What's In A Name?
14 minute read | Last updated 1-Jun-2018 | 
Security, Rant
Mornings With Mark no. 0061
Watch the episode on YouTube
Join the discussion on LinkedIn
Share on Twitter
Bad Robot Transcript
Good morning, everybody. How you doing today? This is mornings with Mark episode 61. I hope you are set up for a phenomenal and fantastic Friday and the 1st of June and the last few episodes. We’ve been talking about the role of cybersecurity the challenge around that term cyber security and what I wanted to pick up in today’s episode was addressing the discussion that came up when I said the ship has sailed on cybersecurity is a term.
That’s what we’re going to have to use even though we’re better off using the term information security in this is a phenomenal discussion. I appreciate everyone who participated I wanted to push this order to the next level. So there’s a couple things in the first I want to address is the actual name itself and us the title of episode 61 here.
What’s in a name. I do a lot of media relations a lot of Engagement with journalists a lot of public speaking a lot of external Communications and I will say this regardless of accuracy once a name or term is out there and caught up and pushed into the popular vernacular.
It’s done. It’s going to take too long too much effort to try to change it with very little hope of success. You need to look no further than the term hacker. When I first started it was a positive term when you were a hacker you were someone who looked at how things worked you were trying to create new things.
You were built by pulling them down in order to see how they kicked in order to make them better or to make new unique creative ideas. It was entirely a positive experience yet over the years hacker has morphed into what we used to call Cracker which is you know, somebody breaks into systems, right? We have Freaker’s and crackers and they turned into hackers now.
That is a term hacker is a cybercriminal we are not getting back the original use of that term very much like cybersecurity anything related to security that touches a digital system is cyber security from here on in I don’t agree with it. I don’t like it. That is the reality.
We cannot change that. It’s just how it is, unfortunately. So we need to deal with that reality. Now first time I put this out a couple episodes episodes ago and we talked about the Genesis and look at information security and how that would help you remember that. It wasn’t just information sitting in digital systems, but also in physical systems that are in biological it in people’s brains as well in treating that information over all as you know, something you need to protect through process through people as well as products and a couple people raised some interesting.
Objections, but kind of clarification can clarifications some people were talking about what about the other structure? What are the infrastructure that supports this stuff? So I think information security Still covers that as far as a concept because when you talk about the information you’re trying to protect you need to then delve into the system into the security of every system process of person that touches that information.
So by focusing on what you’re trying to protect the environment and the processes and the people that touch that date of that information all fall under the same scope. So I think it’s it’s possible that they all found a hunter Information Security even though we’re still going to call it cyber-security and then another objection that came up that I think is entirely valid is that you can’t do information security withheld information management and understanding, you know, what you’re protecting 100% agree that was terms differently in one of the discussions and I I took some issue with how it was turn.
But I think the point still stands and kudos to the person who made his point know I’ll put the link to the conversation below and tweet that out at Mark NCAA, so everybody can participate but Absolutely, the huge failing when it comes to cybersecurity is not understanding what you’re trying to protect in.
This is sort of the core that failed definition the core of the challenges we face when you say or doing cyber security. I’m going to lock that server down. I’m going to make sure there’s no bugs in my code this kind of thing, but you don’t evaluate the value of the information and data that you’re protecting.
And yeah, we talked last week about gdpr that is a regulatory attempt to make sure that people value the data and information that they are storing so they apply appropriate controls, but most organizations fall flat on the face when it comes to Information Management. There’s a really quick and easy test just go around and ask the folks on your team.
What’s the most important piece of information or kladdig or even from a category of information? The organization has most folks aren’t going to be able to answer that accurately and you need to be able to do that in order to defend that information have been of course you don’t Rarely one easy answer but you need to have an idea of ok, as a company that makes a digital product.
Here’s the hierarchy of what’s important to us. Our infrastructure code and source code is the top thing because without that we don’t have a business. So we need to protect that at all cost. Then you’ll kind of pull down and go over your personal information with financial information with user information all this stuff at a higher key, but it’s very top and I’m going to source code infrastructure code is something that’s often overlooked.
Look at the amount of developers walking around with the entire business sitting on their laptop a laptop that cross borders with the laptop. They bring the public spaces and conferences with very little operational security around at that is a fantastically horrible example of a failure to understand the information that you’re protecting.
So what’s in a name a lot. Unfortunately, we can’t change the name. We’re stuck with cyber-security because it’s out there that ship has sailed. It was beyond our communities reach because now we are very much in the public face. So we’re calling it cyber-security what we have to go with what we need to understand internally is that it’s really information security and that means every process system or product and personal touches that information falls under the scope of making sure that the security is adequate for the information.
You cannot do that without understanding the information the value of that information to your organization and the risk appetite of the organization around that information. So when I say risk appetite, I mean it very very literally very simply will not literally cuz you don’t eat risk even though if you’ve been bitten by it, you’ll probably feel differently though course, that’s a whole bunch of mix metaphors, but it’s Friday, so cut me some slack and so why risk is understanding the value of the information and what you’re willing to trade off in order to push for it.
So go back to that sort code example of a lot of companies want developers have access to the full tree. They don’t apply finding permissions within the source code and because they That will slow down development that’s normally a fair trade-off, but to implicitly accept the fact that they’re taking it across border or back and forth into public spaces and home that might not be something you’re comfortable with that might be beyond your risk appetite.
So you need to understand all the people process and products or systems that touch the information more importantly you have to understand the value of that information to the organization any appetite for risk tolerance when dealing with that information. I think that is what our job is cuz the goal of all of this a goal of cybersecurity cuz that’s unfortunate we have to call it is to make sure that all of your systems work as intended and only as intended and those systems are not just cyber.
They’re not just digital theft people and processes. Well, I hope you’re set up for a fantastic Friday and a great weekend enjoy talking to you and keeping this conversation going again. This content fuels this show. Hit me up online at Mark NCAA. In the comments down below for seeing this online or ours always by email me at Mark NCAA.
I will talk to you on Monday. Good morning, everybody. How you doing today? This is mornings with Mark episode 61. I hope you are set up for a phenomenal and fantastic Friday and the 1st of June and the last few episodes. We’ve been talking about the role of cybersecurity the challenge around that term cyber security and what I wanted to pick up in today’s episode was addressing the discussion that came up when I said the ship has sailed on cybersecurity is a term.
That’s what we’re going to have to use even though we’re better off using the term information security in this is a phenomenal discussion. I appreciate everyone who participated I wanted to push this order to the next level. So there’s a couple things in the first I want to address is the actual name itself and us the title of episode 61 here.
What’s in a name. I do a lot of media relations a lot of Engagement with journalists a lot of public speaking a lot of external Communications and I will say this regardless of accuracy once a name or term is out there and caught up and pushed into the popular vernacular.
It’s done. It’s going to take too long too much effort to try to change it with very little hope of success. You need to look no further than the term hacker. When I first started it was a positive term when you were a hacker you were someone who looked at how things worked you were trying to create new things.
You were built by pulling them down in order to see how they kicked in order to make them better or to make new unique creative ideas. It was entirely a positive experience yet over the years hacker has morphed into what we used to call Cracker which is you know, somebody breaks into systems, right? We have Freaker’s and crackers and they turned into hackers now.
That is a term hacker is a cybercriminal we are not getting back the original use of that term very much like cybersecurity anything related to security that touches a digital system is cyber security from here on in I don’t agree with it. I don’t like it. That is the reality.
We cannot change that. It’s just how it is, unfortunately. So we need to deal with that reality. Now first time I put this out a couple episodes episodes ago and we talked about the Genesis and look at information security and how that would help you remember that. It wasn’t just information sitting in digital systems, but also in physical systems that are in biological it in people’s brains as well in treating that information over all as you know, something you need to protect through process through people as well as products and a couple people raised some interesting.
Objections, but kind of clarification can clarifications some people were talking about what about the other structure? What are the infrastructure that supports this stuff? So I think information security Still covers that as far as a concept because when you talk about the information you’re trying to protect you need to then delve into the system into the security of every system process of person that touches that information.
So by focusing on what you’re trying to protect the environment and the processes and the people that touch that date of that information all fall under the same scope. So I think it’s it’s possible that they all found a hunter Information Security even though we’re still going to call it cyber-security and then another objection that came up that I think is entirely valid is that you can’t do information security withheld information management and understanding, you know, what you’re protecting 100% agree that was terms differently in one of the discussions and I I took some issue with how it was turn.
But I think the point still stands and kudos to the person who made his point know I’ll put the link to the conversation below and tweet that out at Mark NCAA, so everybody can participate but Absolutely, the huge failing when it comes to cybersecurity is not understanding what you’re trying to protect in.
This is sort of the core that failed definition the core of the challenges we face when you say or doing cyber security. I’m going to lock that server down. I’m going to make sure there’s no bugs in my code this kind of thing, but you don’t evaluate the value of the information and data that you’re protecting.
And yeah, we talked last week about gdpr that is a regulatory attempt to make sure that people value the data and information that they are storing so they apply appropriate controls, but most organizations fall flat on the face when it comes to Information Management. There’s a really quick and easy test just go around and ask the folks on your team.
What’s the most important piece of information or kladdig or even from a category of information? The organization has most folks aren’t going to be able to answer that accurately and you need to be able to do that in order to defend that information have been of course you don’t Rarely one easy answer but you need to have an idea of ok, as a company that makes a digital product.
Here’s the hierarchy of what’s important to us. Our infrastructure code and source code is the top thing because without that we don’t have a business. So we need to protect that at all cost. Then you’ll kind of pull down and go over your personal information with financial information with user information all this stuff at a higher key, but it’s very top and I’m going to source code infrastructure code is something that’s often overlooked.
Look at the amount of developers walking around with the entire business sitting on their laptop a laptop that cross borders with the laptop. They bring the public spaces and conferences with very little operational security around at that is a fantastically horrible example of a failure to understand the information that you’re protecting.
So what’s in a name a lot. Unfortunately, we can’t change the name. We’re stuck with cyber-security because it’s out there that ship has sailed. It was beyond our communities reach because now we are very much in the public face. So we’re calling it cyber-security what we have to go with what we need to understand internally is that it’s really information security and that means every process system or product and personal touches that information falls under the scope of making sure that the security is adequate for the information.
You cannot do that without understanding the information the value of that information to your organization and the risk appetite of the organization around that information. So when I say risk appetite, I mean it very very literally very simply will not literally cuz you don’t eat risk even though if you’ve been bitten by it, you’ll probably feel differently though course, that’s a whole bunch of mix metaphors, but it’s Friday, so cut me some slack and so why risk is understanding the value of the information and what you’re willing to trade off in order to push for it.
So go back to that sort code example of a lot of companies want developers have access to the full tree. They don’t apply finding permissions within the source code and because they That will slow down development that’s normally a fair trade-off, but to implicitly accept the fact that they’re taking it across border or back and forth into public spaces and home that might not be something you’re comfortable with that might be beyond your risk appetite.
So you need to understand all the people process and products or systems that touch the information more importantly you have to understand the value of that information to the organization any appetite for risk tolerance when dealing with that information. I think that is what our job is cuz the goal of all of this a goal of cybersecurity cuz that’s unfortunate we have to call it is to make sure that all of your systems work as intended and only as intended and those systems are not just cyber.
They’re not just digital theft people and processes. Well, I hope you’re set up for a fantastic Friday and a great weekend enjoy talking to you and keeping this conversation going again. This content fuels this show. Hit me up online at Mark NCAA. In the comments down below for seeing this online or ours always by email me at Mark NCAA.
I will talk to you on Monday.
