never aware of before and find products that can address these issues. Ultimately this will save them a lot of time and energy they would have otherwise spent recovering from a preventable setback.
For Businesses
When consumers are better informed, they know what specific problems they face and can seek out solutions to address them. Thus, people may buy new products because they now know that multi-factor authentication is different from their password manager or that anti-malware software is distinct from the anti-virus that’s pre-installed on their computer. On a broader scale, when cybersecurity is demystified, people who think they’re ‘too small to be a target’, those who aren’t purchasing security products at all, will actually understand what risks they’re running. They’ll seek out solutions to shield themselves rather than relying on a false sense of security. Additionally, in a field where everyone is an award-winning, certified, industry leader deploying 'military grade encryption' it can be tough to stand out. Stripping out the nonsense means website visitors know exactly what sets a business apart from the competition.
For Everyone
To use an analogy, if I don’t wash my hands, you’re more likely to get sick. It makes sense then for us to prevent such a basic hygiene lesson from being lost in an avalanche of pharmaceutical jargon. This dynamic also exists in the world of cybersecurity. Demonstrations of this fact include WannaCry and the 2016 Dyn DDoS attack, which exploited poorly secured devices to spread malware and shut down portions of the Internet, respectively. At the root of both disasters were two equally simple lessons: (1) updated software is more secure and (2) the cheaper the product, the more likely the vendor is skimping on security. The more we publicise these truths, the more likely others will heed them and deny the criminals their tools.
Sadly, it’s unlikely that jargon’s effects will ever fully go away. Yet there are still actions we can take as individuals to combat jargon.
Shining a Light on Jargon
As a consumer, it’s heartening to know that the information is already out there. One can seek out sources that explain the fundamentals in a way that grandma could understand. One excellent example of this is the Sideways Dictionary, a website that explains the ever-expanding security vocabulary in relatable analogies. With these basic concepts in the tool belt, one can more easily evaluate whether a product can actually help or not.
Additionally, it’s possible to find online consumer communities, where people are already discussing whether certain ideas are secure or just a marketing gimmick. For instance, researching password managers on the privacy board of Reddit led me to this excellent article on why new ‘stateless’ password managers, which produce passwords by feeding certain information into an algorithm rather than pulling them from a database, aren’t as convenient or secure as they seem.
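The ‘stateless’ scheme mentioned above can be made concrete. What follows is an added example written for this post, not code from the linked article, the Reddit thread or any real password manager; the choice of PBKDF2-SHA256 as the derivation function, the per-site counter, the output alphabet and the sample passphrase and site names are all assumptions made for illustration.

```python
"""Deterministic ("stateless") password derivation, as a teaching example.

The manager stores no vault: every password is recomputed from the master
passphrase, the site name and a small per-site counter. The functions below
make the trade-offs of that design visible. Hypothetical design, constructed
for illustration only.
"""
import hashlib
import string

# Output alphabet (assumed). 70 symbols, so "byte % 70" carries a small modulo
# bias; acceptable for a teaching example, not for a production generator.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
PBKDF2_ROUNDS = 100_000  # assumed work factor


def derive_password(master: str, site: str, counter: int = 1, length: int = 20) -> str:
    """Recompute a site password from master passphrase + site + counter.

    The same inputs always give the same output. That is the whole point of a
    stateless manager: nothing has to be stored or synced between devices.
    """
    salt = f"{site}|{counter}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ROUNDS, dklen=length)
    return "".join(ALPHABET[b % len(ALPHABET)] for b in raw)


def rotate_password(master: str, site: str, counter: int) -> tuple[str, int]:
    """Rotate one site's password, e.g. after that site reports a breach.

    A stateless scheme cannot simply pick a fresh random password; the only
    knob is the counter, and the new counter value must now be remembered
    (and synced) for that site. State has crept back in.
    """
    new_counter = counter + 1
    return derive_password(master, site, new_counter), new_counter


def master_change_impact(old_master: str, new_master: str, sites: list[str]) -> list[str]:
    """Sites whose password changes when the master passphrase changes.

    Changing the master (e.g. because it was exposed) changes every derived
    password at once, so every account must be updated in the same sitting.
    With a vault-based manager the stored passwords would be unaffected.
    """
    return [s for s in sites if derive_password(old_master, s) != derive_password(new_master, s)]


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample passphrase
    sites = ["example.com", "mail.example.org"]  # constructed sample sites
    print("deterministic:", derive_password(master, sites[0]) == derive_password(master, sites[0]))
    rotated, ctr = rotate_password(master, sites[0], 1)
    print("after rotation, counter", ctr, "must be stored for", sites[0])
    print("accounts to update after a master change:", master_change_impact(master, "new passphrase", sites))
```

Running it shows the trade-off the article describes: determinism removes the database, but rotating a single password after a breach requires storing a counter for that site, and changing the master passphrase changes every password at once, so the ‘no state’ promise holds only until the first incident. It also makes the risk model plain: the master passphrase is the only secret, with no encrypted vault standing between it and every account.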
Moreover, beware the refrain that something “just works”. If a product is missing basic concepts in its explanation that could signal something’s wrong. Ask how it works and demand a coherent answer. It’s easy to forego such a process, but there’s less pain in doing the research at the start than cleaning up the mess after an attack.
Wrapping Up
To reiterate: jargon is information pollution in a field where clarity is paramount. It discourages consumers from taking their security into their own hands, hampers their ability to distinguish good products from poor ones and even leads to poor business practices. It’s hard for vendors to be concise about what they can and cannot do, especially when they’re so passionate about their products, but we could gain so much more as consumers, businesses and members of society from plain language.
Co-founder, encryption specialist and fitness enthusiast.