Corporate Security

How I SaaW The Problem With ‘Cyber’ Security

A few folk have seen me tweeting the hashtag #SaaW. It all grew from an online conversation with Caitlin dos Santos (Caitlin_Pro, a very smart and experienced InfoSec pro). I kicked off with this:

I call out other buzzwords, but the one that mainly gets my goat is ‘cyber’ when it’s used to prefix ‘security’. Many key players in the security industry are critical of the noise built up around that. You don’t have to go far to find a tweet like this…

…or a cynicism fest (albeit a deliciously witty one with a truthful core), like I Cringely’s The Cybersecurity Myth. Is it resistance to change? Not really. Most of it boils down to the following:

Cyber & Stereotypes

It too easily conjures up the image of a hoodied hacker, or malware maelstrom on t’interweb (that’s cyberspace for many). It doesn’t lend itself to consideration of accidents, social engineering, physical security and resilience – equally vital vectors of attack and pillars of defence. I had my own rant about that here.

Cyber & Scare Tactics

It’s been wholeheartedly adopted by the FUD merchants, be that bandwagon-jumping breach chasers (think ambulance chasers, only on the digital highway), amateurish mainstream media efforts, spreaders of propaganda and folk who generate fear to sell.

Cyber & (Non)Sense

Basically, it doesn’t mean anything. Well it does. Here’s what good old wikipedia says about origins:

“Cyber-“

“Cyber- is a prefix derived from “cybernetic,” which comes from the Greek adjective κυβερνητικός meaning skilled in steering or governing (Liddell and Scott, Greek-English Lexicon)”

Not going to point out the irony in that.  It goes on to say:

“It is a common term used for Information Technology (IT), Computers and Internet. It is also used in the terms cybersex, cyberspace, cyberpunk, cyberhomes and cyberhate”

Skilled in steering or governing punk (note my careful choice there)….hmmm. If you don’t see your favourite term, why not try typing ‘cyber’ into the urban dictionary and see what turns up (TIP: DON’T if you’re of a delicate disposition). Then to cybersecurity.

The Oxford Dictionary defines it thus:

“cybersecurity”

Pronunciation: /ˈsʌɪbəsɪˌkjʊərɪti/

noun

The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this: some people have argued that the threat to cybersecurity has been somewhat inflated [AS MODIFIER]: IT security professionals said that outsourcing would be the biggest cybersecurity threat

Loving the choice of exemplar definitions there. Seems like a bloke after my own heart. In practice there are almost as many definitions as there are security experts. Some coalesce round a government, academic or hacker perspective, but a general consensus there ain’t.

InfoSec’s own perception problem

Folk who’ve been diligently practising Information Security for years are especially ticked off, but InfoSec as a discipline suffers its own misconceptions. People don’t think it covers IT security, web security, cloud security, social media security, mobile security, physical security, business continuity, disaster recovery and everything else including data security (the oft-assumed sole focus), but it does. Check out ISO27002 if in doubt. The latest iteration of the global ISO2700x information security standards is set to refer out to other standards for control selection (to futureproof the validity of the framework), but you get the idea.

In what feels like vindication for still calling myself an InfoSec pro, the ISO27032 standard is specifically about cybersecurity and is (to quote ISecT Ltd from their ISO27001 Security site):

“In practice..about Internet security.  

The standard does not directly address cybersafety (such as cyberbullying), cybercrime, Internet safety, Internet-related crime or protection of critical information infrastructure, although there are oblique references to these aspects.”

The fact remains that it galls many seasoned pros to see cyberFUD merchants run roughshod over whatever hard-won credibility the InfoSec industry has…well…until you ‘cyberize’ your personal brand and demand a 20% pay rise. Heck, if you searched this blog it would have cyber on almost every page, BUT the strapline is “Straightforward Security” and ‘that’ word is used judiciously to make sure my voice is as loud as the media-savvy snake oil pedlars. Stripping all else away I’d summarise it like this:

Good advice and common security sense is getting buried under the weight of the cyberpap

Soooo, I never tend to shout about a problem without offering a solution….that’s where SaaW came in. It’s my suggestion for a new, basic, descriptive term.

SaaW or Security as a Whole

A nod to the XaaS epidemic and shorthand for – look at everything that needs securing (including people) and tackle it by channeling the enemy, using risk to prioritise and avoiding expensive games of whack-a-mole* with cyber tool mallets that just target newsworthy exploits.

I created a different amateur graphic which featured an image of a besuited cartoon pony with a chainsaw. That in turn led to me learning about a group called bronies (adult fans of My Little Pony). My pony reference was because of the pwnie/pony link (being pwned meaning being hacked), but that didn’t stop the bronies taking offence. Another fine (but slightly disconcerting) example of the power of images and words.

I know SaaW is a non-starter as candidate for the next buzzword (not least because I discovered it stands for a deeply significant term in Islam and I’m not in the business of upsetting anyone on purpose), but please do be mindful of the context of security pitches, certifications and publications that lead with the ‘C’ word. Cyber isn’t going away any time soon and digital selection is more about survival of the slickest, rather than survival of the fittest.


*Whack-a-mole is a term I first heard used for our approach to security by Charlotte Schider (). I have borrowed it ever since. For the rest of this the usual caveats apply: it is just my opinion, not reflecting any past or present employers and not necessarily representing their opinions.


5 replies »

  1. I agree with you Sarah: “cyber” is a buzz word currently enjoying its 15 minutes of fame, one that I sincerely hope will evaporate soon. Because of that, and because it is ‘just a word’, I’d happily ignore this whole issue … except that I sense a rearguard action by the old-skool IT security crowd, aided and abetted by the purveyors of IT security products now re-badged as cybersecurity solutions, plus assorted journalists and politicians who really don’t care what is said so long as they appear to be cool, leading to an unfortunate resurgence of IT-centricism. Their unstated premise is “Secure your computers/networks/data and all your problems will be solved”. I thought the world had moved on from that nonsense with BS7799 back in the 90’s, which is partly why I wrote those notes you kindly quoted about ISO/IEC 27032. I was at some of the ISO drafting meetings for the standard and witnessed at first hand confusion among the experts about the scope and purpose of the standard, thanks to a fundamental lack of understanding let alone agreement about the meaning of “cyberspace”. Some in the group seemed to be working earnestly on a standard about Internet security, others on something to do with virtual reality, while the rest of us were mostly floundering around helplessly wondering what was the point of such an ill-conceived standard anyway 🙂

    As to SaaW, I don’t personally feel the need for yet another acronym/buzzword – our field is awash with them already, to the point that we often confuse ourselves let alone the poor sods Out There trying to make sense of our spoutings! Cloud computing is a case in point: SaaS, IaaS and PaaS are merely technical+commercial constructs within the field of Service Oriented Architectures, and to my mind are of little consequence in that broader context. However, the current crop of cloud security standards mostly (if not entirely) focus narrowly on technology, obsessing about SaaS/IaaS/PaaS while ignoring the bigger SOA picture and the many other/non-tech risks associated with the cloud. Same thing with IDS/IPS and SIEM. As with cybersecurity, I get the feeling that, through deliberate use of tech terms, we are being manipulated by technologists and tech vendors into worrying solely about the technology – probably (I believe) because that is all they know and care about.

    It’s a distraction technique highly valued by any stage magician and pickpocket!

    I have some sympathy for the idea of referring to plain “security”, except that the term is generally understood to refer to physical security, specifically securing valuable tangible assets against physical threats (fire, flood, theft, vandalism, terrorists …). The term conjures up the image of a bouncer – typically a former military person employed more for their assertiveness and physical prowess in dealing with intruders and troublemakers, than for their intellectual capacity. They might try to stop and question someone taking a server out the back door, but equally they might hold the door open and help them load it into the van! As to the hordes of employees walking to and fro every day with USB sticks, smartphones, tablets, laptops and briefcases crammed full of valuable information, or using the Interweb like an information foot-locker, well, so long as they have their staff ID on show, what could possibly be wrong with that?

    Personally, as a long-time fan of “information security”, I find myself using “information risk” more and more of late. I’ve been quietly spreading the idea that the ISO27k standards, which already center on the idea of implementing information security according to the risks to information assets, should themselves be overtly risk-driven. Take ISO/IEC 27032 for example: if the project team developing the standard had started by elaborating on and exploring the ‘cybersecurity’ risks that the standard would help people address, it might have avoided ending up as one of those orphan projects that sucks in resources and achieves very little. I tried to take this risk-led approach with the team working on the ISO27k standard on redaction but I think I scared them when I pointed out that the standard, as originally conceived and eventually delivered, only addressed a small fraction of the risks associated with redaction. The project leader acknowledged my point but by then it was too late to divert the steam train heading towards the tunnel, so we’ve ended up with a kind of guidance document about redacting documents, rather than a much more useful information security standard on redaction as a whole. [Curiously, in this instance, one of the groups of risk they chose to ignore concerns the need to redact sensitive information from databases, such as statistical info disgorged by various government departments. Perhaps it suits the NSA’s purposes if we ignore those particular risks!]

    Sorry for the rant, and thanks for allowing me to vent. As you can tell, the pressure has been rising for a long time.

    • Gary! I missed this. Love the rant/vent – with the large dose of experienced wisdom thrown in. Good for the soul and mi casa su casa for that (tis very much in keeping with motivation for creation of this blog).

      I too don’t think we need another buzzword. SaaW was more an ironical look at our tendency to turn common sense into a logo-worthy sound-bite which then attracts style over content bandwagon jumpers. I’m now reaching the age where I feel sorry for some of the security pros I eagerly regaled with my plans to ‘fix’ security nearly a decade ago (they were seeing most of what I’d got uppity about coming around for the 2nd or 3rd time 🙂 )

      It’s now happening to me…this won’t be the last time security needs an image spring clean (like all rapidly maturing and evolving industries). What will save us is thee, me, Jake and the majority like us with heads screwed on (having genuine non-fast-buck-making integrity and an ability to, at least a little, get our voices heard over the ebb and flow of noise).

      So, to make this an even more Eurovision reply – Courage mes braves – and may sense prevail!

  2. There is no cyber-security. There is no physical security. There is no infrastructure security. There is just… Security.

    Too many people focus on their job at hand to the exclusion of the larger picture. They may get paid, but have they really helped? The goal of any service is to add value to an endeavor. Those who focus on security to the exclusion of productivity, cost, or actual risk are giving this business a bad name. To wit:

    A ship at port is safe, but that’s not what ships are built for. (Rear Admiral Grace Hopper)

    Security is a state of mind in which you are aware enough of the vulnerabilities and threats (and rewards) that you feel it is worth taking known risks. The problem is that very few understand these vulnerabilities, threats, or risks. So they hire someone to tell them. And that someone writes reports of outlandish shadows, mythical creatures, and bizarre situations. Why? Because it seems that very few others can wrap their heads around common security risks either.

    In the end, it all comes back to the person who is being paid to lead the endeavor in to hazardous waters and back again. It’s called leadership, and it is sorely lacking in today’s world.

  3. Off the back of a (to say the least) robust debate about this on LinkedIn, I feel I should clarify something. I categorically do not mean that all professionals who have cybersecurity in their title are charlatans. There are some highly skilled people who, for some of the reasons stated here (e.g. exposure, current market focus and getting a fair hearing), make that choice.

    There are also a subset who fit one of the better known and historically accepted definitions of a cybersecurity professional: People who have and practice the deep technical skills increasingly needed to identify, investigate, defend against and fix a growing number of highly technical threats and vulnerabilities.

    To confuse things further, there are other people with one or more subsets of those skills, who won’t call themselves cyber-anything e.g. IT security pros, computer security pros, network security pros, web security pros, application security pros, penetration testers, ethical hackers, hackers who are white hat but don’t bother adding the word ethical etc. etc. Those kinds of mainly tech-focused security specialists are a partner group to InfoSec pros. The InfoSec pros generally (noting not all InfoSec pros are created equal, as some are highly technical too), put that technical threat and vulnerability picture into a wider security context.

    Hopefully that balances (if in no way simplifies) this argument.

    What it doesn’t change is the difficulty faced by recruiters, consumers of security products and services (be that businesses or private individuals) and readers of cybersecurity stories in the press, when they are trying to tell the difference. For that you hopefully have access to a broadly experienced and skilled one of the aforementioned types of security bodies.
