{"id":1862,"date":"2025-02-11T06:00:00","date_gmt":"2025-02-11T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1862"},"modified":"2025-02-11T06:00:00","modified_gmt":"2025-02-11T06:00:00","slug":"wtf-why-the-cybersecurity-sector-is-overrun-with-acronyms","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1862","title":{"rendered":"WTF? Why the cybersecurity sector is overrun with acronyms"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Back when Elon Musk was best known for founding SpaceX and Tesla, not as one of Donald Trump\u2019s most trusted advisors, he issued a stern warning to his employees about their overuse of acronyms.<\/p>\n<p>In 2010, Musk sent <a href=\"https:\/\/www.verdict.co.uk\/jargon-business-workplace-musk\/\">a memo to staff<\/a> that read:<\/p>\n<p>\u201cThere is a creeping tendency to use made up acronyms at SpaceX. Excessive use of made-up acronyms is a significant impediment to communication\u2026 No one can actually remember all these acronyms and people don\u2019t want to seem dumb in a meeting, so they just sit there in ignorance\u2026. This needs to stop immediately or I will take drastic action\u2026. If there is an existing acronym that cannot reasonably be justified, it should be eliminated, as I have requested in the past.\u201d<\/p>\n<p>This may seem heavy-handed, but there\u2019s no denying the overuse of <a href=\"https:\/\/www.csoonline.com\/article\/565991\/cybersecurity-acronyms-businesses-need-to-know.html\">acronyms<\/a> in the tech industry can in fact serve as a significant obstacle to clear and concise communications. 
This is especially troubling in a high-stakes sector that demands understanding and transparency.<\/p>\n<p>APT, CTI, DDoS, EDR, IAM, MDR, MSSP, SASE, SIEM, SAT etc., RaaS, OpSec, SOC, SOCaaS, DevSec, DevOps, DevSecOps, DFIR, SAST\/DAST, NHI, GDPR, CISA, HIPAA, CVSS, SSO, 2FA, MFA, the list goes on. CISOs and other cybersecurity professionals <a href=\"https:\/\/www.connectwise.com\/blog\/cybersecurity\/essential-cybersecurity-acronyms#:~:text=DLP%20(Data%20Loss%20Prevention)%2C,cybersecurity%20best%20practices%20and%20frameworks.\">may grasp these immediately<\/a>, but just as many may be left scratching their heads, especially newcomers to the firm or the field.<\/p>\n<p>And how about pronunciation? Ask a colleague who\u2019s a CISO how they pronounce their title. Is it siss-oh? See-so? Or do they go all out and hit the initials C-I-S-O. What about SIEM? Seem? See em? Seye em?<\/p>\n<p>If you don\u2019t believe cybersecurity is a little overloaded with acronyms, check out GitHub\u2019s <a href=\"https:\/\/github.com\/cloudsecurelab\/security-acronyms?tab=readme-ov-file\">massive curated list<\/a> of those currently in use. It\u2019s so pervasive that cybersecurity pros occasionally give it a smirking acknowledgment in their work, as when security developer Victor Alvarez developed a malware detection tool and named it YARA. \u201cYARA: Another Recursive Acronym, or Yet Another Ridiculous Acronym.
Pick your choice,\u201d <a href=\"https:\/\/x.com\/plusvic\/status\/778983467627479040\">Alvarez said on X<\/a> (formerly Twitter) to explain his naming convention.<\/p>\n<h2 class=\"wp-block-heading\">Having too many acronyms can bog things down at the worst time<\/h2>\n<p>Imagine an organization is in the midst of a massive hack or security breach, and employees or clients are having to Google frantically to translate company emails, memos or crisis plans, slowing down the response.<\/p>\n<p>When these acronyms inevitably migrate into a cybersecurity company\u2019s external marketing or communications efforts, they\u2019re almost guaranteed to cause the general public to tune out news about issues and innovations that could have a far-reaching impact on how people live their lives and conduct their businesses. This is especially true as artificial intelligence (AI!) and machine learning (ML!) technologies expand and new acronyms emerge to keep pace with developments.<\/p>\n<p>Acronyms can also have unfortunate real-life connotations \u2014\u00a0point of sale, to name just one example. When shortened to POS, it can suggest something is\u2026 well, crappy.<\/p>\n<p>I edit copy written by academics, including cybersecurity scholars, as an editor at <a href=\"https:\/\/theconversation.com\/ca\">The Conversation<\/a><em>, <\/em>a global online news organization. Let\u2019s put it this way: Many academics, regardless of their area of expertise, have never met an acronym they didn\u2019t prefer to typing out the entire phrase. That means our copyediting efforts too often involve spelling out or removing acronyms throughout, much to the chagrin of some of our authors. They may have made up these acronyms and are particularly proud of them.<\/p>\n<h2 class=\"wp-block-heading\">When is it safe to use an acronym?<\/h2>\n<p>Our rule of thumb is that no acronyms should be included in copy unless they\u2019re well-known \u2014 think IT, WiFi, FBI, NATO, CEO, CNN. 
If people don\u2019t use them in conversation, they should be avoided and simply spelled out, even in repeated references.<\/p>\n<p>Clearly, tech organizations and publications, including CSO Online, have their own style guides detailing what acronyms are acceptable. But as a general rule, it\u2019s never a bad idea to err on the side of spelling things out in written communications, especially on first reference.<\/p>\n<p>Here are some of the sillier acronyms we\u2019ve had to remove from copy:<\/p>\n<p>SHT for smart home technologies.<\/p>\n<p>FRT for facial recognition technology.<\/p>\n<p>PWUD for people who use drugs.<\/p>\n<p>EWE for extreme weather events.<\/p>\n<p>SET for structural and environmental technologies.<\/p>\n<p>NAP for national adaption and\/or action plans.<\/p>\n<p>PWHCH for a person who has caused harm.<\/p>\n<p>Some of these acronyms are arguably used by PWHCHs and run the risk of turning readers into PWUDs.<\/p>\n<h2 class=\"wp-block-heading\">Why do we use acronyms?<\/h2>\n<p>So, what\u2019s behind the tendency to shorten terms to a jumble of often incomprehensible acronyms and abbreviations?<\/p>\n<p>\u201cOn the one hand, acronyms, abbreviations and jargon are used to achieve brevity, standardization and efficiency in communication, so if a profession is steeped in complex and technical language, it will likely be flowing with acronyms,\u201d says Ian P. McCarthy, a professor of innovation and operations management at Simon Fraser University in Burnaby, British Columbia.<\/p>\n<p>\u201cBut because communication helps define the identity and exclusivity of a profession, the use of acronyms by a profession is a form of elitism that selects and restricts who can function in the profession. 
Using acronyms signals that you are worthy of belonging to a professional community.\u201d<\/p>\n<p>It\u2019s as if the industry has declared acronyms its ultimate secret weapon, employing them not just to save time but to create an exclusive club where only the initiated can follow the conversation. This isn\u2019t just frustrating \u2014 it can slow down onboarding, alienate potential collaborators and obscure the critical work being done.<\/p>\n<p>And rightly or wrongly, <a href=\"https:\/\/www.business-humanrights.org\/en\/latest-news\/tech-companies-criticized-for-their-complicity-bias-against-palestinians-around-the-gaza-conflict\/\">the tech industry already faces criticism for being elitist and exclusionary<\/a>. While the cybersecurity sector <a href=\"https:\/\/www.secureworld.io\/industry-news\/minorities-cybersecurity-skills-gap-2024\">is making progress<\/a> in terms of hiring more women and racialized minorities, there\u2019s still work to be done.<\/p>\n<h2 class=\"wp-block-heading\">Here\u2019s how acronyms can really get in the way<\/h2>\n<p>So, using inaccessible language may make it even more difficult to engage people from diverse backgrounds. New employees or clients of cyber-security firms may feel as though they\u2019re navigating an entirely separate language, populated by a never-ending list of abbreviations.<\/p>\n<p>As useful as acronyms can be, they are overwhelming when used in excess, creating the following problems:<\/p>\n<p><strong>Barrier to entry<\/strong>: For newcomers, the constant onslaught of acronyms can be intimidating and discouraging. Imagine a new employee trying to understand cybersecurity protocols but feeling overwhelmed by thousands of unfamiliar abbreviations. 
Acronyms initially intended to help industry insiders communicate quickly may unintentionally alienate newcomers \u2014 and slow things down when an organization needs to move fast.<\/p>\n<p><strong>Duplication and ambiguity<\/strong>: Acronyms often have multiple meanings depending on the context, like ASP (application service provider vs. active server pages). If someone refers to \u201cAPT,\u201d are they talking about an advanced persistent threat, or something entirely different? This ambiguity can lead to misunderstandings in crucial communications, potentially leading to security vulnerabilities.<\/p>\n<p><strong>Acronym fatigue<\/strong>: As Musk alluded to in his scathing 2010 memo, professionals already in the field may face \u201cacronym fatigue\u201d as the sheer volume of terms makes it challenging to keep up with new developments. This can be especially problematic in cybersecurity, where it\u2019s crucial to understand the latest threats and solutions.<\/p>\n<p><strong>Loss of transparency<\/strong>: As cybersecurity becomes more critical to our daily lives, it\u2019s important for the public to understand basic security concepts, but acronyms can obscure rather than clarify. Concepts like MFA and VPN might be bewildering to users who lack an understanding of the terminology, even if they know these tools are meant to protect them.<\/p>\n<h2 class=\"wp-block-heading\">Here\u2019s how to make acronyms more approachable<\/h2>\n<p>The solution isn\u2019t necessarily to avoid acronyms altogether\u2014they can serve an important role in condensing complex concepts. In fact, <a href=\"https:\/\/interlaced.io\/blog\/your-guide-to-cybersecurity-acronyms-cyber-series-part-1\/#:~:text=Why%20Are%20There%20So%20Many,involves%20intricate%20and%20specialized%20terminology.\">this list of old standbys, as well as new and evolving acronyms<\/a>, may be helpful for cybersecurity organizations. 
However, reducing the overuse of acronyms, and providing context, can make them more accessible. Here are some approaches that could improve understanding:<\/p>\n<p><strong>Glossaries<\/strong>: Organizations could create a standardized glossary of commonly used acronyms, especially in onboarding materials or materials aimed at a broader audience \u2014\u00a0and especially anything public-facing. This would make it easier for newcomers to familiarize themselves with essential terms.<\/p>\n<p><strong>Simple explanations<\/strong>: Providing short explanations or definitions when using less common acronyms can clarify their meaning. This approach, already common in documentation and industry articles, could be expanded to include presentations, meetings and emails within organizations.<\/p>\n<p><strong>Avoiding unnecessary acronyms<\/strong>: As an editor I recently fumed to a colleague as we co-edited a story: \u201cIs it really so onerous to spell out \u2018extreme weather event?\u2019\u201d My colleague replied: \u201cOr just write out tornado, hurricane, flood, whatever it actually is?\u201d Not every term needs an acronym, and in some cases, plain language can even replace what the acronym stands for. 
Reserving acronyms for the most common or widely understood terms can reduce the total volume of abbreviations.<\/p>\n<p><strong>Training<\/strong>: Regular training sessions that update veterans on both new terminologies and existing commonly used acronyms can help everyone at the organization stay on the same page without overwhelming them.<\/p>\n<p>A tech sector worker <a href=\"https:\/\/www.reddit.com\/r\/cybersecurity\/comments\/1bfnyh9\/what_do_cyber_security_professionals_do_with_all\/?utm_source=share&amp;utm_medium=web3x&amp;utm_name=web3xcss&amp;utm_term=1&amp;utm_content=share_button\">on Reddit jokingly asked<\/a>: \u201cWhat do cybersecurity professionals do with all the time they save by using acronyms?\u201d<\/p>\n<p>They could use that time to think of ways to ensure their workplaces take all the necessary steps to prioritize clear, concise language to the benefit of all their employees, clients and stakeholders. To paraphrase playwright George Bernard Shaw, <a href=\"https:\/\/execdev.unc.edu\/how-to-increase-the-odds-of-people-paying-attention-to-your-communication\/#:~:text=Make%20Yourself%20Heard,directly%20or%20silently%20to%20themselves.\">the single biggest obstacle in communication is the illusion that it has taken place<\/a>. Overusing acronyms helps create that illusion.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Back when Elon Musk was best known for founding SpaceX and Tesla, not as one of Donald Trump\u2019s most trusted advisors, he issued a stern warning to his employees about their overuse of acronyms.
In 2010, Musk sent a memo to staff that read: \u201cThere is a creeping tendency to use made up acronyms at [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1863,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1862","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1862"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1862"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1862\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1863"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1862"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1862"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1862"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}