What is it with the Security Industry and Acronyms?
Why can't we stop creating new acronyms in security?
RSA is just around the corner, meaning I’m bracing myself for the worst of cybersecurity marketing all in one place.
Acronym use in particular is out of hand. The over-use of acronyms by security vendors is becoming a meme, yet shows no signs of slowing down. I recently asked people on LinkedIn for the worst acronyms they’d seen and got some absolute gems in response:
Extended Security Intelligence and Automation Management (XSIAM) - which appears to have been created to give all the people who didn’t understand what XDR meant a new word for XDR.
Cybersecurity Asset Management (CSAM) - whose creators must somehow have had no access to Google.
Big Data Security Management (BDSM) - no comment.
Secure Access Service Edge (SASE) - which I’m informed is correctly pronounced “Zscaler and Netskope wanted to up their prices”.
Artificial Intelligence Trust, Risk, and Security Management (AITRiSM) - my personal favourite for its absurdity. It’s possibly so bad it’s good.
Notable mention for the 17 different _SPMs (‘Something Security Posture Management’) and for QR Phishing (which some lunatic decided to call Quishing).
It’s all fun and games but must be ridiculously frustrating for anyone who actually has to procure and use security products.
For example, our team is working on making it easier to manage vulnerabilities. The ‘category’ we’re in could be described as VM, RBVM, UVM, ASPM, XSPM, or CTEM. All these acronyms mean roughly the same thing. The trendiest of them at the moment is CTEM, which I’m honestly yet to fully understand. How is any of this helpful for anyone?
I don’t think vendors understand how little the average security person understands what they are trying to say:
Why do we have so many acronyms?
I should make clear that I have been heavily involved in creating and promoting some bad acronyms in the past (HLS or ICES anyone?). At the time, they seemed like a great idea from our point of view as the vendor. I think that is exactly the problem. Vendors are incentivised to constantly try to stand out in what is a crowded market, and new phrases and acronyms seem like a great way to do it.
Security is actually pretty simple when you boil it down - we need to find and resolve risks before attackers can exploit them, block potential entry routes, and, if all that fails, detect attackers once they do get in and limit the damage. There is really not that much more to it, yet there are hundreds of different places in the IT stack where you might need those things and tens of different approaches to solving those problems. Hence you end up with a lot of vendors who do roughly the same thing in a slightly different way, and who are desperate to stand out amongst the crowd.
The typical cycle looks something like this:
Vendors are incentivised to create a new acronym to describe their product, to clearly differentiate it from the competition
Analysts are incentivised to create or promote new acronyms, as it drives more demand for their services (buyers need to be educated on the new category)
Some CISOs are incentivised to adopt the new acronyms as it helps them explain to their CFO why they need to buy another tool
And, if the new category/acronym takes off, all the other vendors are incentivised to adopt it as buyers start actively looking for that thing
Acronyms aren’t all bad
There’s nothing ultimately wrong with the way the system works. Once you know what they mean, acronyms can help people quickly understand how different vendors view themselves within the market, or can simply save us all time. Nobody wants to say ‘Endpoint Detection and Response’ multiple times a day.
The problem is not the existence of acronyms, it’s the sheer number of them we have and the total over-reliance on them by marketing teams.
CISOs have a hard enough job on their hands as it is — needing to stay up to date with so many different topics within security. We could make their lives a lot easier if we led with what our products aim to achieve, rather than trying to push our latest five-letter creation. If we had 10x fewer acronyms, I think we’d be just fine.
ICG (I completely agree)
Loved the write-up.