Information security is a strange market segment. To outsiders, “security” is a simple thing: you are either secure or you are not. Many people also feel that security is a feature you can add to a product. These perspectives are simultaneously 100% right and completely wrong. They are right because at the end of the day, security should be something that customers expect their vendors will provide. Recent acquisitions by IBM, HP and EMC, for example, exemplify the broader trend of baking security into products and services. This is a good thing.
But the reductionist view of security is also completely wrong because it masks the variety and subtleties of today’s marketplace, and of the threat landscape. There are probably 1,000 information security vendors in the market, all selling various cures for real and imagined problems. Here at Yankee, we have identified at least 35 individual market segments in the enterprise arena alone. The sheer number of market entrants and threat vectors ensures that security will never again be something so simple as a “yes-you-have-it”/“no-you-don’t” discussion.
But sometimes information security vendors get a little too… shall we say, fancy in describing the terrifying variety of threats to customers’ business assets and peace of mind. I speak, of course, of the medicalization of information security — how endless variations on simple threats get turned into a baffling array of multi-syllabic symptoms, diseases and maladies.
Today’s latest addition to the jargon lexicon is something called “phlashing,” a technique for messing with embedded devices, like your home wireless router. It was uncovered — and named — by an HP researcher with a fondness for cutesy verbiage. He called it “phlashing” to denote the target of the attack vector, namely against embedded devices’ flash ROM firmware. The “ph” is the obligatory geeky add-on that, if you are a security researcher, you feel compelled to add because “fl” is far too simple.
Information security professionals of all types have long moaned that they don’t have visibility to the corner office, and that they don’t know how to “align security with the business.” I would humbly suggest that the wasting disease of medicalized jargon is part of the problem. Can we all agree to stop creating exclusionary terms to describe Yet Another Threat Vector (YATV)?
Here are just a few of the terms I’ve run across in my three years as a security analyst:
- Virus
- Spyware
- Trojan
- Rootkit
- Keylogger
- Bot
- Botnet
- Backdoor
- Dialer
- Drive-by
- Dropper
- Packer
- Phishing
- Pharming
- Phlashing
…and my favorite, “blended threat.” Symantec loves to use this term, but to me it just means “hemlock smoothie.”
I guarantee that nobody outside the information security market knows what any of these things mean. All they do is provide fodder for eager marketroids trying to fleece gullible sheep. Are you worried about creeping rootkititis? Such a deal we have for you!
Let’s get rid of the jargon, please. HP marketing, are you listening?
