The Infosec Phrasebook
Spend enough time around security people and you pick up a second vocabulary. It has a faintly military air and a noticeable per-syllable markup on vendor invoices.
Defense in depth: coding.
Zero trust: auth.
Least privilege: the permissions you forgot to grant.
Attack surface: your code.
Blast radius: everyone else’s code.
Hardening: turning things off.
Air gap: a USB stick.
Shift left: make it the developer’s problem.
Threat model: a Google Doc.
Tabletop exercise: a meeting about the Google Doc.
Compensating control: we didn’t fix it.
Risk acceptance: we didn’t fix it, in writing.
Remediation: a Jira epic.
Assume breach: we got breached.
CVE: curriculum vitae enhancement.
CVSS 9.8: please answer the phone.
Lateral movement: ssh.
Exfiltration: curl.
Supply chain security: running npm install, nervously.
Security posture: vibes.
Then there’s cyber, which gets prefixed to all of the above and increasingly used on its own. Cyber risk, cyber hygiene, cyber resilience, Cyber Essentials, “I work in cyber”. I have been on the internet long enough to remember when cyber was a verb, and what it meant when a stranger in an AOL chatroom asked if you wanted to. I cannot watch a minister say it into a microphone without that association firing, and at this point I’ve stopped expecting it to fade.