I am not sure how the cybersecurity meme started, and it sure won't die, but it needs to. We need to stop saying cybersecurity because this gross generalization obscures the real issues that lie beneath.
Mark Twain observed that precise language is the difference between lightning and a lightning bug. When you hear someone say cybersecurity, you can guarantee the very next sentence will contain a wild, sweeping generalization that's likely neither prescriptive nor useful.
Here is why - context matters. Security is extremely context sensitive; what is appropriate for one type of system is not the same as for another.
On the one hand I agree with Pete Lindstrom, management always plays a role. As Roger Needham said, "Management is that for which there is no algorithm. Where there is an algorithm it's administration."
But now let's consider the systems that Ralph Langner works on - critical infrastructure. Sure, there is always an element of management, but it's not the same thing that's being protected.
It was only a couple of years ago that we had different breach report providers arguing with each other over threats. At the time APT reports started coming out of Mandiant, other organizations demurred that they did not see the same kind of threats in their data: they were seeing credit card and commercial fraud, while Mandiant was seeing IP disclosure. Each made leaps from what they were seeing to paint a bullseye on what the real threat was. Here is the thing -
1. They were both right from their perspective.
2. How you defend in either case is very different, so what we learned from either data set was not really prescriptive for the other.
Why? It's not about the threats (and it ain't about the cyber), it's about the assets! Just like security, "cyber" is only useful in a given context. And that context is assets - users, customers, identity, data, IP, transactions, cash flow, competitive advantage, you name it.
Cybersecurity is meaningless because cyber does not describe any asset at all; it presupposes there's some security regime that "just works" for any connected digital anything. This would not matter at all, except now it's the go-to concept for policy makers.
Cybersecurity must be replaced with something else to be useful. I suggest Asset Security. Four of the six largest companies in the US are - IBM, Apple, Google, and Microsoft (the other two are oil companies). Notice anything about the four? They are all tech companies!
In investing, people will often say "well, the tech sector this" or "the tech sector that", and I really have to laugh every time I hear it. What in the world do those companies really have in common? Sure, they all have computers (newsflash: it's 2013), but trace the cash flows: Apple is selling iThings and movies and music to consumers. IBM is selling mainframes to big companies. Google is selling your data to advertisers, and Microsoft is selling stuff to help companies work. Their customer bases have little in common, so why lump them together?
I laugh when I hear "tech sector" but I cry when I hear "cybersecurity": what is appropriate hardening for Netflix, a healthcare organization, a bank, a consumer, and critical infrastructure has little in common. Even cloud security varies wildly from one cloud integration to another. There is a reason why Ross Anderson's epic Security Engineering has chapters dedicated to domain-specific concerns by industry. Tech is a meaningless term in 2013; instead, trace the cash flows to the customers. Likewise, cybersecurity is meaningless; trace the security under discussion to the asset it's defending.
Mark Twain also observed that "a man who attempts to carry a cat home by its tail will learn a lesson he can learn no other way." Trying to prescribe global cybersecurity regimes to cover all things cyber will also lead to lessons that can be learned no other way.
Connected digital things are all around: know your assets, be specific, context matters.
physical security - asset(x), field(real world), guards, gates, guns
information security - asset(information about x), field(minds), policy, procedures, information classification
emergency management - asset(business dealing with x), field(real world), response, recovery
cyber security - asset(all aspects of x data), field(real world, virtual worlds, minds), policy, procedures, information classification, controls/borders, monitoring, defense, offense, response, recovery
Posted by: Mr. Obvious | March 01, 2013 at 10:52 AM
a distinction from Pat Helland - computers do not make decisions, computers _try_ to make decisions
http://blogs.msdn.com/b/pathelland/archive/2007/05/15/memories-guesses-and-apologies.aspx
Posted by: gunnar | March 01, 2013 at 11:05 AM
A distinction from me: Computers are not humans -- do or do not, there is no try. In fact, computers only do exactly what humans told them to do, whether the humans want to admit it or not.
Posted by: Mr. Obvious | March 02, 2013 at 03:32 PM
Give it up, it's never going away. I interviewed Gen. Raduege (ret.) at the RSA conference and he actually views the emergence of "cyber" into our daily lingo as being the pivot point for the USG in particular in taking security seriously. So, you're stuck with it. Go fight a fight that's worth fighting... cuz this ain't it.
Now... if you'd like to talk about removing "security" from our lingo, then that would be great... because none of us "do" security... security is a descriptive term for other verbs and nouns...
Posted by: Ben | March 03, 2013 at 09:32 AM
@Ben - not sure what the value prop is for USG in "cyber".
" the USG in particular in taking security seriously."
Remember during Macondo the Navy and others would chime in with helpful thoughts on using subs, but they did not know how oil wells worked so it was up to the oil majors to fix it.
The story of that fix is instructive: the competitors - Exxon, RDS, Chevron et al. - all sent their best people, who worked together around the clock for months to get it fixed.
Posted by: gunnar | March 04, 2013 at 11:30 AM