Cybersecurity buzzwords and buzz phrases are a dime a dozen. Used to simplify complex terminology or boost sales and marketing campaigns, buzzwords are an inescapable reality for an innovative and fast-paced industry like information security. However, such terms are not always helpful and can be inaccurate, outdated, misleading, or even risk causing harm. For example, a buzzword that exploits fear, uncertainty and doubt to maximize a profit-led agenda can be damaging, while a legitimate, once-useful term may become outdated, with continued use and reliance upon it hampering more evolved understandings of the root issue.

Here are the 11 cybersecurity buzzwords and phrases that should be laid to rest in 2021.

1. Ransomware
2. Zero trust
3. Whitelist and blacklist
4. AI-powered security
5. Cyber 9/11
6. Digital transformation
7. SIEM
8. People are the weakest link
9. Cybersecurity awareness
10. Cyber kill chain
11. Hacker

1. Ransomware

Despite being one of the most used terms in discussions around common cyberattacks, ransomware is technically an inappropriate definition no longer fit for purpose, says Charl van der Walt, head of security research at Orange Cyberdefense. “It’s hard to escape mentions of ransomware in the current news agenda, but while it suffices to describe the overarching subject, it falls short of wholly capturing what is in fact a complex and evolving issue.”

Ransomware’s real meaning is getting lost in translation, and it is now being used to define a far wider set of cyberattacks than its real definition—malware that holds the data of a computer to ransom—encompasses, van der Walt says. “This creates confusion between malware that does encryption, general malware that’s used by ransomware actors, and the ransomware actors themselves. At the center of ransomware is the act of extortion and cybercriminals see companies as easy targets for extortion—you only have to look at data suggesting how many companies now pay ransom demands as proof.”

As this threat evolves, van der Walt proposes a new term: cyber extortion (or Cy-X). He says this better encapsulates the history, current form, and potential future of this crime wave, as well as making the distinction between extortion as the crime and ransomware as the tool used to commit it.

2. Zero trust

Zero trust describes a “trust nothing by default” approach to securing users and devices. It has become one of the biggest marketing buzz terms of the last few years, exacerbated by the mass shift to remote working and the subsequent need for more effective methods of securing remote network access. However, for Quentyn Taylor, director of information security at Canon Europe, the term zero trust is too amorphous. “It’s impossible to know if you’ve actually reached it, and indeed I don’t believe anyone has or could do. What annoys me an awful lot about the concept is that a lot of people talk about it as if it’s new, when in reality we’ve been talking about deperimeterization for years. Zero trust is just a new marketing term for what we’ve been attempting to do for a long time.”

Paul Baird, CTSO UK at Qualys, agrees, adding that zero trust is fine as a concept, but as a buzzword, it is overused and under-delivered. “It is constantly used out of context, which has just created confusion within those that are responsible for implementing it. Zero trust is an ideology covering people, process, and technology. It is not a product that you can just buy off the shelf.”

3. Whitelist and blacklist

The terms whitelist and blacklist date back to some of the earliest days of cybersecurity. Associating “white” with good, safe, or permitted, and “black” with bad, dangerous, or forbidden, the phrases are still commonly applied to allow or deny use or access relating to various elements including passwords, applications, and controls.

Cybersecurity consultant Harman Singh thinks the terms need urgently replacing because of the harmful racial overtones associated with them, suggesting that allow lists and deny lists serve the same purpose without potentially damaging connotations linked to ethnicity and race. “This is such a small yet significant change,” he tells CSO. “The NCSC made this conscious change last year to avoid racial tone. Still only a handful of companies in the industry have thought about doing this. Why don’t we all follow this example to stamp out such terms?”

In a blog post, Emma W, head of advice and guidance at the NCSC, wrote: “You may not see why this matters. If you’re not adversely affected by racial stereotyping yourself, then please count yourself lucky. For some of your colleagues (and potential future colleagues), this really is a change worth making.”

One of the few companies that has taken this step is Microsoft, addressing non-inclusive language as a barrier to maintaining and developing diversity within cybersecurity. “A recent report published by UK Finance, EY and Microsoft found that making changes to non-inclusive language in cybersecurity and the broader workplace can go a long way in supporting diversity,” says Microsoft chief security advisor Sarah Armstrong-Smith. Microsoft therefore no longer accepts or refers to whitelists/blacklists on technical forums, opting for allow and block lists instead.

4. AI-powered security

Furor surrounding the potential of artificial intelligence (AI) and machine learning technology to transform cybersecurity has been at fever pitch for the best part of a decade. While you’d be hard pressed to find a security leader who does not recognize and acknowledge the growing importance of automation in modern information security, the plethora of security vendor sales pitches waxing lyrical about the latest AI- or machine learning-powered solution is wearing a little thin.

“Nowadays, regardless of the solution, most security vendors are quick to mention that their product is smart and integrates AI and machine learning to power decision-making processes. They seem to believe that’s what we want to hear, when it really sounds like they’re filling a bingo sheet without understanding how their solution actually works,” says Guillaume Ehny, CISO at gohenry. “Unfortunately, the statement never goes beyond that one sentence. When asked for more information about their model, the answer is almost always that ‘it’s a black box in the engine, it works on its own, and we don’t even need to worry about it.’ I understand that an AI/machine learning-assisted product can be an advantage and deserves to be mentioned, but the way it’s communicated is rarely doing any favors.”

5. Cyber 9/11

The term cyber 9/11 was first coined in the wake of the coordinated terrorist attacks against the United States by militant Islamist group al-Qaeda on September 11, 2001. The phrase refers to the hypothetical threat of terror-related cyberattacks that have the potential to cause significant and widespread implications including fear, violence, injury and death.

Predictions of such incidents have yet to materialize barring a small handful of cases, and for Taylor, cyber 9/11 and other similar cybersecurity references to major news events should not be used. “It dishonors the people who were affected by these incidents in real life. In addition to this, these kinds of terms are often bandied around as pure hyperbole. Thankfully, we have not yet seen a cybersecurity incident that had the same level of impact as either this [9/11] or any other event that certain commentators like to attach to. The sooner we can move away from attempting to link cyber incidents to real world incidents that have resulted in significant loss of life the better, and the more seriously our industry will be taken as a result.”

6. Digital transformation

While digital transformation is very much a buzz phrase of the modern cloud-driven era, Matt Rider, vice president of security engineering at Exabeam, thinks any reference to digital transformation is merely describing what organizations have been doing for the last 50 years. “The fact is, transformation is nothing new. Everything is always evolving, continuously transforming. This term isn’t a sudden epiphany that’s taken the industry by storm.”

Flash back to the early 1900s and the industrial revolution, when Henry Ford modernized assembly line production. His knowledge of emerging technology and transformational leadership inspired a new way of working, Rider adds. “This was a technological step-change that had a monumental influence and changed the world of work as they knew it at the time. The organizations I have seen be successful have the right culture, not the right tools. If you’re not ‘digitally transformed’ by now, you’re out of the game. I vote we all hop off the digital transformation bandwagon.”

7. SIEM

Security information and event management (SIEM) defines software products and services that combine security information management (SIM) and security event management (SEM). As an acronym and a product offering, SIEM is peddled by seemingly countless cybersecurity vendors.

However, Forrester security and risk analyst Allie Mellen says the term has a long legacy in compliance and doesn’t necessarily represent where SIEMs are today. “SIEMs are now focused on threat detection and response, incorporating security user behavior analytics (SUBA) and security orchestration, automation, and response (SOAR) to address each step of the incident response lifecycle. At Forrester, we call them security analytics platforms to better represent what they do: perform security analytics on data and serve as a platform with connections to third-party offerings for response.”

8. People are the weakest link

A concept trotted out at pretty much every security conference around the globe, referring to people as the weakest link in a security chain needs to stop, says Nigel Phair, chair of CREST Australia and director, Cyber Security Institute at the University of New South Wales. “People are the greatest strength to information security and protecting corporate networks and the data which resides on them. Naming and shaming people has not worked and never will. Since there is no technical silver bullet to solving online crime, we need to bring employees along on the journey, explaining to them why certain controls are in place and their role in protecting an enterprise.”

9. Cybersecurity awareness

Improving cybersecurity awareness across an organization is a high-priority goal for many CISOs. But the term is being misused, says Ravi Srinivasan, CEO of Votiro. “The term cybersecurity awareness has created a narrative that users are to blame for security incidents and encourages organizations to build out security strategies rooted in their education and training to detect (and ultimately prevent) cyberthreats,” he tells CSO.

However, today’s attacks are sophisticated and constantly evolving, and even the most security-conscious businesses find it difficult to stay ahead of them. Instead, security and IT leaders need to adjust their enterprise security strategies to focus on the business they operate globally. “In lieu of cybersecurity awareness, I would suggest promoting ‘cybersecurity vigilance’ and encourage organizations to enhance collaboration amongst employees and their employers, business and IT leaders, private and public sector entities to work collectively towards thwarting cyberthreats.”

10. Cyber kill chain

As the digital realm becomes ever more entwined with the physical, there has been a growing trend for military-style lexicon in relation to cyber, and none more so than the cyber kill chain. This phrase describes the various stages of a cyberattack and is often linked to advanced persistent threats (APTs). “I’m not sure this is totally appropriate and could lead us into heavier language used to try and make dull topics more interesting,” says Leanne Salisbury, senior manager for threat intelligence at EY. “Plus, I think there is potentially something wrong with this for veterans (especially those who have actually seen live conflict and have actual war stories) when they are asked to share their experiences about a project in a corporate setting with civilians.”

11. Hacker

Acronis cybersecurity analyst Topher Tebow says serious thought needs to be put into how the term hacker is used in today’s landscape, and while the word does not necessarily need to be eradicated entirely, incorrect usage of it does. “A hacker is simply someone who can find a way around normal applications of a given item, process, or piece of software to achieve a desired result.”

The problem with this word is that it is often used to describe a cybercriminal, when there are thousands of hackers who hack for the greater good, Tebow adds. “Instead, we need to consider the implications of what we are saying, and use terms like attackers, cybercriminals, and malicious actors instead of calling a bad actor a hacker.”

In defense of cybersecurity buzzwords

While experts agree that many cybersecurity buzzwords and buzz phrases should be laid to rest or replaced, Ed Tucker, senior cybersecurity director at Byte and former European CISO of the year, argues that a lot of the problems stem from the way buzzwords are used, rather than the terms themselves. “One of the biggest problems we have is not the buzzwords—they’re just a part of being in a commercialized industry—but lazy usage and the lack of contextual understanding and practical application of buzzwords. This perpetuates the theme that buzzwords are just that.” He concludes that the industry needs to do a better job of seeing beyond the buzzwords that are so often used and delve deeper into the concepts and where, when, and how they become applicable.