Sep 3, 2012

Demystifying Cyber Security

Information security, and especially IT security, has got a boost lately because of the cyber security - dare I say - hype. This boost is great from my point of view, since I regard myself as a cyber security expert with years of experience. However, I think that we need to get some sense into cyber security.

I've seen the blank look of business leaders when the word "cyber" was mentioned, and then saw them smile, relieved, when it was explained in terms of information and network security. I've seen the amazement of an information security expert attending a cyber security workshop when he realized that instead of being a rookie he actually has 10 years of experience in cyber security. I've seen vendors pushing old solutions under new cyber-friendly names. I've seen proposals to change the headline of information security guidelines to include the word "cyber" - without changing the actual contents. There's nothing wrong with some marketing, but it should not prevent the message from getting through.

Cyber security is simply information security in our complex, networked world, which in my mind includes governance, risk management, IT security and network security. We shouldn't hide the basics behind complex (sometimes recursive) definitions or failed analogies. Analogies are dangerous, because 1+1 does not always equal 2. Being an expert in "X" doesn't alone make you an expert in "CyberX".

I love William Gibson's definition of cyberspace - "a consensual hallucination" and "buzzword". It seems that cyber is to information security what cloud is to IT - a way to (over)simplify a complex environment. This reminds me of the good old RFC 1925 on networking truths, which can be applied in a general manner, too. Truths like: every old idea will be proposed again with a different name and a different presentation, regardless of whether it works.

I have a couple of special concerns with the cyber security hype. First: it took decades for information security to mature to the level where we discuss risk management, governance and metrics. Now I'm seeing the focus moving back to malware, network security and other technological countermeasures. Of course we need the full range of protection, not forgetting technical solutions, but let's look at the big picture.

Second: we shouldn't alienate current security experts from cyber security. I've heard about cyber security trainings where basic network security is taught. What? Any networking expert worth their salt would know how to secure networks. You don't even need an information security expert for that.

For many companies the networked environment with all its risks is business as usual. So think of cyber security more as an evolution than a revolution. I understand that in some special environments it may feel more like a revolution, but look around and you will find expertise and solutions.

May the Cyber Security be with you!

1 comment:

  1. Well, no blog without a "comment" is no blahblah at all, right?

    I cannot see the huge relevance while playing names with IT Security or CyberXX here. Cyber sounds just sexy and by %replaceyourLordhere%
    - Hollywood went through all this trouble with Die Hard 4.0 to announce the idea for us that someone could do harm through IT to your life. So it's here, whether we love it or hate it.

    The fact is that each and every day is witnessed by more "harm done", or at least discussed in public, and how it affects my "SOMA" at least. So - given the chance - you are so right in here - we need to make, or say, create sense in it.

    But, please, let's agree ONE thing (all the world): let's not debate about cyber - the name - or all the issues it has. It's plenty. Then making sense of it - what to do?

    Well - I think we should leave the document headings as they are; we are, however, talking about the same things - with an enlarged envelope. The same concepts still exist, and we are eating the unprepared lunch of bad IT security discipline now in matters of Java 0days etc.

    The problem that did NOT exactly (now - important: EXACTLY) exist 10 years ago was the vast expansion of applications on top of the infrastructure formerly known as Internet.

    As for your side of the concerns, I do share the feeling. We should keep the holistic viewpoint of what information security overall is, including all the management details, back to keeping the system up the next morning too. I honestly feel that we needed a little knob in here, to wake up within the fields what was NOT managed with good management discipline (remember that Java 0day again..?).

    So software, that's why we need to have all the malware discussion around us. I honestly feel that it is a NECESSARY BAD now.

    The revolution here, I think, is just the matter of how we tend to utilize existing infrastructure with missions in military, healthcare, survival Isaac etc. too.

    To copy: May the good command of common sense be with Us all.
