Information Security, Cybersecurity, IT security, and other synonyms
Information Security, Cybersecurity, IT security. We’ve all heard and read them in interchangeable ways, these synonyms all aim to define what is security. But most of them imply assumptions harmful for the Information Security domain. Let me explain.
What we try to do
Generally, when we, or often the media, use the term “Cybersecurity”, we want to describe the idea that we want to be secure against some kind of “hacker”. Most people who use this term imagine a “hacker”, in a black hoodie, in front of a screen full of green scribble. But this idea misses the point of what really is Security, or as I prefer to say, Information Security, or InfoSec.
What a bad actor, often named “hacker”, really want to do is to gain access to information that he/she wouldn’t normally have access otherwise to reach a goal.
In a ransomware attack, the goal is to keep you from having access to this information and extort money from you. In a phishing attack, the goal could be to steal credentials, which is a kind of information, to use them or sell them.
So once we understand what the bad actor wants, we understand what we need to protect. At the highest level, the goal is Information. Hence the word “information” in “Information Security”. The security part imply the idea that we want to protect this information against all kind of attacks.
Why it’s a problem
The problem with the words “Cybersecurity”, “IT security” and other similar terms is that they imply that the security must be done at the technology level: the computers, the servers, the firewalls, the switches, etc. While it is important to secure these technologies, the global strategy needs to be way larger.
For example, no technology can help us against the CEO fraud if an untrain employee falls for it. The problem in this specific case is the lack of training. Training is not a technological solution but it is one of the most effective strategy to protect the business.
If we try to reduce the security problem to only the technology, we’ll fail miserably.
The reason these terms are harmful to the domain is that they create this idea in the mind of the leaders that security is an IT problem. So it often falls in the hands of an IT officer, like the CTO. Most businesses don’t have a CISO, and those who do have him/her under the IT department. I could write a complete post on why this is a bad idea.
What should we do
This is a business culture problem and this is where we need to start the work. Businesses that invest in a Security culture often thrives even more than the ones that put millions on technologies.
So it is more than time that we start talking about this domain by naming it “Information Security“!
Note: I wrote “hacker” between quotes when talking about bad actors because this term became pejorative. Initially, a hacker is only someone who finds a way around some limitations, with good or bad intentions; mostly goods. For example, my reading light is too bright and I can’t dim it enough; so I put black tape on it to cover about 80% so I get just enough light. That’s hacking applied to something else than technology. It’s a ridiculous example to demonstrate my idea.
As explained in wikipedia:
The controversy is usually based on the assertion that the term originally meant someone messing about with something in a positive sense, that is, using playful cleverness to achieve a goal. But then, it is supposed, the meaning of the term shifted over the decades and came to refer to computer criminalsSource: https://en.wikipedia.org/wiki/Hacker
Note 2: because of the way SEO works, I’ll hack my way to the top results by placing terms like “Cybersecurity” in my blog from time to time 😉