In 2023, cybersecurity is chasing the chimera of software doomsday devices. We can contemplate this windmill-tilting through the language cybersecurity startups use to describe their
You see, rather than reflecting on our inability to mitigate untrustworthy code by design – how wayward we strayed from the dreams of the first security thought leaders in the 70s and 80s[1] – in 2023 we’ve decided that we must purchase at least seven tools shoved into developer workflows (with one more for each developer that procrastinates completing the 5-hour security awareness training); design regulatory obstacle courses navigable only by the most digitally transformed of golden retrievers (by mortals who will never have to traverse it themselves)[2]; and that to really shift left, we must strap dolphins with vulnerability scanners to echolocate bugs in undersea cables (we wanted to try with bats in data centers but general counsel shot us down).
We have decided that all of this performative pomp led by Captain Ahabs everywhere will definitely Fix Things This Time – and it shows in our buzzwords.
This edition of my annual Cyber Startup Buzzword Bingo elucidates the current zeitgeist through which buzzwords are most popular among cybersecurity startups.
I surveyed 100 infosec companies’ websites[3], the vast majority of which are startups who raised VC funding in the past nine to twelve months or else are notable (like having booths in RSAC’s Early Stage Expo). The idea behind the bingo card is to take it with you on journeys through vendor halls, sales pitches, or startup websites and see whether you can replace your eyerolls and abyss-gazing with the surprise and delight of “Bingo!”.
Without further introduction, below is the 2023 Cyber Startup Buzzword Bingo card – read on if you want more analysis:
What words are growing in influence?
All bolded buzzwords are on the rise (unless otherwise indicated).
We grew more sensitive this year, perhaps due to the intensifying focus on posture. Indeed, I’ve often marveled at the similarities between cybersecurity vendors and chiropractors.
We care more about CI/CD and APIs this year; even Kubernetes is mentioned more than endpoints, although I would waste an unreasonable amount of time watching security people try to explain what Kubernetes is.
The security industry is finally aware that developers exist, although they seem less enthused than Steve Ballmer was once upon a time (but maybe as sweaty about it).
Infosec also realized that workflows exist, which isn’t shocking given they seemingly remain unaware of the existence of UX. Does this mean cybersecurity is creeping its way into the modern era? Software engineers strongly suspect security vendors are still full of shit.
In 2023, there are three simple words cybersecurity vendors want to hear from buyers: “You complete me.” They want you to discover all the insights they have to share and really wish you would prioritize them over all the other vendors you could take to prom; they are the fabled local single eager to meet you.
Vendors believe we feel the need for speed, our security engine antsy to go faster. Given how disruptive most DevSecOps tools are to software velocity, I suspect these vendors might be yanking our supply chain.
I don’t quite know what to make of the fact that effective soared in popularity while accurate plummeted. Perhaps these security tools are less like documentary coverage and more like reality TV – and the commonality of indecent exposure strengthens the case.
Finally, the world will perish in the battle between zero trust and trusted. Hopefully a mushroom cloud won’t follow, else we must resume our society beneath the Earth’s surface, Fallout-style. Or maybe ChatGPT will take control first. Remember, the goal is to convince the AI overlords that you’re a pet, not cattle!
Which words are falling out of favor?
All bolded buzzwords are on the decline.
Vendors suspect we care less about advanced, sophisticated, and zero-day attacks, which I can only hope is true because it’s about time we focus on the less sexy activity. Yet, I worry a new targeted buzzword threat is conspiring to rise…
While AI may be all the rage among VCs desperate to feel like they’re on the thoughtleading edge rather than the awkward outskirts of the dance floor, both it and ML are less popular in cyber startup product messaging this year. I guess it wasn’t as effortless as vendors assumed.
Vendors are now less unparalleled, unmatched, world-class, best-in-class, and enterprise-grade. How else were we supposed to understand their differentiators without those filler adjectives?? Jokes aside, I suspect this ultimately enhanced their messaging.
It is not a deep insight to recognize that some buzzy verbs seemingly flew too close to the sun last year: empower, enforce, optimize, orchestrate, and enrich declined considerably. Were they not powerful enough? Or did buyers’ eyeballs not find these verbs as seamless to digest as marketers hoped?
The term blindspots is thankfully falling out of favor, too; only 3 startups included it. If they aren’t going to be inclusive, then hopefully buyers won’t include them in their security stacks, either.
In general, I, for one, hope the decline of filler and fluff accelerates – but purpose-built buzzwords lurk on the horizon, as we shall see in the next section. Marketing pros are remarkably agile, despite the protestations by our sanity.
What words should we fear becoming A Thing?
All bolded buzzwords seem to be emerging.
Trying to manifest their ideal buyer persona into the universe, vendors started to use the term no-brainer in 2023. We talk a lot about attack surface, but less about the ever-growing buzzword surface and how its sprawl has a corrosive effect on our cognition.
Perhaps late to the Marie Kondo hype, cyber vendors are leaning into the word minimal. Is it a sign of maturity or growth? Or is it the first rumblings of an ominous shadow creature from the depths of Buzzoria? Will we cling to the guardrails as we hear its thunderous steps approaching or shall we perish?
2023 also budded the buzzword no-code, which is a pithy way of summarizing what CISOs wish they could tell their software engineering teams.
Finally, cybersecurity vendors are simultaneously becoming more tailored and more holistic, perhaps belying their lack of coherent collective strategy – of course, other than to milk security buyers’ wallets as their foremost mission.
What will mortals on social media yell at me for not including?
Every year, mortals are mad at reality and take it out on me. As always, what buzzwords vendors spew to you in meetings are not captured by my scraper and I can only shudder to imagine what the results would be if I scraped #Security #ThoughtLeader LinkedIn posts.
I know current consultants and ~~future consultants~~ regulators are trying to make SBOMs happen but, like fetch, they have not yet happened. MITRE grew yet again but has never hit critical mass.
I was actually surprised that observability is flat year-over-year, given there’s a push on that buzzword by ~~Big Buzzword Agriculture~~ research analyst firms. Perhaps there are smudges on the single-pane-of-glass that occlude vendors’ vision.
Speaking of cloudy, multi-cloud is relatively flat from last year and still slim in usage. You might find this to be a remote possibility, but I assure you it’s true.
And, finally, as evidenced when getting too close to the crowds at cybersecurity conferences, hygiene remains niche.
[1] MacKenzie, Donald. Mechanizing proof: computing, risk, and trust. MIT Press, 2004.
[2] Because all the other compliance standards have totally not distorted incentives and wasted countless time, attention, and effort…
[3] I did not scrape their entire website, only the main page and, if present, product/platform page. If buzzwords appear in blogs, for instance, that isn’t captured. The goal is to hone in on how cybersecurity startups presently present themselves to the market.