Infosec Buzzword Bingo: 2020 Edition

Kelly Shortridge is currently VP of Product Strategy at Capsule8 and is known for presenting at technology conferences internationally, including Black Hat USA and O’Reilly Velocity Conference.

Despite the vital importance of infosec to our economy and society, the security product landscape is littered with embellished marketing claims devoid of meaning. It’s a mystery how anyone wanting to buy information security solutions can understand what the hell is going on in a marketplace tyrannized by security buzzwords. Infosec branding is similar to skincare products—unregulated claims offered in a saccharine spoonful of fluff. It’s probably only a matter of time before we see a security product promising to “rejuvenate” your situational awareness or describing machine learning as an “exclusive miracle ingredient.”

To cope with this depressing reality, I decided to mop up all the snakeoil and squeeze a game out of it—what I call “Infosec Startup Buzzword Bingo.” I look at 100 infosec startups infused with fresh VC cash within the past year, collecting the top 25 buzzwords from across their home and product pages. After four years of bingo creation, it’s uncertain whether it successfully operates as a coping mechanism, or if it instead distills the rot that permeates the information security vendor landscape, bottled up like a poisonous gas that imperils us all.

Nevertheless, this year’s bingo card attempts to capture the current zeitgeist of the infosec startup scene. It’s a way for infosec professionals to recognize the ruthless superficiality and unscrupulousness of the marketplace while still sharing the goal of protecting the systems on which we depend. Faced with this dichotomy, we are left with the options the existential philosopher Albert Camus famously outlined for confronting absurdity: we can either abandon the industry, cling blindly to the supposed morality of our efforts, or recognize the absurdity for what it is.

The Infosec Startup Buzzword Bingo can add some levity to the misery of browsing vendor halls, perusing vendor websites, or sitting on a call that sounds more like a Turing test than a product pitch.

1581019305135-infosec-startup-buzzword-bingo-2020

I can attest that calling out buzzwords year after year certainly hasn’t dissuaded marketing professionals from leveraging them. The words “cyber,” “threat,” “intelligence,” “automation,” and “platform” are so ubiquitous that they realistically no longer count as buzzwords. The true lifecycle of a buzzword likely begins with a marketer attempting to distill technical advantages into something attention-grabbing, other marketers glomming on like bedbugs, users squinting and puzzling over its meaning, and finally, reluctant acceptance of some nebulous, “flexible” definition that solidifies its position in the industry lexicon (Exhibit A: “zero trust”).

“Real-time, comprehensive visibility” could apply to network-based detection, scanning applications for vulnerabilities, flagging sensitive data being accessed, collecting system telemetry on servers, or stopping phishing attempts. It seems unlikely that, faced with an inability to distinguish capabilities or quality, users truly feel “empowered” by these solutions.

Infosec products are presumed to be so unusable and unsatisfying that vendors must preemptively assuage concerns, using language like “intuitive,” “seamless,” or “simplify.” The fact that “accurate” ascended to the buzzword bingo card this year is revealing—our product landscape has so blisteringly failed to meet expectations that the bar is now on the floor. “Actionable,” a stalwart infosec buzzword, similarly betrays the vendor landscape by suggesting that having practical value is a differentiator, rather than a base assumption.

Over a quarter of startups I looked at deem themselves or their raison d’etre as “unique,” although their uniqueness often rests on technical architecture that is so convoluted that it’s practically useless—solving problems that pain no one. Technologists navigating these vendors’ websites and puzzling over what, precisely, they offer might struggle to agree with the “unique” label. Or, many of these startups, despite their nascency, are also self-described as “leading.” Whether they mean it in the sense of “leading the industry” or of “leading prospects on” remains unclear.

Over half of startups specify “machine learning” or “AI” as their solution’s engine—albeit with scant implementation details—and users are left to wonder whether it’s nested if statements, simple linear regression, or an unsupervised algorithm that will take a relative eon to baseline their systems. It’s assuredly too much to hope that “accelerate” climbed its way onto the bingo card this year through recognition that security products must support business goals, like speed of operations. Alas, it’s far more likely an attempt to gloss over the notoriously feeble time-to-value of infosec solutions.

In a dream world, “accelerate,” along with its companion buzzword, “modern,” could portend a new wave of security products that are usable enough for engineering teams to implement themselves. But that would require vendors to “continuously” focus on improving UX and performance. It’s far simpler to sell to security teams who don’t realize that products shouldn’t be painful to use nor bleed system resources like it’s shamefully amateur malware.

Far from the shining portrait of noble knights gallantly riding network appliances into the cyberbattle, these buzzwords trace a fuzzy silhouette of a warrior that transforms into a greedy, gnarled claw waiting to snatch budget dollars when you embrace the shadow of your would-be hero. That is, the infosec industry is built on a lie—that the mission is built on a worthy foundation of valiantly protecting data and systems. Its true face is just like any other industry—maximizing growth on behalf of VC benefactors—except with less tangible evidence of success.

These “insights” from my “deep” exploration of infosec startup buzzwords won’t change the status quo—it would be absurd of me to believe so. But we need to show the receipts if we want to preserve respect in the industry. We cannot listen to our own lies, or we will struggle to distinguish the truth—and lose our ability to pretend that we are the saviors of the digital era.