Usefulness in Organizational Names
What we name things is important. We name our children, we name our cars, we give our friends nicknames. Those names mean something. They’re relevant and reflect a purpose, history, and relationships. In IT we name things too. We name our servers, we name networks, and we name projects. Those names serve a purpose. Think about the Oakland datacenter backup voicemail server running Linux, OakDCVMLLNX002. Like other names, what we call organizations in IT should serve a purpose as well.
Lately, I’ve been seeing a trend of calling InfoSec teams and functions really abstract, overwrought, and nondescript things. Names that include words like “Cyber,” “Threat,” and “Fusion” seem to be popping up everywhere. Many times I’m finding these teams don’t have much to do with the words in their names. Other times, I find their names aren’t inclusive or exclusive of all of their functions. These names are not helpful and distract from doing the important work of Information Security. My position? A name should be a simple descriptor of what and who you are, where you fit into the organization, what you do, and who you do it with, and it should be easy for a layperson to understand.
Skipping over examples (and protecting the guilty), let me get right to my suggestions. Call your Operations team “Security Operations.” If you’re concerned that isn’t going to capture your specific teams and their functions, divide it up and call your teams “Security Operations: Engineering and Support” and “Security Operations: Intelligence, Monitoring, and Response.” Call your Project and Business Management Organization “Business and Project Management.” Security Architecture should be called, you guessed it, Security Architecture. If you want to call your Business and Project Management organization/function “Business and Project Success and Enablement,” congratulations, your use of flowery, opaque terms is straight out of a Dilbert cartoon. But it doesn’t help explain what it is that group does.
When a third party or person from outside of your business unit has to ask you, “What does your ‘Cyber Intelligence Collaboration Unit Xtreme!’ do?” you may want to reconsider the name. Worse yet, when an InfoSec practitioner has to ask the same question and then follows with, “Wait, are you operational or not? Do you do Engineering? Are you Day 2 or not?” you may need an intervention.
You may think the name of your new Digital Forensics team (Team Corporate Cyber CSI Fusion 9001?) sounds futuristic and witty, but our mission in Information Security isn’t to sound futuristic and witty and to dazzle people with our elaborate naming. Our mission is to secure data, systems, and networks.