Author: Gary Hibberd
Date: 1st July 2020
The technical answer to the question ‘What is Cybersecurity?’ is that it is:
“the state of being protected against the criminal or unauthorised use of electronic data, or the measures which are taken to achieve this.”
But if we left it there, this would be the shortest blog I’ve ever written, and it also wouldn’t do the term justice. We need to dig a little deeper and understand what Cybersecurity is and what it is trying to do if we’re going to benefit from it and improve it.
A brief history of Cyber
The term Cyber comes from the Greek word kybernētēs, meaning ‘steersman’ or ‘pilot’, and was first connected with the idea of technology in 1948, when Norbert Wiener wrote his book, which described Cybernetics as “the scientific study of control and communication in the animal and the machine”. It was the first time someone used the word Cyber to refer to self-regulating mechanisms.
His ground-breaking theoretical work has had a profound impact on our modern world, with virtually all of his principles of calculating and data processing machines being adopted in the design of digital computers. From the early mainframes of the 1950s to the latest microchips, his ideas are at the core of our computers today.
Of course, 1966 saw the rise of the Cybermen in Dr Who, and finally, William Gibson is credited with popularising the term Cyberpunk in his novel, Neuromancer, in 1984.
But in truth, it took the birth of the internet to really propel the term Cyber into the position it benefits from today.
Cybersecurity; not just a technical issue
Looking at the description above, and the history of the word Cyber, we can forgive everyone for thinking that Cybersecurity is all about technology. But that is not the case. Yes, the definition of Cybersecurity talks about the ‘unauthorised use of electronic data’, but it goes on to talk about the measures which are taken to achieve this.
People, Processes, Technology
In 1999, Bruce Schneier (author and cryptographer) popularised the idea that good security requires a focus on people, process and technology.
But more than twenty years on, we are still trying to educate business owners and leaders on the fact that Cybersecurity isn’t about technology, but the protection of data; and specifically electronic data and the mechanisms we use to achieve this.
We need to educate ourselves and those within our business on the importance of protecting data in ALL its forms. It shouldn’t matter if that data sits within a laptop, on a server or in a filing cabinet.
This education needs to be more rounded than it has been over the last twenty years. As an industry, we have done a terrible job of helping people understand the importance of these topics.
For far too long, I’ve heard security professionals describe users as ‘The weakest link’ in relation to security. This is both patronising and insulting, and it’s a practice that needs to stop.
I firmly believe we need to drop the phrase ‘Training and Awareness’, and simply call it Security Education. I can’t see this happening any time soon, but it needs to happen if we’re to improve our human defences.
Ensuring you have policies and procedures in place enables teams to follow pre-agreed ways of operating that can help protect an organisation.
Some organisations (especially the SME) operate with very few policies or procedures in place. This leads to inconsistency in the way of working, and can (and often does) lead to breaches and incidents occurring.
Having agreed principles, policies and processes in place reduces the risk of error and increases confidence in your services.
Of course, we all know that Cybersecurity is about technology, and it absolutely should not be forgotten. But it is only one part of the whole story. Cybersecurity specialists are often very proud of their technical capabilities and knowledge, but without people and process at play, all the technical knowledge and devices in the world will not save you from a determined Cybercriminal or disgruntled employee.
As Bruce Schneier once observed:
“If you think technology can solve your security problems, then you don’t understand the problems, and you don’t understand the technology.”
Although my LinkedIn profile talks about my being a Cybersecurity specialist, I actually don’t like the word Cybersecurity. I feel the definition of Cybersecurity is too restrictive for what I do because what I actually do is protect information in all its forms. I don’t care if that information sits on a computer, laptop, mobile device, or in a filing cabinet, handwritten note pad or briefcase.
And while the world is captivated by ‘Cybersecurity’, I believe as professionals we need people to recognise that data can exist in both physical and electronic forms.
I firmly believe that information must be protected from accidental or deliberate loss, destruction or access irrespective of the medium upon which it sits. Cybersecurity is here to stay, but I think we all should be working hard to help people understand that Cybersecurity is about more than Technology; it’s about People, Processes AND Technology.