The language of information security
English is one of the few languages that’s almost universally used in the business world, and it is not uncommon for it to be used as the common language of business communication between speakers who have different native languages. It also seems to be the language of information security, and more often than not you’ll even hear English terms like “cryptography,” “intrusion detection” or “access control” used in conversations that are otherwise conducted in French, Spanish, Chinese, or many other languages. Not surprisingly, the discipline of information security also shares other features of the English language.
English is easy to learn but difficult to master. Over 70 percent of aviation accidents are caused by a lack of communication, so the International Civil Aviation Organization (ICAO) has required that all civilian flight crews, air traffic controllers and station operators attain a significant proficiency in English by 2008 to ensure that a common way to communicate is shared by all workers in civil aviation.
Language is strongly tied to our sense of national and cultural identity, so people tend to be very sensitive to issues of language use and policy. The broad international agreement to require English in civil aviation shows that it is a very pragmatic choice for this purpose, and ease of learning is one of the main reasons why it was chosen by the ICAO.
The English used by aviation workers is a subset of English, and is perfectly adequate for air-to-ground communications, but it’s not really suitable for more routine tasks like ordering dinner. A richer structure is needed for that. An even more complicated version is needed to accurately communicate complicated technical concepts, and English also does well in that respect. On the other hand, that level of understanding is also much more difficult to attain.
English probably has more words than any other language in the world, so that almost any subtle shade of meaning has a word that describes it. The Oxford English Dictionary has complete entries for 171,476 words that are currently used as well as an additional 46,156 words that are considered obsolete. This large number of words makes it almost impossible for anyone to learn all of them, making English easy to learn but difficult to master.
Learning enough information security to attain a CISSP certification, for example, may be somewhat challenging, but may actually be easier than learning the subset of English used by civil aviation – the typical candidate for a CISSP certification probably spends fewer hours preparing for their exam than the typical language student takes to become fluent in English to the level required by the ICAO.
Similarly, while it’s easy enough to learn the basics of cryptography, for example, at least to the level needed to use it or to support products that use it, really understanding exactly how cryptography works and why it’s secure if it’s correctly used is a daunting task, particularly with the complicated mathematics that forms the basis for public-key cryptography. Other parts of information security may not require the extensive background in mathematics that cryptography does, but they are still just as difficult to master.
English is also essentially unique among modern languages because it rapidly adopts foreign words, quickly making them its own. English is a Germanic language, and is closely related to German, Dutch and Norwegian, sharing a common history as well as a similar grammar with these languages. Despite this, only 25 percent of the vocabulary of English comes from Germanic languages, and the remaining words were adopted from other languages over time. The biggest contributors have been Latin and French, each providing over 28 percent of English’s vocabulary. Greek has even contributed roughly five percent, and dozens of other languages have contributed smaller amounts.
Information security shows a similar voracious appetite for the material produced by a wide range of other academic disciplines. Much of the understanding of modern networks and how to make them secure comes to information security from mathematics, computer science and engineering. But because it’s also important to understand the decisions that users make and the business context of security, information security even borrows freely from psychology, economics and risk management.
English has also changed significantly over time, and while a fluent speaker of English will probably find the 600-year-old version of the language used by Chaucer in The Canterbury Tales fairly difficult to understand, they will probably find the 1000-year-old version of the language used in Beowulf totally incomprehensible – English has changed so much over the past 1000 years that the older version might as well be a totally different language from the point of view of a modern speaker. English continues to evolve, of course, and future speakers of the language will probably find the version that we use today to be totally incomprehensible in a few hundred years.
Information security also changes over time, and much more quickly than languages evolve. As new information technologies are invented they bring with them a new set of security vulnerabilities, so that an IT environment that was reasonably secure 10 years ago would almost certainly be inadequate in today’s environment. Fortunately, information security has also adapted to the new threats, so that it’s still possible to keep a reasonable level of security, although the security technologies that are used to make this happen are as different from those of 10 years ago as the language of The Canterbury Tales is from the language that we speak today.
Future threats will probably continue to drive the evolution of information security and before too long, the technologies that were used in the early 21st century will seem as archaic as the language of Beowulf. But the same flexibility and adaptability that have made English the language of business, aviation and information security will probably let the discipline adapt to any new threats, so that future IT environments will still be reasonably secure, although they may look very different than those of today.