The Devil’s Information Security Dictionary

Just saw the very funny Devil’s InfoSec Dictionary on the CSO site. Of course, I had to add a few definitions of my own:

Blended threat: a hemlock smoothie
Process, Security Is A: a throw-away line that explains why security measurement is impossible
Risk management: a repeated process around the Hamster Wheel of Pain that vendors use to enumerate vulnerabilities you didn’t know you had, followed by serial remediation of same. See “remediation”
Remediation: furious arm-flapping and showy activity designed to convince bosses that something is actually being done about vulnerabilities identified by third parties
Spear phishing: a sport undertaken by illiterate anglers

More from Markerbench

Andrew Jaquith

Writing for Impact: Executive Summaries

The Executive Summary is your first—and often last—chance to persuade decision-makers. Here’s how to stick the landing.

20 min read ∙ July 31, 2024

Andrew Jaquith

Talking to Executives About Cyber and Technology Risks

Senior managers talk about risks, and not about threats or controls. To have better conversations with senior leaders, focus where the risks are coming from, and why. This post offers a vocabulary for talking about cyber- and technology-related risks and their causes.

11 min read ∙ January 31, 2024

Andrew Jaquith

Who Killed the Perimeter? Some Clues.

Enterprise network perimeters have been disappearing: at first slowly, and then suddenly, all at once and at knifepoint. If this were a game of Clue, I’d accuse the Ransomware Actor, on the Edge Device, with the Zero-Day.

9 min read ∙ November 14, 2023

Andrew Jaquith

Microsoft to CIOs: Drop Dead

Microsoft’s new advice for securing Active Directory does customers a disservice by focusing on the wrong things. Tomorrow’s “Zero Trust” and Azure roadmaps won’t stop today’s ransomware epidemic. Enterprises need to protect the Active Directory they’ve already got.

7 min read ∙ December 22, 2020

Andrew Jaquith

Five Lessons from a Decade of Security Metrics

The data revolution sweeping over IT has come to cybersecurity. CISOs can learn from their success disasters, instrument their controls, and write key risk indicators (KRIs) that resonate with their audiences.

20 min read ∙ March 21, 2019

Andrew Jaquith

The Twenty-Year War on Cybercrime

Digital crime is on the rise. To defeat it, defenders need to scale up, gain the full picture of risk, and heed the lessons of John Boyd.

18 min read ∙ June 6, 2015

Andrew Jaquith

Escaping the Hamster Wheel of Pain

Security shouldn’t be an endless patch-and-pray exercise. Metrics offer a way out.

9 min read ∙ May 4, 2005