Pragmatic Cybersecurity unpublished

Opinions expressed on this blog reflect the writer’s views and not the position of the Capgemini Group

The importance of a common terminology

It’s been a busy week for me this week; my latest contribution to the Computer Weekly Security ThinkTank has been published:

and I’ve also completed my slides ready to lay down the law, or at least provide an opinion, on ten common cloud security misconceptions at Cloud Expo Europe on the 26th of February:

Blatant plugs aside, the release of the NIST Cybersecurity Framework earlier this week highlighted something that is obvious, but frequently overlooked: the importance of a common terminology. I always begin my articles and presentations with an attempt to establish a common understanding of the terms I’ll be using so as to try and avoid misunderstandings. I don’t necessarily expect everyone to agree with the definitions – that’s not important. What is important is that we all understand what I mean when I use those terms. Without such a common understanding it is difficult to avoid talking at cross-purposes, or else leaving one or other party to a conversation disappointed when what is delivered as a result of that conversation differs from what they thought they were getting.

Establishing a common understanding is particularly critical in the security space, where terms such as risk, threat, vulnerability and exploit get used, abused and intermingled. When you’re talking about security there’s no room for misunderstanding or a lack of clarity; clear communication is key to delivering solutions that align to an equally clearly expressed risk tolerance. All of which brings me back to the NIST Cybersecurity Framework. I may not necessarily agree with the Framework in terms of its terminology of Functions, Categories and Subcategories. I do, however, see the potential value that it offers with respect to setting a common understanding and acting as a mechanism to enable clear communication of security requirements.

Take a look and please use the comments to let us know what you think!

About the author

Ian Cole

Ian has been employed with Capgemini since 2006 and during this period has been assigned to a number of public and private sector projects within the various market sectors. Ian’s security interests are in information assurance/protective security; he also has a penchant for deciphering security speak into simple English targeted at a CxO level. Ian is a Security Cleared consultant with over 15 years’ experience in information security. He has an MSc in IT Security and is a member of CESG’s Listed Advisor Scheme (CLAS), an Associate Member of the Institute of Information Security Professionals (IISP), a Certified Information Systems Security Professional (CISSP), a Certified Information Systems Auditor (CISA) and an ISO27001 Lead Auditor.
