I am not sure how the cybersecurity meme started, and it sure won't die, but it needs to. We need to stop saying cybersecurity because this gross generalization obscures the real issues that lie beneath.
Mark Twain observed that precise language is the difference between lightning and a lightning bug. When you hear someone say cybersecurity, you can guarantee the very next sentence will contain a wild, sweeping generalization that's likely neither prescriptive nor useful.
Here is why: context matters. Security is extremely context sensitive; what is appropriate for one type of system is not the same as for another.
On the one hand I agree with Pete Lindstrom, management always plays a role. As Roger Needham said, "Management is that for which there is no algorithm. Where there is an algorithm it's administration."
But now let's consider the systems that Ralph Langner works on: critical infrastructure. Sure, there is always an element of management, but it's not the same thing that's being protected.
It was only a couple of years ago that we had different breach report providers arguing with each other over threats. At the time APT reports started coming out of Mandiant, other organizations demurred that they did not see the same kind of threats in their data; they were seeing credit card and commercial fraud, while Mandiant was seeing IP disclosure. Each made leaps from what they were seeing to paint a bullseye on what the real threat was. Here is the thing:
1. they were both right from their perspective
2. how you defend in either case is very different. So what we learned from either data set was not really prescriptive for the other
Why? It's not about the threats (and it ain't about the cyber), it's about the assets! Just like security, "cyber" is only useful in a given context. And that context is assets: users, customers, identity, data, IP, transactions, cash flow, competitive advantage, and you name it.
Cybersecurity is meaningless because cyber does not describe any asset at all; it presupposes there's some security regime that "just works" for any connected digital anything. This would not matter at all, except that now it's the go-to concept for policy makers.
Cybersecurity must be replaced with something else to be useful. I suggest Asset Security. Four of the six largest companies in the US are IBM, Apple, Google, and Microsoft (the other two are oil companies). Notice anything about the four? They are all tech companies!
In investing people will often say "well the tech sector this" or "the tech sector that", and I really have to laugh every time I hear this. What in the world do those companies have in common, really? Sure, they all have computers (newsflash: it's 2013), but trace the cash flows: Apple is selling iThings and movies and music to consumers. IBM is selling mainframes to big companies. Google is selling your data to advertisers, and Microsoft is selling stuff to help companies work. Their customer bases have little in common; why lump them together?
I laugh when I hear "tech sector", but I cry when I hear "cybersecurity": what is appropriate hardening for Netflix, a healthcare organization, a bank, a consumer, and critical infrastructure has little in common. Even Cloud Security varies wildly from one Cloud integration to another. There is a reason why Ross Anderson's epic Security Engineering has chapters dedicated to domain-specific concerns by industry. Tech is a meaningless term in 2013; instead, trace the cash flows to the customers. Likewise, cybersecurity is meaningless; trace the security under discussion to the asset it's defending.
Mark Twain also observed that "a man who attempts to carry a cat home by its tail will learn a lesson he can learn no other way." Trying to prescribe global cybersecurity regimes to cover all things cyber will also lead to lessons that can be learned no other way.
Connected digital things are all around, know your assets, be specific, context matters.