
What's In A Name?

We know that cybersecurity isn't the best name to describe what is ostensibly, "information security" but it's the name we're stuck with.


Watch this episode on YouTube.

Reasonably Accurate 🤖🤖 Transcript

Good morning, everybody. How are you doing today? This is Mornings with Mark episode 61. I hope you are set up for a phenomenal and fantastic Friday, the first of June. In the last few episodes, we've been talking about the role of cybersecurity and the challenge around that term, cybersecurity, and what I wanted to pick up in today's episode was addressing the discussion that came up when I said the ship has sailed on cybersecurity as a term.

That's what we're gonna have to use even though we're better off using the term information security. This was a phenomenal discussion and I appreciate everyone who participated, and I wanted to push this sort of to the next level. So there's a couple of things, and the first I want to address is the actual name itself.

And that's the title of episode 61 here: What's in a name? I do a lot of media relations, a lot of engagements with journalists, a lot of public speaking, a lot of external communications, and I will say this: regardless of accuracy, once a name or a term is out there and caught up and pushed into the popular vernacular, it's done.

It's gonna take too long, too much effort to try to change it, with very little hope of success. You need to look no further than the term hacker. When I first started, it was a positive term. When you were a hacker, you were someone who looked at how things worked.

You were trying to create new things; you were pulling them down in order to see how they ticked, in order to make them better or to make new, unique, creative ideas. It was entirely a positive experience, yet over the years hacker has morphed into what we used to call cracker, which is, you know, somebody who breaks into systems, right?

And we have phreaks and crackers, and they turned into hackers now. And that ship has sailed; the term hacker is a cyber criminal. We are not getting back the original use of that term, very much like cybersecurity. Anything related to security that touches a digital system is cybersecurity from here on out.

I don't agree with it. I don't like it. That is the reality. We cannot change that. It's just how it is, unfortunately. So we need to deal with that reality. Now, the first time I put this out, a couple of episodes ago, we talked about the genesis and looking at information security and how that would help you remember that it wasn't just information sitting in digital systems, but also in physical systems and in biological and in people's brains as well, and treating that information overall

as, you know, something you need to protect and process through people as well as products. And a couple of people raised some interesting, not objections but kind of clarifications. Some people were talking about, what about the infrastructure that supports this stuff?

Well, I think information security still covers that as far as a concept, because when you talk about the information you're trying to protect, you need to then delve into the security of every system, process and person that touches that information.

So by focusing on what you're trying to protect, the environment and the processes and the people that touch that data, that information, all fall under the same scope. So I think it's possible that they all fall under information security even though we're still going to call it cybersecurity.

And then another objection that came up that I think is entirely valid is that you can't do information security without information management and understanding, you know, what you're protecting. I 100% agree. Now, it was termed differently in one of the discussions and I took some issue with how it was termed, but I think the point still stands, and kudos to the person who made this point.

Now, I'll put the link to the conversation below and tweet that out at @marknca so everybody can participate. But absolutely, the huge failing when it comes to cybersecurity is not understanding what you're trying to protect. And this is sort of the core of that failed definition, the core of the challenges we face, as we say, oh, we're doing cybersecurity.

I'm gonna lock that server down. I'm gonna make sure there's no bugs in my code, this kind of thing, but you don't evaluate the value of the information and data that you're protecting. You know, we talked at length last week about GDPR; that is a regulatory attempt to make sure that people value the data and information that they are storing so they can apply appropriate controls.

But most organizations fall flat on their face when it comes to information management. There's a really quick and easy test: just go around and ask the folks on your team, what's the most important piece of information or category of information that your organization has?

Most folks aren't gonna be able to answer that accurately. And you need to be able to do that in order to defend that information. And of course, you know, there's rarely one easy answer, but you need to have an idea of, OK,

as a company that makes a digital product, here's the hierarchy of what's important to us. Our infrastructure code and source code is the top thing because without that, we don't have a business. So we need to protect that at all costs. Then you kind of pull down and go, well, we have personal information, we have financial information, we have user information, all this stuff at a hierarchy, but at the very top,

you know, source code and infrastructure code is something that's often overlooked. Look at the amount of developers walking around with the entire business sitting on their laptop, a laptop they cross borders with, a laptop they bring to public spaces and conferences with very little operational security around it.

That is a fantastically horrible example of a failure to understand the information that you're protecting. So what's in a name? A lot. Unfortunately, we can't change the name. We're stuck with cybersecurity because it's out there. That ship has sailed. It is beyond our community's reach because now we are very much in the public face.

So we're calling it cybersecurity. It's what we have to go with. What we need to understand internally is that it's really information security, and that means every process, system or product and person that touches that information falls under the scope of making sure that the security is adequate for the information.

You cannot do that without understanding the information, the value of that information to your organization and the risk appetite of the organization around that information. So when I say risk appetite, I mean it very, very literally, very simply. Well, not literally because, you know, you don't eat risk.

Even though if you've been bitten by it, you'll probably feel differently, though, of course, that's a whole bunch of mixed metaphors, but it's Friday, so cut me some slack. So by risk appetite, what I mean simply is understanding the value of the information and what you're willing to trade off in order to push forward.

So go back to that source code example. A lot of companies want developers to have access to the full tree. They don't wanna apply fine-grained permissions within the source code because they feel that will slow down development. That's normally a fair trade-off.

But to implicitly accept the fact that they're taking it across borders or back and forth into public spaces and home, that might not be something you're comfortable with; that might be beyond your risk appetite. So you need to understand all the people, process and products or systems that touch the information.

More importantly, you have to understand the value of that information to the organization and the appetite for risk tolerance when dealing with that information. I think that is what our job is, because the goal of all of this, the goal of cybersecurity, because that's unfortunately what we have to call it, is to make sure that all of your systems work as intended and only as intended, and those systems are not just cyber, they're not just digital; that's people and process as well.

I hope you're set up for a fantastic Friday. Have a great weekend. Enjoy talking to you and keeping this conversation going. Again, this content fuels this show. Hit me up online at @marknca, in the comments down below if you're seeing this online, or as always by email at marknca.

I will talk to you on Monday.
