Sunday 18 March 2018

Infosec for Beginners: Cracking the Linguistic Fortress - by guest writer Kristine Sihto

This article first appeared in the second newsletter of the Brisbane AWSN Chapter. 

Kristine Sihto has been writing intermittently over the past three decades. Most recently, she has found joy in technical writing for Alcorn Security Group. Kristine has plans to self-publish a book of poetry in 2018.

Information security can be a hard nut to crack. Infosec professionals come from a wide range of disciplines, with a wide range of backgrounds, but the stories I hear most often are of people coming into Information Security purposefully, scaffolding their pathway through closely related fields. There are people who want to break in but can’t find that pathway. They don’t know the right people, and they don’t have the foundation skills.
I’m very new to information security. Less than eighteen months, in fact. My current role is technical writer for a security assurance firm, but I came from a background of editing and compliance within vocational training. I hadn’t really worked in depth with IT, and the compliance work I had done really only scraped the surface of data protection.
There is so much to learn in Information Security that people such as myself, who sidestep into the sector from somewhere unrelated, may find it quite impenetrable. The jargon is so pervasive that the people working with information security concepts on a daily basis may not realise that they are no longer using common English. This creates an enormous linguistic barrier to entry, especially when we start talking about ‘the cybers’.
Coming into the sector with a high level of literacy didn’t help with this barrier. Many terms mean different things outside of information technology or cyber security; terms like ‘credentials’, ‘authorisation’, ‘malicious user’, and (as a verb) ‘middling’ (which, as many cricketers will attest to, is the practice of hitting the ball with the middle of the cricket bat). Military terms like ‘attack surface’ may require a fair amount of logic and critical thinking to determine what they might pertain to, and some, such as ‘red team’, are so obscure as to require explanation.
The jargon is made even more impenetrable by the widespread use of acronyms and initialisations, which have no linguistic transparency and require prior knowledge to understand. Put a bunch of them together, and the poor idiot on the other end (e.g. me) has no idea what’s going on!
All is not lost, however.
It’s possible to upskill in a reasonably short amount of time, given enough motivation to the task at hand. There are resources available that are easy to access, targeted at giving a baseline understanding of information security concepts, and most importantly, free.
Futurelearn has a brilliant series of cyber security MOOCs (Massive Open Online Courses) that I found to be especially helpful. Introduction to Cyber Security; Cyber Security: Safety at Home, Online, in Life; Cyber Security for Small and Medium Enterprises: Identifying Threats and Preventing Attacks. The entry bar for these courses is very low. The content is presented in a way that’s accessible to a range of learners, such as people with disabilities or people with lower literacy levels, and it covers all of the basics.
There are also free-to-access glossaries available online, and these may be useful not only for informing people new to Infosec, but also people who are being informed by information security, such as C-level executives. I found the Threatsaurus to be particularly useful. Glossaries such as this can assist in bringing newcomers up to the level of jargon usage that everyone else is using.
And of course, one of the best ways to feel your way into a field is to immerse yourself in it. Make connections through Twitter and LinkedIn; follow infosec blogs and podcasts (I listen to Security Weekly); engage with industry events and meetups, such as through AISA or AWSN. Listen and read on a regular basis, and there suddenly comes a point where you start to understand the words and concepts.
I believe it took me a solid six months to get to the point where I was familiar enough with terminology to feel comfortable that I wasn’t going to confuse everyone around me. I still am not at the point where I can take Google out of the equation, but in a highly technical role such as mine, I expect that my relationship with search engines will be a long-lasting one.

(c) AWSN 2018

Disclaimer: The views and opinions expressed in this article are those of the author/s and do not necessarily reflect the official policy or position of any agency, organisation or association.
