
Sunday, 08 Mar , 2015

How I SaaW The Problem With ‘Cyber’ Security


Using the term 'cyber' to prefix 'security' causes a strong reaction with some professionals. Are furious accusations of quackery justified and could this be the new alternative...

A few folk have seen me tweeting the hashtag #SaaW. It all grew from an online conversation with Caitlin dos Santos (Caitlin_Pro, a very smart and experienced InfoSec pro). I kicked off with this:
[Embedded tweet: https://twitter.com/S_Clarke22/status/573396689509339137]
I call out other buzzwords, but the one that mainly gets my goat is ‘cyber’ when it’s used to prefix ‘security’. Many key players in the security industry are critical of the noise that has built up around it. You don’t have to go far to find a tweet like this…
[Embedded tweet: https://twitter.com/paul_eubanks/status/569256506178326528]
…or a cynicism fest (albeit a deliciously witty one with a truthful core), like I, Cringely’s The Cybersecurity Myth. Is it resistance to change? Not really. Most of it boils down to the following:

Cyber & Stereotypes

It too easily conjures up the image of a hoodied hacker, or malware maelstrom on t’interweb (that’s cyberspace for many). It doesn’t lend itself to consideration of accidents, social engineering, physical security and resilience – equally vital vectors of attack and pillars of defence. I had my own rant about that here.

Cyber & Scare Tactics

It’s been wholeheartedly adopted by the FUD merchants, be that bandwagon-jumping breach chasers (think ambulance chasers, only on the digital highway), amateurish mainstream media efforts, spreaders of propaganda and folk who generate fear to sell.

Cyber & (Non)Sense

Basically, it doesn’t mean anything. Well, it does. Here’s what good old Wikipedia says about origins:

“Cyber-“

“Cyber- is a prefix derived from “cybernetic,” which comes from the Greek adjective κυβερνητικός meaning skilled in steering or governing (Liddell and Scott, Greek-English Lexicon)”

Not going to point out the irony in that.  It goes on to say:

“It is a common term used for Information Technology (IT), Computers and Internet. It is also used in the terms cybersex, cyberspace, cyberpunk, cyberhomes and cyberhate”

Skilled in steering or governing punk (note my careful choice there)….hmmm. If you don’t see your favourite term, why not try typing ‘cyber’ into the Urban Dictionary and see what turns up (TIP: DON’T if you’re of a delicate disposition). Then on to cybersecurity.
The Oxford Dictionary defines it thus:

“cybersecurity”

Pronunciation: /ˈsʌɪbəsɪˌkjʊərɪti/

noun

The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this: “some people have argued that the threat to cybersecurity has been somewhat inflated”. [AS MODIFIER]: “IT security professionals said that outsourcing would be the biggest cybersecurity threat”

Loving the choice of exemplar sentences there. Seems like a bloke after my own heart. In practice there are almost as many definitions as there are security experts. Some coalesce around a government, academic or hacker perspective, but a general consensus there ain’t.

InfoSec’s own perception problem

Folk who’ve been diligently practising Information Security for years are especially ticked off, but InfoSec as a discipline suffers its own misconceptions. People don’t think it covers IT security, web security, cloud security, social media security, mobile security, physical security, business continuity, disaster recovery and everything else including data security (the oft-assumed sole focus), but it does. Check out ISO27002 if in doubt. The latest iteration of the global ISO2700x information security standards is set to refer out to other standards for control selection (to future-proof the validity of the framework), but you get the idea.
In what feels like vindication for still calling myself an InfoSec pro, the ISO27032 standard is specifically about cybersecurity and is (to quote ISecT Ltd from their ISO27001 Security site):

“In practice..about Internet security.  

The standard does not directly address cybersafety (such as cyberbullying), cybercrime, Internet safety, Internet-related crime or protection of critical information infrastructure, although there are oblique references to these aspects.”

The fact remains that it galls many seasoned pros to see cyberFUD merchants run roughshod over whatever hard-won credibility the InfoSec industry has…well…until you ‘cyberize’ your personal brand and demand a 20% pay rise. Heck, if you searched this blog it would have cyber on almost every page, BUT the strapline is “Straightforward Security” and ‘that’ word is used judiciously, to make sure my voice is as loud as the media-savvy snake oil pedlars. Stripping all else away, I’d summarise it like this:

Good advice and common security sense is getting buried under the weight of the cyberpap

Soooo, I never tend to shout about a problem without offering a solution….that’s where SaaW came in. It’s my suggestion for a new, basic, descriptive term.

SaaW or Security as a Whole

A nod to the XaaS epidemic and shorthand for: look at everything that needs securing (including people) and tackle it by channelling the enemy, using risk to prioritise and avoiding expensive games of whack-a-mole* with cyber tool mallets that just target newsworthy exploits.
I created a different amateur graphic which featured an image of a besuited cartoon pony with a chainsaw. That in turn led to me learning about a group called bronies (adult fans of My Little Pony). My pony reference was because of the pwnie/pony link (being pwned meaning being hacked), but that didn’t stop the bronies taking offence. Another fine (but slightly disconcerting) example of the power of images and words.
I know SaaW is a non-starter as candidate for the next buzzword (not least because I discovered it stands for a deeply significant term in Islam and I’m not in the business of upsetting anyone on purpose), but please do be mindful of the context of security pitches, certifications and publications that lead with the ‘C’ word. Cyber isn’t going away any time soon and digital selection is more about survival of the slickest, rather than survival of the fittest.


*Whack-a-mole is a term I first heard used for our approach to security by Charlotte Schider. I have borrowed it ever since. For the rest of this the usual caveats apply: it is just my opinion, not reflecting any past or present employers and not necessarily representing their opinions.

