Tim Bourgaize Murray: RIP, “APT”
When a real problem meets dated jargon.

In a world where words and catchphrases drift in and out of style, etymology is all the more important and too often ignored. To wit, and believe it or not, I briefly debated using “On Leek” parodying “on fleek” to headline this month’s cover story. Understanding where verbiage comes from should help explain what it means and why, all of the sudden, Twitter is obsessed with hashtagging it.
Of course, the same goes for technology speak. Take, for instance, a cyber-related situation back in 2011, when a state actor compromised RSA, the vendor that builds token-password technology used by most Fortune 500 companies. The actor turned out to be China, but everyone involved was reticent to say as much.
Back then, it wasn’t politically kosher to identify the country, as one senior technologist recently put it to me, so a new term—“advanced persistent threat”—was coined and served to obfuscate things until an army general at US Cyber Command, Keith Alexander, and US senator Carl Levin decided enough was enough, and, in a surprising turnabout, finally “outed” the perpetrator. That same chief technologist said the term—more simply known now as APT—could probably have gone away then and there, without anyone noticing.
Drawing Ire
But the opposite happened. Four years later, APT is probably the second most commonly used acronym in cybersecurity chatter, after DDoS (distributed denial of service), but it draws a lot more ire from CISOs. In a recent Waters story on the Carbanak bank breach, one source even made his own sarcastic revision, noting that the Kaspersky press push was really an AVT—advanced vendor threat. Ouch.
Like anything else that is highly marketed, the concept of an APT doesn’t exactly fit reality. There are many persistent threats facing financial services firms, and more rarely, there are bespoke, advanced threats that go after intellectual property or source code—but it isn’t too often that the Venn diagram overlaps. Yet we’re led to believe that in each and every moment we’re facing a cyber-Armageddon … and even the world’s most careful media organizations are happy to go along with that narrative.
So what’s the problem? Well, like anything else that is highly marketed, the concept of an APT doesn’t exactly fit reality. There are many persistent threats facing financial services firms, and more rarely, there are bespoke, advanced threats that go after intellectual property or source code—but it isn’t too often that the Venn diagram overlaps. Yet we’re led to believe that in each and every moment we’re facing a cyber-Armageddon … and even the world’s most careful media organizations are happy to go along with that narrative.
It would seem counterintuitive, but the most level-headed bunch in the security space—at times, even playing things down—are actually the CISOs themselves. As rational actors, they would seem most likely to play-up the threat. Bigger budgets and more personnel would probably follow.
Instead, it’s almost as if they’re in the opposite role: managing the risk, of course, but dispelling rumors and reassuring board members that, yes, actually, the firm has known for months, if not years, about the cyber news they read in the Financial Times yesterday. It must be an awfully strange position to hold in 2015, though obviously an exciting one—as we hope the entirety of the April issue of Waters has shown.
More Wheat, Less Chaff
From a vendor’s perspective, it should be an interesting space to watch, too. The major names in the space haven’t really changed yet, but if Blackstone is any indication, it does seem that more major capital markets firms are increasingly looking to start-ups rather than establishment players to fit what they need. I imagine the arguments are traditional ones: better service levels, greater customization and the opportunity to mold the product (and in Blackstone’s case, the company itself) earlier on—more wheat, less chaff.
Authorities are closing in on identifying the perpetrators of the JP Morgan Chase data theft from last year, and I imagine the industry is watching closely. Not for the contour or source of the threat—most everyone with a cyber-intelligence provider probably already knows most of that—but rather for the way it is handled by the regulatory and government authorities. In short, the way it’s spun.
Which gets back to the roots of the problem with cyber: it’s fluid and complicated enough, and we’d be better off without an additional patina of jargon coating it.
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@waterstechnology.com or view our subscription options here: http://subscriptions.waterstechnology.com/subscribe
You are currently unable to print this content. Please contact info@waterstechnology.com to find out more.
You are currently unable to copy this content. Please contact info@waterstechnology.com to find out more.
Copyright Infopro Digital Limited. All rights reserved.
As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (point 2.4), printing is limited to a single copy.
If you would like to purchase additional rights please email info@waterstechnology.com
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. As outlined in our terms and conditions, https://www.infopro-digital.com/terms-and-conditions/subscriptions/ (clause 2.4), an Authorised User may only make one copy of the materials for their own personal use. You must also comply with the restrictions in clause 2.5.
If you would like to purchase additional rights please email info@waterstechnology.com
More on Emerging Technologies
Standard Chartered goes from spectator to player in digital asset game
The bank’s digital assets custody offering is underpinned by an open API and modular infrastructure, allowing it to potentially add a secondary back-end system provider.
Saugata Saha pilots S&P’s way through data interoperability, AI
Saha, who was named president of S&P Global Market Intelligence last year, details how the company is looking at enterprise data and the success of its early investments in AI.
Data partnerships, outsourced trading, developer wins, Studio Ghibli, and more
The Waters Cooler: CME and Google Cloud reach second base, Visible Alpha settles in at S&P, and another overnight trading venue is approved in this week’s news round-up.
Are we really moving on from GenAI already?
Waters Wrap: Agentic AI is becoming an increasingly hot topic, but Anthony says that shouldn’t come at the expense of generative AI.
Cloud infrastructure’s role in agentic AI
The financial services industry’s AI-driven future will require even greater reliance on cloud. A well-architected framework is key, write IBM’s Gautam Kumar and Raja Basu.
Waters Wavelength Ep. 310: SigTech’s Bin Ren
This week, SigTech’s CEO Bin Ren joins Eliot to discuss GenAI’s progress since ChatGPT’s emergence in 2022, agentic AI, and challenges with regulating AI.
Microsoft exec: ‘Generative AI is completely passé. This is the year of agentic AI’
Microsoft’s Symon Garfield said that AI advancements are prompting financial services firms to change their approach to integrating AI-powered solutions.
Inside the company that helped build China’s equity options market
Fintech firm Bachelier Technology on the challenges of creating a trading platform for China’s unique OTC derivatives market.