In business meetings, when a cybersecurity professional is asked to speak, the invitation is often prefaced with a request to avoid idioms and acronyms. Cybersecurity is rich in acronyms – whether they are used to describe a particular technical term or to exhibit a person’s credentials, there is no shortage of abstruse groupings of letters to make the “uninitiated” weep.
The same is true in cybersecurity writing. In fact, entire sentences can be constructed using as many acronyms as words. For example: “The NIST CSF corroborates CISA, ISO, and ISACA models, and addresses GDPR, NYS DFS, and CCPA requirements.”
This is easily solved by borrowing a technique that has long been used in other established professions, such as legal and medical documents: the full name is spelled out, followed by the acronym in parentheses, such as “General Data Protection Regulation (GDPR)”. Any subsequent reference can then be referred to by its acronym. Think of it as a formal introduction, followed by a more common reference. In extended writing, such as a full report, a glossary would also be included.
One problem in writing, and particularly cybersecurity writing, is the use of idioms. Idioms are those fun little sayings that we all use to describe an idea. There are two problems with idiomatic writing. The first is that, if the idiom is also explained parenthetically, as is the case with an acronym, the explanation renders the idiom redundant. The second problem is that idioms are not universally understood. This causes a reader to either question the meaning or disregard it entirely.
In cybersecurity, when describing concepts that are already difficult to implement, clouding the ideas with idioms is demotivating. Think of how the following statements make a reader halt to understand the idiom, rather than focusing on the cybersecurity concept:
“When aiming to achieve a zero-trust architecture, many are allowing perfect to be the enemy of the good.”
This is a chiefly American phrase. A better way to write this would be:
“When aiming to achieve a zero-trust architecture, many are not making any progress because total perfection seems unattainable.”
A similar phrase, attributed to parts of India, is:
“Seeking approval for a new cybersecurity project is often like knowing the value of wheat and lentils.”
Simply rephrased, this would be:
“Seeking approval for a new cybersecurity project is often a difficult process.”
One final example:
“All we need to do is introduce better security awareness training, and Bob’s your Uncle, we will reduce our chances of becoming victims of a phishing attack.”
“Bob’s your Uncle” is a British phrase that means something is easy to achieve. (The idiom dates back to a political scandal in Britain in 1886, when the Prime Minister gave his nephew the position of Chief Secretary for Ireland.) The sentence shown above can easily be rewritten to remove the idiom.
This is not to say that idioms should be entirely eradicated from writing. Idioms add flair and style to a person’s writing. They can give an author a unique, and instantly recognizable, “voice.” As with all presentations, one just needs to be cognizant of the audience. If you are writing a piece that will remain an internal corporate document, then sharing a well-recognized idiom is perfectly acceptable, if it is within corporate norms to do so. However, if that document may be shared with a broader audience, then the idioms must be reconsidered.
Idioms are often local, not global. They must be judiciously considered, especially when writing about cybersecurity.