A few folk have seen me tweeting the hashtag #SaaW. It all grew from an online conversation with Caitlin dos Santos (Caitlin_Pro, a very smart and experienced InfoSec pro). I kicked off with this:
[Tweet: https://twitter.com/S_Clarke22/status/573396689509339137]
I call out other buzzwords, but the one that mainly gets my goat is ‘cyber’ when it’s used to prefix ‘security’. Many key players in the security industry are critical of the noise built up around that. You don’t have to go far to find a tweet like this…
[Tweet: https://twitter.com/paul_eubanks/status/569256506178326528]
…or a cynicism fest (albeit a deliciously witty one with a truthful core), like I Cringely’s The Cybersecurity Myth. Is it resistance to change? Not really. Most of it boils down to the following:
Cyber & Stereotypes
It too easily conjures up the image of a hoodied hacker, or malware maelstrom on t’interweb (that’s cyberspace for many). It doesn’t lend itself to consideration of accidents, social engineering, physical security and resilience – equally vital vectors of attack and pillars of defence. I had my own rant about that here.
It’s been wholeheartedly adopted by the FUD merchants, be that bandwagon-jumping breach chasers (think ambulance chasers, only on the digital highway), amateurish mainstream media efforts, spreaders of propaganda and folk who generate fear to sell.
Cyber & (Non)Sense
Basically, it doesn’t mean anything. Well, it does. Here’s what good old Wikipedia says about its origins:
“Cyber- is a prefix derived from “cybernetic,” which comes from the Greek adjective κυβερνητικός meaning skilled in steering or governing (Liddell and Scott, Greek-English Lexicon)”
Not going to point out the irony in that. It goes on to say:
Skilled in steering or governing punk (note my careful choice there)…hmmm. If you don’t see your favourite term, why not try typing ‘cyber’ into the Urban Dictionary and see what turns up (TIP: DON’T if you’re of a delicate disposition). Then on to cybersecurity.
The Oxford Dictionary defines it thus:
“The state of being protected against the criminal or unauthorized use of electronic data, or the measures taken to achieve this: some people have argued that the threat to cybersecurity has been somewhat inflated [AS MODIFIER]: IT security professionals said that outsourcing would be the biggest cybersecurity threat”
Loving the choice of exemplar definitions there. Seems like a bloke after my own heart. In practice there are almost as many definitions as there are security experts. Some coalesce round a government, academic or hacker perspective, but a general consensus there ain’t.
InfoSec’s own perception problem
Folk who’ve been diligently practising Information Security for years are especially ticked off, but InfoSec as a discipline suffers its own misconceptions. People don’t think it covers IT security, web security, cloud security, social media security, mobile security, physical security, business continuity, disaster recovery and everything else including data security (the oft-assumed sole focus), but it does. Check out ISO27002 if in doubt. The latest iteration of the global ISO2700x information security standards is set to refer out to other standards for control selection (to futureproof the validity of the framework), but you get the idea.
In what feels like vindication for still calling myself an InfoSec pro, the ISO27032 standard is specifically about cybersecurity and is (to quote ISecT Ltd from their ISO27001 Security site):
“In practice…about Internet security.
The standard does not directly address cybersafety (such as cyberbullying), cybercrime, Internet safety, Internet-related crime or protection of critical information infrastructure, although there are oblique references to these aspects.”
The fact remains that it galls many seasoned pros to see cyberFUD merchants run roughshod over whatever hard-won credibility the InfoSec industry has…well…until you ‘cyberize’ your personal brand and demand a 20% pay rise. Heck, if you searched this blog it would have cyber on almost every page, BUT the strapline is “Straightforward Security” and ‘that’ word is used judiciously to make sure my voice is as loud as the media-savvy snake oil pedlars. Stripping all else away I’d summarise it like this:
Good advice and common security sense is getting buried under the weight of the cyberpap
Soooo, I never tend to shout about a problem without offering a solution…that’s where SaaW came in. It’s my suggestion for a new, basic, descriptive term.
SaaW or Security as a Whole
A nod to the XaaS epidemic and shorthand for – look at everything that needs securing (including people) and tackle it by channeling the enemy, using risk to prioritise and avoiding expensive games of whack-a-mole* with cyber tool mallets that just target newsworthy exploits.
I created a different amateur graphic which featured an image of a besuited cartoon pony with a chainsaw. That in turn led to me learning about a group called bronies (adult fans of My Little Pony). My pony reference was because of the pwnie/pony link (being pwned meaning being hacked), but that didn’t stop the bronies taking offence. Another fine (but slightly disconcerting) example of the power of images and words.
I know SaaW is a non-starter as a candidate for the next buzzword (not least because I discovered it stands for a deeply significant term in Islam and I’m not in the business of upsetting anyone on purpose), but please do be mindful of the context of security pitches, certifications and publications that lead with the ‘C’ word. Cyber isn’t going away any time soon, and digital selection is more about survival of the slickest than survival of the fittest.
*Whack-a-mole is a term I first heard used for our approach to security by Charlotte Schider (@CATschider). I have borrowed it ever since. For the rest of this, the usual caveats apply: it is just my opinion, not reflecting any past or present employers and not necessarily representing their opinions.