Like it or not, “cyber” is a shorthand for all things infosec
We have lost the cyber war. No, not that cyber war. Maybe war of words is a better way to put it. Whether we like it or not, cyber has become the default way for everyone else to talk about what we do.
The term cyber has been on my mind a lot because we’ve been going through the process of redeveloping the BH Consulting website, an exercise that’s prompted a lively internal debate about how we describe ourselves and our services. It’s tempting to take the moral high ground and refuse to engage with cyber. Instead, we could choose to refer only to information security because we believe it accurately reflects both physical documents as well as digital assets, while giving importance to each one.
It’s fair to say that some of the industry’s suspicion about cyber comes from the fact that it’s broad enough to cover the charlatans in the industry who think there’s a buck to be made by scaring people into stocking up on silver bullets instead of informing them in a responsible way about how security can help them to do business better.
Around the same time as we were going through this thought process at BH Consulting, I happened to catch Dr Jess Barker’s excellent presentation about this very same issue at the IRISSCERT Irisscon Cybercrime conference last November in Dublin. She referred to cyber as “the dreaded C word that you’re not allowed to say”.
A quick show of hands from the audience confirmed her thesis that people working in the industry tend to reject the terms cyber and cybersecurity. But if you open a dictionary, you’ll find cybersecurity is the only term of its kind. One survey ranked information security as the least popular term among the general public, even lower than e-security.
It almost goes without saying that cyber was the most popular term in that poll. Why? Probably because it’s a catch-all shorthand term that most people understand to mean computer-related or online, especially when it’s placed in front of security or crime.
It isn’t news to say that many of the recurring problems in security come down to behaviours, people and organisations. Dr Barker argued that a common language is essential if the security industry wants to get people to listen to a message, change their behaviour, and better protect the information they’re trusted with. The more clearly you communicate something, the more people engage with it.
Jessica says we should see the term cybersecurity as a bridge, especially at a time when security is getting more attention than ever. “We’ve been complaining for years that the business doesn’t listen to us. In the last few years, people are more interested in security but as soon as they start using that term, we mock what they do,” she said.
As professionals, if we’re serious about improving security by any name, then we have a duty to engage with the media, the public, business stakeholders and government on their terms rather than ours.
So maybe it’s time to concede defeat in the cyber war. Otherwise, we’ll end up about as relevant as the airline that wanted to be known for low-cost fares while its potential customers were searching online for cheap flights.