Spend enough time around security people and you pick up a second vocabulary. It has a faintly military air and a noticeable per-syllable markup on vendor invoices.
Defense in depth: coding.
Zero trust: auth.
Least privilege: the permissions you forgot to grant.
Attack surface: your code.
Blast radius: everyone else’s code.
Hardening: turning things off.
Air gap: a USB stick.
Shift left: make it the developer’s problem.
Threat model: a Google Doc.
Tabletop exercise: a meeting about the Google Doc.
Compensating control: we didn’t fix it.
Risk acceptance: we didn’t fix it, in writing.
Remediation: a Jira epic.
Assume breach: we got breached.
CVE: curriculum vitae enhancement.
CVSS 9.8: please answer the phone.
Lateral movement: ssh.
Exfiltration: curl.
Supply chain security: running npm install, nervously.
Security posture: vibes.
Then there’s cyber, which gets prefixed to all of the above and increasingly used on its own. Cyber risk, cyber hygiene, cyber resilience, Cyber Essentials, “I work in cyber”. I have been on the internet long enough to remember when cyber was a verb, and what it meant when a stranger in an AOL chatroom asked if you wanted to. I cannot watch a minister say it into a microphone without that association firing, and at this point I’ve stopped expecting it to fade.