The cybersecurity industry still uses the term whitelisting. Find out why it's time to promote equality and be more inclusive in our language.
As the VP of Marketing for a cybersecurity company, part of my job is managing SEO (search engine optimization). For non-marketing people, SEO is the art of figuring out how to get the right people to find your website. I need to know how our potential buyers are searching for solutions to challenges they have to ensure our website shows up in their searches. For example, if someone is concerned about ransomware but they have out-of-support legacy operating systems like Windows 2012, they will be searching for a solution to protect themselves from unpatched vulnerabilities. It’s my job to make sure that whatever combination of keywords someone uses to search for solutions, the Virsec website is easy for them to find. Aside from paid ads, this is difficult to do, especially in a noisy market like cybersecurity.
At Virsec, we have patented technology that extends Zero Trust to applications and workloads by leveraging security controls that embrace a modern automated allowlisting approach - permitting only known good code (executables, libraries, and scripts) to run. All other code is explicitly denied execution — eliminating dwell time and stopping zero-day attacks before exploitation can occur.
Here's my challenge: The word choice used to describe our protection methodology, “allowlisting,” is more commonly called “whitelisting.” The terms whitelisting and blacklisting have long been used in cybersecurity to refer to what is allowed or not allowed. People have recognized that these terms are outdated and not inclusive in recent years, and it’s time we all do something collectively about this.
“As we work to fill open cybersecurity jobs and create a more diverse and inclusive industry that is better able to combat cyber threats, inclusivity, and the intentionality that requires, has to permeate every aspect of the field, including the language. ‘Blacklist’ equates black with bad and white with good,” Camille Stewart, the global head of product security strategy at Google and the co-founder of #ShareTheMicInCyber, an initiative to highlight and raise the voices of diverse people in cybersecurity, told Motherboard in an online chat. “Although not the most important part of the work to be done, the roots in systemic racism and the subtle message it sends about the industry matter.”
In 2021, NIST published inclusive language guidance for use in publications with the concept of “inclusive language,” — meaning wording likely to be perceived as neutral or welcoming by all audience members, regardless of their background. The terms “whitelist” and “blacklist” were replaced with “allowlist” and “blocklist” or “deny list” accordingly.
CompTIA updated the language in all certification exams in 2021 to be more inclusive as well. “Exclusive language is wording that promotes inequality. It undermines humanity by minimizing the worth and capabilities of individuals from marginalized groups.”
While major organizations like NIST and CompTIA made changes in 2021 to update and standardize more inclusive terms 2 years ago, the tech industry still lags behind. As a marketer, I want to do the right thing and never use the term whitelisting anywhere on the website or marketing collateral. However, the data shows that most security professionals still use the term “whitelisting.” The Google searches prove it. In the United States alone, from August 1st – 28th, there were 3600 internet searches of the word “whitelisting” vs. just 320 of the word “allowlisting.”
Virsec is committed to providing innovative solutions that secure applications and workloads from ransomware, malware, and zero-day threats, and takes pride in being an industry leader. As a leader, Virsec believes in promoting inclusivity and diversity in the industry by changing the vocabulary used in cybersecurity. The company has consciously decided to use the term "allowlisting" instead of "whitelisting" in all its website, ads, and marketing publications. This effort is a small step in promoting equality and highlights the importance of language in creating a more inclusive and diverse tech industry.
To learn more about the Virsec Security Platform (VSP), please visit us at www.virsec.com
Don't miss our security insights, and subscribe to our blog now.