The Honest Security Glossary
Security jargon, translated into plain English with brutal honesty.
Every term comes with the official definition (what they tell auditors), the real definition (what it actually means), and the red flag (when to be suspicious).
Things Auditors Ask About
Audit
An independent examination of an organization's controls, processes, or financial records.
Weeks of gathering evidence, answering questions, and explaining why that one exception happened. The auditor's job is to find problems. Your job is to have already fixed them.
An auditor who doesn't ask any hard questions.
Business Associate Agreement (BAA)
A HIPAA-required contract between a covered entity and a vendor who handles PHI.
The legal document that obligates your vendor to protect health data and accept responsibility if they fail. Getting a company to sign one is easy. Getting them to actually follow it is the important part.
A vendor who takes weeks to produce a BAA or wants to "modify" the standard terms.
Control
A safeguard or countermeasure designed to protect the confidentiality, integrity, and availability of information and systems.
Something you do (or a tool you use) to prevent bad things from happening. Controls can be technical (MFA), administrative (policies), or physical (locked doors). Auditors love talking about controls.
Controls that exist in policy but not in practice.
Evidence Collection
The process of gathering documentation to demonstrate control effectiveness.
Screenshots. So many screenshots. Plus logs, policies, and that one approval email from 2019 that you really hope is still in someone's inbox.
Manually collecting logs, configuration screenshots, and other artifacts on a quarterly basis instead of using a platform for automation.
FedRAMP
Federal Risk and Authorization Management Program, a standardized approach to security assessment for cloud services used by federal agencies.
The government's way of saying "prove you're secure enough for us." It's SOC 2's more demanding older sibling. The process is long, expensive, and once you're in, you're basically in the club.
Claiming to be "FedRAMP ready" when you haven't started the authorization process.
HIPAA
The Health Insurance Portability and Accountability Act, establishing national standards for protecting sensitive patient health information.
Healthcare's security law that governs how you handle PHI. There's no official certification. You're either compliant or you're waiting for OCR to come knocking. The fines are substantial.
"We don't need a BAA because we don't look at the data."
HITRUST
A certifiable framework that harmonizes various industry standards (HIPAA, NIST, ISO, PCI) into a single comprehensive security and privacy framework.
A proprietary framework that bundles NIST, ISO, HIPAA, and other standards into one certifiable package. Healthcare enterprises often require it. Critics call it expensive and "pay to play." But if your customers require it, the debate is academic.
Pursuing HITRUST when your customers would accept SOC 2 + HIPAA.
ISO 27001
An international standard for information security management systems (ISMS) that provides requirements for establishing, implementing, maintaining, and continually improving security.
The European cousin of SOC 2. More prescriptive, requires a formal management system, and involves ongoing surveillance audits. Popular with enterprises and anyone selling to European customers.
Claiming ISO 27001 certification when you only did a gap assessment.
NIST Cybersecurity Framework
A voluntary framework developed by the National Institute of Standards and Technology consisting of standards, guidelines, and best practices for managing cybersecurity risk.
The free, government-created framework that most other frameworks borrow from. Organizes security into six functions: Govern, Identify, Protect, Detect, Respond, Recover. Not certifiable, but widely respected and a solid foundation for any security program. Start here if you're not sure where to start.
Using NIST CSF as a checkbox exercise without actually implementing the controls.
PCI DSS
Payment Card Industry Data Security Standard, with requirements for organizations that handle credit card data.
The credit card industry's way of making sure you don't store card numbers in a spreadsheet. The requirements are detailed, the audits are thorough, and the consequences for breaches are significant.
"We're PCI compliant" but the SAQ was filled out by marketing.
Risk Assessment
A systematic process to identify, analyze, and evaluate risks to organizational assets.
The exercise where you write down all the bad things that could happen and try to quantify how bad they'd be. Required by basically every framework, and a great way to discover how much you don't know about your own systems.
A risk assessment that finds zero high-severity risks. Either you're Fort Knox or someone didn't try.
SOC 2
A compliance framework from AICPA for service organizations, covering security, availability, processing integrity, confidentiality, and privacy.
The certificate enterprise customers demand before they'll sign the contract. Think of it as a security report card that auditors create by asking you a lot of questions and looking at your evidence. Type I is a snapshot, Type II is a movie.
"We're SOC 2 compliant" with no report to share.
Technical Stuff That Matters
API Security
Practices and tools to protect application programming interfaces, the entry points to your systems, from attacks.
Your APIs are often your biggest attack surface and you may not have visibility into all of them. Every engineer spins up endpoints; not every engineer thinks about authentication, authorization, and other security controls.
"Our APIs are secure" but there's a missing inventory, ad hoc release process, and limited security reviews.
Cloud Security Posture Management (CSPM)
Tools that continuously monitor cloud infrastructure for misconfigurations and compliance violations.
Your cloud security watchdog, constantly checking for open S3 buckets, overly permissive IAM roles, and the hundred other ways cloud environments drift out of compliance. Essential for cloud-first companies, but only valuable if someone actually triages and remediates the findings.
A CSPM tool with thousands of unacknowledged findings.
Encryption
The process of converting information into code to prevent unauthorized access.
The reason a stolen laptop or intercepted network traffic doesn't automatically mean a breach. "Encryption at rest" protects stored data. "Encryption in transit" protects data moving across networks. You want both, and you need to know where your keys are stored.
"Our data is encrypted" but no one can explain how or where the keys are stored.
Endpoint Detection and Response (EDR)
Security technology that monitors endpoint devices for suspicious activity and responds to threats.
Antivirus that went to graduate school. Watches what's happening on laptops and servers, looks for bad behavior, and can respond automatically. Actually quite good at catching things now.
EDR deployed to half the fleet because "the engineers complained."
Identity and Access Management (IAM)
Policies and technologies ensuring the right people have appropriate access to technology resources.
The gatekeeper for your entire environment. In cloud providers like AWS, it's the 500-page documentation that one person on your team actually understands. Get it wrong and either nobody can do their job or everybody can access everything.
Root credentials stored in a shared password manager with 47 people. All user groups in the cloud have full Admin permissions.
Least Privilege
The principle that users should have only the minimum access necessary to perform their job functions.
Everyone's an admin until you implement this. The goal is "need to know" and "need to do," nothing more. It sounds simple until you try to actually do it and realize everyone has access to everything.
"We'll clean up permissions after the sprint."
Multi-Factor Authentication (MFA)
An authentication method requiring two or more verification factors to gain access.
The single most effective control against account takeover. Modern options include authenticator apps, YubiKeys, registered devices, and biometrics. The goal: a stolen password alone isn't enough to get in.
"We have MFA available" but it's not required.
Penetration Testing
Authorized simulated attacks on a computer system to evaluate security.
Paying someone to try to break into your systems before the actual bad guys do. They'll find things you missed. You'll fix them. That's the point.
A pentest report with zero findings. Or a "pentest" that was actually just an automated vulnerability scan.
SIEM
Security Information and Event Management, a platform that collects, analyzes, and reports on security data.
A giant log aggregator that's supposed to detect attacks. In practice, it generates alerts that a human has to review. If you don't have that human, it's an expensive log storage system.
A SIEM that no one has logged into this month.
Single Sign-On (SSO)
An authentication scheme that allows users to access multiple applications with one set of credentials.
Log in once, access everything. Great for users, great for security (when done right), and often absurdly expensive because vendors know you need it.
SSO that doesn't enforce MFA. Or all the SaaS apps left out because of the SSO tax.
Vulnerability Scanning
Automated testing of systems to identify known security weaknesses.
Running a tool that tells you everything that's wrong with your systems. The trick is not drowning in the results. Pro tip: Most of those "critical" findings aren't actually critical in your environment.
Scanning once a year and calling it continuous monitoring.
Zero Trust
A security model that requires strict identity verification for every person and device trying to access resources, regardless of network location.
"Never trust, always verify." Sounds paranoid until you realize the alternative was "trust everyone inside the firewall," and that worked out terribly. It's less a product you buy and more a philosophy you gradually implement across your environment.
Anyone who says they "implemented zero trust" in a single quarter.
Security Leadership
CISO
Chief Information Security Officer, the executive responsible for an organization's information and data security.
The person accountable when things go wrong and often invisible when things go right. Part security expert, part translator, part executive advisor. The job is making the business safer without slowing it down.
A CISO who reports to IT and has no board access.
Cyber Insurance
Insurance coverage designed to protect organizations against losses from cyber incidents including data breaches, ransomware, and business interruption.
Financial protection for when security fails. Best reserved for catastrophic events—claims are burdensome and deductibles are high. Insurers now ask detailed questions about MFA, EDR, and backups. Lie on the application and they won't pay.
A policy that excludes ransomware or "failure to maintain security controls."
Fractional CISO
A part-time or outsourced security executive who provides strategic leadership on a flexible basis. Also known as a virtual CISO (vCISO).
All the strategy, none of the $400K salary. Works for companies that need security leadership but aren't ready for a full-time hire. Same expertise, different employment model.
A "fractional CISO" who's really just a security engineer answering emails. Or one who meets for an hour a month to "check on progress."
Governance
The framework of policies, processes, and decision-making structures that guide security activities.
The boring stuff that determines whether security actually works. Who makes decisions? Who's accountable? How do exceptions get approved? Without governance, security becomes a series of one-off decisions that don't add up to anything.
"Our governance is that everyone's responsible for security."
Incident Response Plan
Documented procedures for detecting, responding to, and recovering from security incidents.
The playbook for when things go wrong. Who do you call? What do you do first? How do you communicate? If you're figuring this out during an incident, you've already lost.
An incident response plan that's never been tested.
M&A Security Due Diligence
The assessment of cybersecurity risks and posture during mergers, acquisitions, or investment transactions.
Finding out what you're actually buying. Acquirers want to know if the target company has hidden security debt, undisclosed breaches, or compliance gaps that become their problem post-close. Sellers want a clean security story that doesn't crater the deal.
Security due diligence that consists of a single questionnaire with no technical validation.
Risk Appetite
The level of risk an organization is willing to accept in pursuit of its objectives.
How much danger the business is comfortable with. Every company says they're "risk-averse" until you show them how much security costs. This is actually a business decision, not a security decision.
Executives who say "just make it secure" without defining acceptable risk.
Security Awareness Training
Programs designed to educate employees about security risks and best practices.
Your people will always be a target. The question is whether they're prepared for it. Good training builds instincts, not just checkbox completion.
Annual training with 100% pass rate and zero actual behavior change.
Security Program
The coordinated set of activities, policies, and controls that protect an organization's information assets.
The difference between random security activities and actual security. Policies, tools, training, processes, and the strategy connecting them into something intentional. Without a program, you're just buying tools and reacting to fires.
A security "program" that's really just a list of tools purchased.
Security Questionnaire
A standardized set of questions used to evaluate an organization's security posture.
The 300-question spreadsheet that gates every enterprise deal. Your answers are reviewed by vendor risk analysts who've seen thousands of these and know which answers don't hold up.
Copying answers from last year's questionnaire without checking if they're still true.
Security Roadmap
A strategic plan outlining security initiatives, timelines, and resource requirements.
Your answer to "what's the security plan?" Shows what you're doing, when, and why, balancing risk reduction, compliance deadlines, and budget reality. Lives in a slide deck, dies in a spreadsheet.
A roadmap that hasn't been updated since it was created.
Tabletop Exercise
A discussion-based exercise where participants walk through a simulated incident scenario.
Getting everyone in a room and asking "what would we actually do if..." Cheaper than a real incident and surprisingly revealing. Most teams discover their plan has holes big enough to drive a truck through.
A tabletop where everyone agrees the plan is perfect.
Third-Party Risk Management
The process of identifying, assessing, and mitigating risks associated with outsourcing to vendors and service providers.
Your security is only as strong as your weakest vendor. This is the practice of figuring out which vendors have access to your data, how secure they are, and what happens if they get breached. Starts with a spreadsheet, ends with security questionnaires and contract clauses.
No inventory of which vendors have access to sensitive data.
Buzzwords VCs Love
AI Security
The practice of securing AI systems and managing risks associated with AI adoption.
Making sure your AI tools don't leak your data, get manipulated by attackers, or make decisions you can't explain to regulators. Includes securing the models you build, the APIs you use, and the data you feed them.
No visibility into data access, data retention, model training policies, or excessive permissions granted to AI tools.
Attack Surface
The sum of all points where an attacker could try to enter or extract data from a system.
Everywhere you can be attacked, which is more places than you think. Every API, every login page, every exposed service, every employee with email access. Modern companies have enormous attack surfaces.
Not knowing what your attack surface actually is.
Cyber Resilience
An organization's ability to continuously deliver intended outcomes despite adverse cyber events.
Accepting that you will get breached and planning to survive it. Less sexy than "we're unhackable" but far more realistic. Includes backup/recovery, incident response, and business continuity.
Resilience planning that assumes backups always work. (They don't.)
Defense in Depth
A security strategy that layers multiple controls so that if one fails, others compensate.
Multiple locks on the door. If the firewall fails, EDR catches it. If EDR fails, the SOC catches it. The goal is no single point of failure.
Defense in depth implemented by different vendors who don't talk to each other.
DevSecOps
The integration of security practices into DevOps processes throughout the software development lifecycle.
Shift left plus automation plus acronyms. The idea is good: security isn't a gate at the end, it's baked into the process. The implementation is often just adding SAST tools that everyone ignores.
DevSecOps without a security person on the DevOps team.
Prompt Injection
An attack where malicious instructions are inserted into prompts to manipulate AI model behavior.
Tricking a clanker into ignoring its instructions and doing what the attacker wants instead. The AI equivalent of SQL injection. If your product uses LLMs, this is your problem now.
An AI-powered feature that takes user input without any input validation or output filtering.
Security by Design
An approach where security is built into systems from the beginning rather than added later.
Thinking about security before you write the code, not after the pentest report comes back. Revolutionary concept, rarely practiced, always cheaper than retrofitting.
"Security by design" as a slide in a pitch deck with no budget attached.
Shadow AI
The use of AI tools and services by employees without IT or security approval.
Your employees are already using ChatGPT, Claude, and a dozen other AI tools. The question is whether they're pasting customer data, source code, or credentials into them. Shadow AI is the new shadow IT.
No policy on AI usage. Or a policy that says "don't use AI" while everyone ignores it.
Shift Left
Integrating security practices earlier in the software development lifecycle.
Finding security problems before code ships, not after. Makes sense in theory, requires actual investment in practice. Usually means "make developers do security work without hiring security people."
"We shifted left" but security still isn't involved until the week before launch.
Threat Intelligence
Evidence-based knowledge about threats, threat actors, and their tactics, techniques, and procedures.
Information about who's attacking companies like yours and how. Ranges from free (security news, CISA alerts) to expensive (commercial threat intel platforms). Useful for prioritizing defenses, but most companies need less of it than vendors claim.
Threat intel feeds that don't automatically map to your actual inventory.
Things That Keep You Up at Night
Advanced Persistent Threat (APT)
A prolonged, targeted cyberattack where an intruder gains access and remains undetected.
The sophisticated attackers who get in and stay in, for months or years. Usually nation-states or well-funded criminal groups. If you're a regular company, you probably don't have APT problems. You have "we didn't patch" problems.
Claiming everything is an APT to avoid explaining the real cause.
Business Email Compromise (BEC)
A scam where attackers impersonate executives or trusted parties to trick employees into transferring money.
The CEO emails accounting: "Wire $50K to this account immediately and don't tell anyone." Except it's not the CEO. Low-tech, high-reward. Billions lost annually. Usually defeats all your fancy technical controls.
Wire transfer approval processes that rely solely on email.
Credential Stuffing
An attack where stolen username/password combinations are used to attempt unauthorized access.
Attackers take breached passwords from one site and try them everywhere else. Works because people reuse passwords. This is why MFA matters and why you should use a password manager.
No rate limiting on login attempts.
Data Breach
A security incident in which sensitive, protected, or confidential data is accessed or disclosed without authorization.
When the bad stuff happens. Customer data exposed, credentials stolen, systems compromised. Triggers notification requirements, regulatory scrutiny, and a lot of difficult conversations. Measure your security program by how ready you are for this.
Learning about a breach from a journalist.
Insider Threat
A security risk originating from within the organization, whether malicious or negligent.
Your own employees, contractors, or partners causing problems, sometimes on purpose, often by accident. The admin who takes the customer database when they leave. The engineer who commits secrets to GitHub. The executive who reuses passwords.
No monitoring of access to sensitive systems.
Phishing
Fraudulent attempts to obtain sensitive information by disguising as a trustworthy entity.
Fake emails designed to trick people into clicking links or entering credentials. Responsible for the majority of breaches because it works. It will always work. Train your people anyway.
Relying on people to spot phishing emails without compensating controls.
Ransomware
Malware that encrypts files and demands payment for the decryption key.
Criminals encrypt your stuff and demand Bitcoin. It's a $20 billion industry that ruins companies regularly. Your options are: pay (they might decrypt, might not), restore from backups (if you have good ones), or start over.
Offline backups that aren't actually offline.
Social Engineering
Psychological manipulation techniques used to trick people into divulging confidential information.
Hacking humans instead of computers. Pretexting, pretending to be IT, tailgating into buildings. People are often easier to exploit than systems. Your technical controls mean nothing if someone talks their way in.
Security training that doesn't cover social engineering.
Supply Chain Attack
An attack that targets less-secure elements in the supply network to compromise a final target.
Attacking your vendors to get to you. SolarWinds, Codecov, MOVEit. Instead of breaking down your door, attackers compromise someone you trust and walk right in. Hard to detect, harder to prevent.
Never asking vendors about their security practices.
Zero-Day
A vulnerability that is unknown to the vendor and for which no patch exists.
A security hole nobody knows about except the attackers using it. Named because you have zero days to prepare. Rare in the wild, expensive to acquire, usually reserved for high-value targets. If you're worried about zero-days before fixing known vulnerabilities, you have your priorities backwards.
Using zero-days as an excuse for not patching known vulnerabilities.
Still have questions?
Security jargon is the least of your problems. If you're trying to make sense of your security program, compliance requirements, or whether you actually need a CISO, let's talk.
Get answers