Poor communication is a security flaw. Time to patch.

What we have here is a failure to communicate.

I think I’m going to start all my hot takes with that quote from Cool Hand Luke from now on, because the inability of most security folk to communicate with non-security folk is tearing apart our political and social and economic fabric. The people who govern our lives and who will shape the future of our world do not understand information security. Unless we break out of our cozy in-clique exclusionary slang, that can only end badly–for all of us.

It doesn’t matter how great the research is, or the pentest, or the report, or your new security policy if no one reads it or understands it. When politicians make bad laws because they don’t understand cryptography, society suffers. When random retirees start pouring their nest eggs into ICOs (because “crypto”), society suffers. When rank-and-file employees ignore security policies because they don’t understand them or find them too restrictive, business suffers.

Security without communication is worthless. You can scream yourself blue in the face, but if no one groks what you’re saying, then you’re wasting your time. Information security is an unintuitive discipline, in many ways backwards from how we think about security and power and threats in meatspace. Worse, the security community has developed its own slang over the years that deliberately excludes outsiders. All fields do this, of course, and if infosec were metalworking or plumbing or air traffic control, that would be fine and dandy. Ordinary people don’t have a pressing need to understand the inner workings of those fields.

The human race has moved online, and information security affects everyone now.
It used to be we lived in the “real world” and “went online.” Now we live online and visit the “real world.” Soon even that will fade, until the only “real world” left will be quaint amusement parks that offer the unplugged experience, the same way pioneer villages today let you sample candle-making or blacksmithing in a Fun Obsolete Technology That Makes You Feel Superior kind of way.

Which brings us to the inspiration for today’s hottest of takes, the Cyber Security Style Guide, a solid attempt to bridge the communications gap, and establish a shared vocabulary we can build on. Created by technical editor Brianne Hughes, of security consultancy Bishop Fox, the style guide is the real deal, and you should read it and use it and maybe mail a copy to the Associated Press (AP) while you’re at it. While it’s no magic potion, it is a good first step in a journey of a thousand miles.

Words matter

First thing I did when I downloaded a copy was search for “dark net.” This was my litmus test: a bullshit definition and I would walk. But the style guide gets it bang on:

dark net or Dark Net
This nebulous term, along with “dark web,” and “deep web,” are written and used inconsistently to refer to online black markets. Better to call it the black market or specify the site or service in formal writing.
Related: Tor, I2P

For those of us who understand just how important Tor is (*cough* less I2P *cough*) to journalists, it’s great to see standardized documentation that demands precision. Words matter, and if mainstream reporters knocked off the magic wand words we’d all be better off as a society. “In general, I’m an advocate for plain language and making sure people are getting the point,” Hughes says. “The danger of technical writing is that you get so lost in the jargon that you lose the point.”

Hughes has a master’s degree in linguistics, and says that, until recently, infosec jargon has developed haphazardly.
It’s time now, she argues, for us to start thinking about security language in a more purposeful way.

“There’s a real gap between the people who find zero days and the people who are affected by them,” she says. “The guide is more aimed at the people who are writing about the technical things, it’s for security researchers, but also for tech journalists who take that message to the general public. With the style guide I’m really trying to sort of close that gap.”

Can I high-five you through the internet, Brianne? Consider yourself high-fived. Send high-fives in her general direction, everyone.

Information security is the central political question of our times, and most people don’t understand this bizarre and unintuitive landscape. That’s got to change, and that’s only going to change if we break down barriers in communication between security haves and security have-nots.

That probably means climbing down from the linguistic hill you’re prepared to die on. Talking LOUDER AND MORE SLOWLY in what might as well be a foreign language is NOT AN EFFECTIVE COMMUNICATION TECHNIQUE. SI EMPIEZO ESCRIBIR EN MAYUSCULOS AHORA ME ENTIENDEN MEJOR? EH? EH??? IDIOTA.

Use their words, not yours

Effective communication is about using language already present in another person’s mind. It’s about living off the land. The style guide’s definition of the much loathed “cyber-” prefix makes this point clear:

cyber-
Industry professionals don’t use this prefix, but it’s helpful when informing the public, as in the title of this document. For many users, “cyber” on its own invokes cybersex, not hacking. https://willusingtheprefixcybermakemelooklikeanidiot.com/
Related: cybersecurity

If you insist on dying on the cyber hill, then you do everyone a disservice.
The point is not the words, amigo, the point is The Thing Itself, and whatever linguistic tokens help communicate The Thing Itself to your audience are the right words to use.

For too long, the security field has cultivated and valued technical prowess above all else. But we do not exist in a vacuum. Security work has massive consequences for the rest of society, and we have a responsibility to communicate those consequences to our fellow humans.

“The way that you write, it’s not an afterthought. All security researchers are also writers,” she says. “Enjoy that title instead of grumbling that you could be getting a shell somewhere.”

Amen to that.