Racial discrimination is systemic within information security

Tuesday, 9 June, 2020

Black Lives Matter

As I wrote in my weekly infosec newsletter over the weekend:

You will, no doubt, have seen some of the horrific coverage of violence used against protesters this week… You may feel detached or removed from events; however, the issues are systemic and pervasive even in a ‘modern’ field like cyber security.

The language we use is important. Our profession is littered with examples of out-dated terminology that has no place in modern business:

  • Whitelists/blacklists. The idea that white is good and black is bad is ingrained. Instead, we use allow list and block list as more descriptive terms for filtering known good/bad sites.

  • Master/slave. This is another obvious example and one that can confuse conversation: if you have three sites, that terminology just doesn’t work. Instead, we use primary, secondary (tertiary, and so on) as more descriptive terms that convey the same meaning to business and technology teams alike.

Diversity of views and experiences is also crucial when it comes to identifying the harms and consequences necessary to properly understand the cyber risk of a new product, service or feature.

Beyond the specific examples relevant to the events we’re seeing and reading about in the news at the moment, ‘industry speak’ raises the barrier to entry – it’s a form of protectionism. That may feel great if you’re on the inside; however, it’s also exacerbating the shortage of cyber security skills.

Confusing terminology is making it more difficult for infosec teams to do their job effectively. Research across 1,200 senior executives and technical teams shows 35% of execs and 50% of IT believe the other is responsible in the event of a cyber-attack.

Using language that is simple and inclusive helps infosec teams to communicate better. It’s an integral part of our positive security approach.

I know I speak from a position of privilege, and there is a lot that I don’t know. I’m trying to listen, to understand, to research and read, and to play my part in addressing this injustice. The language we use is a powerful thing and it is an area where I’m trying to make a change.

You can too. Reconsider your choice of words. #BlackLivesMatter.

What other infosec terminology do you think is out-dated? Let us know on Twitter.