Language is a powerful ally to spread awareness and understanding about cybersecurity in the organization. Nevertheless, wrongly used, it can become a major barrier.
Lera Boroditsky, a famous psychologist and cognitive science academic, raises questions on how we speak and how the words we use shape the way we think in this very interesting TED Talk.
The speaker compares sentence structure examples in different languages to show how language influences the entire thinking approach and the vision of the world.
In a more specific environment, these very precise and relevant examples raised in my mind another question: What does our cyber language reflect? Which words are we using, and what does it mean about us in the cyber world?
Which vocabulary comes out of the articles we publish?
I looked at articles from CISO Magazine, Security Feeds, or simply online by googling “cybersecurity” in Google News. I repeated this activity a few days in a row with the following question in mind: “Which vocabulary comes out?” Can you take a guess at my observations?
A large majority of articles are about attacks, ransomware, cyber companies being acquired by others, or announcements of new laws.
Most texts are very formal and strict. All articles are very fact-based. I read close to nothing about collaboration, success, or lessons learned, for example. Articles were not focused on how to do things but more on what happens in the cyber world. Therefore, I realized that there is very limited information about possible collaboration models, advice on potential paths to success, resolution examples, lessons learned, or recommendations.
Shouldn’t we use our vocabulary carefully to have a more effective cyber awareness?
If this language reflects our vocabulary in cyber, can we have success in awareness and training with only factual or attack-related wording? Shouldn’t we put first how we are stronger through collaboration (within a company and across the industry)? As Lera Boroditsky explains in her TED Talk, couldn’t we communicate a different behavior by using a different vocabulary?
If we stressed success, incident resolution, the good attitudes that facilitate cyber, or examples of successful collaboration, I believe we would be more powerful in our message. At BxC, we see a lot of awareness campaigns focusing on the fear of security incidents. Though it is a powerful driver, we believe awareness focusing less on fear and self-driven interest and more on collaborative cyber success would reach a broader audience.
What about OT vs. IT languages?
It is also interesting to observe the languages used by the IT and the OT team. What can we notice around the vocabulary employed?
The general differences between IT and OT languages are known to each of the respective teams. The table below aims at summarising the wording focus and some key assumptions:
As a consequence, a very diverse vocabulary between IT and OT, with very opposite focuses, leads to a very different perception of the environment and the risks. On the one hand, for IT, change is the norm and part of daily operations; on the other hand, in OT, change is primarily a danger, which can only be controlled by rigorous processes and deterministic approaches. The lack of determinism of IT, the acceptance of the unknown, and the readiness to be in a reactive position are what OT teams typically consider unacceptable.
BxC Take Away
Being aware of the wording used is one step towards more powerful and efficient communication in the field of cyber. The more you align with the vocabulary of your audience, the more impact you will have and the better you will reach your communication objectives. Altogether, the careful choice of wording is one step towards the end goal of IT/OT Convergence.