Carsten Reisinger - stock.adobe.

C-suite mystified by cyber security jargon

Malware, supply chain attack, zero-day, IoC, TTP and Mitre ATT&CK are just some of the everyday terms that security pros use that risk making the world of cyber incomprehensible to outsiders

Although the C-suite are now keenly aware of the threats to their organisation, and how often they are attacked, many struggle to understand the terminology that cyber security professionals would consider everyday language, but to them sounds more like jargon. As a result, many are struggling to prioritise appropriate action on cyber issues, a new Kaspersky report has found.

Kaspersky worked with C-suite executives and cyber, risk and compliance profesionals across Europe, and found significant gaps in understanding. It said there was a danger that cyber security was becoming a specialism that “speaks to itself” and makes itself impenetrable to those without a thorough background in the sector.

While more technical terminology – such as Mitre ATT&CK, TTPs, Suricata rules and Yara rules – tended to cause confusion in the C-suite, there was also widespread ignorance around much more basic security terminology, with terms such as malware, phishing, ransomware and supply chain attacks leaving significant numbers befuddled.

“Acronyms, jargon and idioms act as shorthand for those in the know, but often seem confusing for anyone without direct experience of working in cyber security,” said Stuart Peters, general manager for the UK and Ireland at Kaspersky. “Our findings suggest that the inability from senior management within large organisations to truly understand the nature of the threats they’re constantly exposed to, means they are often not considered a boardroom priority.

“In other words, this paints a picture of high-powered C-suite executives having to make timely, critical business decisions without a clear picture of their own unique threat landscape and the risk it poses to their organisation, preventing them developing a culture of cyber security based on best practices, knowledge-sharing, and ultimately actionable intelligence.”

Fortunately, there were signs that security specialists are aware of this language barrier, with almost half of C-level security, compliance and risk specialists agreeing that jargon and confusing terms presented the biggest barrier to the broader C-suite’s understanding of the threat landscape.

Nevertheless, Kaspersky described “significant obstacles” to the C-suite developing a more comprehensive understanding and awareness of the security issues they faced, and that the language used to transmit and mediate those issues was clearly inhibiting the ability of many to built a culture of best practice within the wider organisation.

When it came to educating themselves, Kaspersky found that just under half of C-suite respondents tended to rely on news stories, industry blogs and social media to gather insight. Kaspersky suggested that this tendency may also leave the C-suite at risk of consuming only information on the most high-impact, popular or trending security topics, and not engaging with the nitty-gritty of the industry.

Read more about boardroom attitudes to security

Consuming media is important, said the report, but it should be used strategically as part of a holistic, layered approach to intelligence-gathering.

Other popular sources of information included supplier partners’ and private dark web threat intelligence services, but Kaspersky also found that a not-insignificant minority were relying on their own internal resources to decipher emerging threats.

Overall, said Kaspersky, the research project revealed that the C-suite need more help in understanding the threats facing their organisations. It said it was one thing to be aware of cyber threats, but another thing entirely to understand them, and this inability to understand is causing security to slip down the agenda.

Publicly available resources and more budget for training can help, it suggested, but “the reality…is that without solid expertise to identify, analyse and cross-correlate cyber threats, organisations are only half-arming themselves against the threat”.

The report’s authors added: “At the core of this approach is an interpreter or partner who can not only speak the language of cyber crime, but also understand how the privacy and anonymity that provides protection for criminals can be used against them to develop a rapport and then extract critical intelligence.”

Read more on Security policy and user awareness