Acronyms are an easy way to remember and reference long-winded technical terms, but sometimes too many can hinder understanding or even become a problem in such a high-stakes industry.
Back when Elon Musk was best known for founding SpaceX and Tesla, not as one of Donald Trump’s most trusted advisors, he issued a stern warning to his employees about their overuse of acronyms.
In 2010, Musk sent a memo to staff that read:
“There is a creeping tendency to use made up acronyms at SpaceX. Excessive use of made-up acronyms is a significant impediment to communication… No one can actually remember all these acronyms and people don’t want to seem dumb in a meeting, so they just sit there in ignorance…. This needs to stop immediately or I will take drastic action…. If there is an existing acronym that cannot reasonably be justified, it should be eliminated, as I have requested in the past.”
This may seem heavy-handed, but there’s no denying the overuse of acronyms in the tech industry can in fact serve as a significant obstacle to clear and concise communications. This is especially troubling in a high-stakes sector that demands understanding and transparency.
APT, CTI, DDoS, EDR, IAM, MDR, MSSP, SASE, SIEM, SAT etc., RaaS, OpSec, SOC, SOCaaS, DevSec, DevOps, DevSecOps, DFIR, SAST/DAST, NHI, GDPR, CISA, HIPAA, CVSS, SSO, 2FA, MFA, the list goes on. CISOs and other cybersecurity professionals may grasp these immediately, but just as many may be left scratching their heads, especially newcomers to the firm or the field.
And how about pronunciation? Ask a colleague who’s a CISO how they pronounce their title. Is it siss-oh? See-so? Or do they go all out and hit the initials C-I-S-O? What about SIEM? Seem? See em? Seye em?
If you don’t believe cybersecurity is a little overloaded with acronyms, check out GitHub’s massive curated list of those currently in use. It’s so pervasive that cybersecurity pros occasionally give it a smirking acknowledgment in their work, as when security developer Victor Alvarez developed a malware detection tool and named it YARA. “YARA: Another Recursive Acronym, or Yet Another Ridiculous Acronym. Pick your choice,” Alvarez said on X (formerly Twitter) to explain his naming convention.
Having too many acronyms can bog things down at the worst time
Imagine an organization is in the midst of a massive hack or security breach, and employees or clients are having to Google frantically to translate company emails, memos or crisis plans, slowing down the response.
When these acronyms inevitably migrate into a cybersecurity company’s external marketing or communications efforts, they’re almost guaranteed to cause the general public to tune out news about issues and innovations that could have a far-reaching impact on how people live their lives and conduct their businesses. This is especially true as artificial intelligence (AI!) and machine learning (ML!) technologies expand and new acronyms emerge to keep pace with developments.
Acronyms can also have unfortunate real-life connotations — point of sale, to name just one example. When shortened to POS, it can suggest something is… well, crappy.
I edit copy written by academics, including cybersecurity scholars, as an editor at The Conversation, a global online news organization. Let’s put it this way: Many academics, regardless of their area of expertise, have never met an acronym they didn’t prefer to typing out the entire phrase. That means our copyediting efforts too often involve spelling out or removing acronyms throughout, much to the chagrin of some of our authors. They may have made up these acronyms and are particularly proud of them.
When is it safe to use an acronym?
Our rule of thumb is that no acronyms should be included in copy unless they’re well-known — think IT, WiFi, FBI, NATO, CEO, CNN. If people don’t use them in conversation, they should be avoided and simply spelled out, even in repeated references.
Clearly, tech organizations and publications, including CSO Online, have their own style guides detailing what acronyms are acceptable. But as a general rule, it’s never a bad idea to err on the side of spelling things out in written communications, especially on first reference.
Here are some of the sillier acronyms we’ve had to remove from copy:
- SHT for smart home technologies.
- FRT for facial recognition technology.
- PWUD for people who use drugs.
- EWE for extreme weather events.
- SET for structural and environmental technologies.
- NAP for national adaption and/or action plans.
- PWHCH for a person who has caused harm.
Some of these acronyms are arguably used by PWHCHs and run the risk of turning readers into PWUDs.
Why do we use acronyms?
So, what’s behind the tendency to shorten terms to a jumble of often incomprehensible acronyms and abbreviations?
“On the one hand, acronyms, abbreviations and jargon are used to achieve brevity, standardization and efficiency in communication, so if a profession is steeped in complex and technical language, it will likely be flowing with acronyms,” says Ian P. McCarthy, a professor of innovation and operations management at Simon Fraser University in Burnaby, British Columbia.
“But because communication helps define the identity and exclusivity of a profession, the use of acronyms by a profession is a form of elitism that selects and restricts who can function in the profession. Using acronyms signals that you are worthy of belonging to a professional community.”
It’s as if the industry has declared acronyms its ultimate secret weapon, employing them not just to save time but to create an exclusive club where only the initiated can follow the conversation. This isn’t just frustrating — it can slow down onboarding, alienate potential collaborators and obscure the critical work being done.
And rightly or wrongly, the tech industry already faces criticism for being elitist and exclusionary. While the cybersecurity sector is making progress in terms of hiring more women and racialized minorities, there’s still work to be done.
Here’s how acronyms can really get in the way
So, using inaccessible language may make it even more difficult to engage people from diverse backgrounds. New employees or clients of cybersecurity firms may feel as though they’re navigating an entirely separate language, populated by a never-ending list of abbreviations.
As useful as acronyms can be, they are overwhelming when used in excess, creating the following problems:
- Barrier to entry: For newcomers, the constant onslaught of acronyms can be intimidating and discouraging. Imagine a new employee trying to understand cybersecurity protocols but feeling overwhelmed by thousands of unfamiliar abbreviations. Acronyms initially intended to help industry insiders communicate quickly may unintentionally alienate newcomers — and slow things down when an organization needs to move fast.
- Duplication and ambiguity: Acronyms often have multiple meanings depending on the context, like ASP (application service provider vs. active server pages). If someone refers to “APT,” are they talking about an advanced persistent threat, or something entirely different? This ambiguity can lead to misunderstandings in crucial communications, potentially leading to security vulnerabilities.
- Acronym fatigue: As Musk alluded to in his scathing 2010 memo, professionals already in the field may face “acronym fatigue” as the sheer volume of terms makes it challenging to keep up with new developments. This can be especially problematic in cybersecurity, where it’s crucial to understand the latest threats and solutions.
- Loss of transparency: As cybersecurity becomes more critical to our daily lives, it’s important for the public to understand basic security concepts, but acronyms can obscure rather than clarify. Concepts like MFA and VPN might be bewildering to users who lack an understanding of the terminology, even if they know these tools are meant to protect them.
Here’s how to make acronyms more approachable
The solution isn’t necessarily to avoid acronyms altogether—they can serve an important role in condensing complex concepts. In fact, this list of old standbys, as well as new and evolving acronyms, may be helpful for cybersecurity organizations. However, reducing the overuse of acronyms, and providing context, can make them more accessible. Here are some approaches that could improve understanding:
- Glossaries: Organizations could create a standardized glossary of commonly used acronyms, especially in onboarding materials or materials aimed at a broader audience — and especially anything public-facing. This would make it easier for newcomers to familiarize themselves with essential terms.
- Simple explanations: Providing short explanations or definitions when using less common acronyms can clarify their meaning. This approach, already common in documentation and industry articles, could be expanded to include presentations, meetings and emails within organizations.
- Avoiding unnecessary acronyms: As an editor I recently fumed to a colleague as we co-edited a story: “Is it really so onerous to spell out ‘extreme weather event?’” My colleague replied: “Or just write out tornado, hurricane, flood, whatever it actually is?” Not every term needs an acronym, and in some cases, plain language can even replace what the acronym stands for. Reserving acronyms for the most common or widely understood terms can reduce the total volume of abbreviations.
- Training: Regular training sessions that update veterans on both new terminologies and existing commonly used acronyms can help everyone at the organization stay on the same page without overwhelming them.
A tech sector worker on Reddit jokingly asked: “What do cybersecurity professionals do with all the time they save by using acronyms?”
They could use that time to think of ways to ensure their workplaces take all the necessary steps to prioritize clear, concise language to the benefit of all their employees, clients and stakeholders. To paraphrase playwright George Bernard Shaw, the single biggest obstacle in communication is the illusion that it has taken place. Overusing acronyms helps create that illusion.