“Why did we name that job ‘penetration tester’?” the author asked after a career panel at the Canberra Cyber Hubs Career Symposium, an exchange that began with a teenage snigger and ended with a question about who the language of the field invites — and who it shuts out.
Canberra Cyber Hubs Career Symposium: a moment that matters
Last year the author was on a panel at the Canberra Cyber Hubs Career Symposium, speaking to high school students about career pathways. When one panelist mentioned working as a "penetration tester," a male student in the audience started sniggering. The anecdote is small, the author notes, but illustrative: the phrase itself — and the reactions it produces — signal a broader cultural problem about how cybersecurity presents itself to potential recruits.
Militarised vocabulary and a deliberate shift
The article argues that cybersecurity vocabulary is "deeply masculine or militarised," pointing to common terms such as "man-in-the-middle attack," "kill chain," and "brute force." That framing did not arise by accident. In the early 2000s the US Department of Defense shifted from "information warfare" to treating cyberspace as a discrete domain. By the late 2000s, cyberspace had been officially defined as a "global domain" within the information environment — a conceptual move that, the piece says, gave military actors legitimate authority to operate there and exported a combat-oriented vocabulary beyond defence institutions.
How language narrows the profession
The author contends that militaristic metaphors create a professional culture that reads as "homogenous, combative and accessible only to those fluent in combat jargon." That culture, the piece argues, fuels the "hacker-in-a-hoodie" stereotype and the misconception that cybersecurity chiefly belongs to those who write code and "think in adversarial terms." In contrast, the author says, modern cybersecurity practice often sits at the intersection of governance, risk, psychology, law and public policy — a multidisciplinary reality that the combat metaphors obscure.
Evidence of divided definitions and biased recruitment language
Academic research cited in the article reinforces the claim that language matters. A University of Sydney study found that even experienced cybersecurity professionals could not agree on what the field includes. In that research, women interviewed were more likely to include "e-safety" — explicitly named as "stalking, image-based abuse and digital surveillance" — as a core cybersecurity concern, while male respondents were more likely to exclude it. Separately, Monash University research examining IT and software engineering job advertisements identified linguistic patterns associated with bias: male pronouns, references to "rockstar" candidates, and analytical terms statistically associated with male applicants. Together, these findings suggest both definitional drift within the profession and recruitment language that leans toward certain demographics.
Credentialing through jargon: Carol Cohn's observation
The article draws on the work of researcher Carol Cohn, who documented a related phenomenon in defence intellectual culture: speaking plainly — in "plain English" rather than "techno-strategic jargon" — led interlocutors to treat her as uninformed. The author uses Cohn's account to argue that language can operate as a credentialing mechanism, sorting insiders from outsiders before substantive debate even begins.
What this means for professional bodies, government and educational institutions
- Professional bodies should revisit how they define the field and what vocabulary they treat as the baseline of competence, the author argues, so definitions do not implicitly exclude whole areas of practice.
- Government must look beyond pipeline programs and graduate schemes to interrogate the professional culture those pipelines feed into, including the language of job standards and public messaging.
- Educational institutions need to reconsider how they describe careers and write job standards to avoid linguistic bias that can repel otherwise qualified applicants.
The article concludes that Australia faces a sustained cybersecurity workforce shortfall and that addressing it "requires more than pipeline programs and graduate schemes." Language, the author insists, is a practical lever: revising terms, job descriptions and professional vocabularies could broaden who feels entitled to enter and remain in the field. "Given cyberspace is a global domain," the piece closes, "the language we use to govern it should reflect that – and the full range of people capable of defending it."
