Information security and especially IT security has got a boost lately because of cyber security - dare I say - hype. This boost is great from my point of view, since I regard myself as a cyber security expert with years of experience. However, I think that we need to get some sense in cyber security.
I've seen blank look of business leaders when the word "cyber" was mentioned and then saw them smiling relieved when it was explained in terms of information and network security. I've seen amazement of information security expert attending cyber security workshop when he realized that instead on being rookie he actually has 10 years experience of cyber security. I've seen vendors pushing old solutions under new cyber-friendly name. I've seen proposals of changing information security guidelines headline to include word "cyber" - without changing the actual contents. There's nothing bad with some marketing, but it should not prevent getting the message through.
Cyber security is simply information security in our complex, networked world, which in my mind includes governance, risk management, IT security and network security. We shouldn't hide the basics behind complex (sometimes recursive) definitions or failed analogies. Analogies are dangerous, because not always 1+1=2. Being expert of "X" doesn't alone make you expert of "CyberX".
I love William Gibson's definition of
cyberspace - "a consensual hallucination" and "buzzword". It seems that cyber is to information security what cloud is to IT - a way to (over)simplify complex environment. This reminds me of good old
RFC 1925 about networking truths, which can be used in a general manner, too. Truths like e
very old idea will be proposed again with a different name and a different presentation, regardless of whether it works.
I have couple of special concerns with cyber security hype. First. It took decades for information security to mature to the level where we discuss about risk management, governance and metrics. Now I'm seeing focus moving back to malware, network security and other technological countermeasures. Of course we need the full range of protection, not forgetting technical solutions, but lets look at the big picture.
Second. We shouldn't alienate current security experts from cyber security. I've heard about cyber security trainings, where basic networking security is taught. What? All networking experts worth their salt would know how to secure networks. You don't even need information security expert for that.
For many companies networked environment with all its risks is business as usual. So think cyber security more of the evolution than revolution. I understand that in some special environments, it may feel more like a revolution, but look around and you find expertise and solutions.
May the Cyber Security be with you!
