Cyber Security Does Not Warrant Special Naming
Let me start off by recognizing this is a slightly pedantic issue. Without a doubt I have spent too much time contemplating this topic, and cannot recall ever having substantive conversations with my colleagues about it. I find even bringing up the idea embarrassing because it is to trivial. But it bothers me and I intend to get this off my cyber chest.
While I find myself being finicky about it, words are important, and the vernacular we use when talking about the cyber is vital. It is imperative the entire industry speaks a common language, uses common terms, and has a common baseline understanding of the complex issues we face every day. This is why I am concerned with industry and media discourse around cyber, and the peculiar obsession with using the term cybersecurity as opposed to cyber security.
What, after all, makes this domain so important as to warrant its own word? While cyber is a relatively new security realm when compared to more traditional areas, its newness should not award it any superior stature. Even though cyber has permeated almost every aspect of modern human culture, does this somehow automatically provide it with special pedestal-like status above other security specialties?
There are a host of other security disciplines just as important to everyday life as cyber, yet in every other case no special status was granted to their naming. Here are just some of the various security vocations for reference:
- Application security: discipline focusing on ensuring applications are developed securely throughout the various stages of the application development lifecycle.
- Asset security: discipline dedicated to protection of computer assets, whether that is hardware, software, data, or any component providing or supporting information-related activities.
- Industrial security: this is more of a government and defense industry related security domain rather than something general. It focuses on managing the needs of private industry to access classified information, and ensuring organizations have implemented specific criteria before being provided with access to highly sensitive data.
- Information security: discipline dedicated to preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording, or destruction of data. This is type agnostic, and applies to any form of data, regardless if it is printed, recorded, on a network, etc.
- Network security: policies and measures implemented to prevent unauthorized access, misuse, modification, or denial of network resources.
- Operations security: also known as OPSEC, its goal is to protect the entire puzzle by ensuring smaller, seemingly benign pieces of a larger puzzle are not knowingly or accidentally disclosed. The desire is to ensure potential attackers are unable aggregate enough of the puzzle to fully comprehend what data they have acquired.
- Personnel security: a discipline dedicated to managing insider threat risk and ensuring employees are trustworthy enough to be provided legitimate access to highly sensitive information. This is done through a series of background checks, interviews, and potentially even polygraph tests, depending on the level of security clearance required.
- Physical security: discipline dedicated to denying unauthorized physical access to facilities, equipment, and resources to protect personnel and property from harm or damage. This could be in the form of human actions like theft, terrorism, or espionage; or it can be natural disasters like floods, typhoons, earthquakes, and more.
Now we come back to cyber, which is a discipline dedicated to, like many of the above, protecting information technology assets from unauthorized access, theft, destruction, misuse, disruption, and misdirection. There are various strategies employed in this endeavor, often times requiring aspects of multiple security domains to properly achieve the stated goal.
In no case above does the space between the domain and the word security disappear. There is no assetsecurity, networksecurity, physicalsecurity. Yet for some reason the world seems enamored with cybersecurity.
Why is this? Why have I spent so much time thinking about such a banal topic?
Cyber is just another security discipline and should not be afforded its own special word. In fact, many people already seem to use various forms, confused which is appropriate to use at which time.
The proper way to write it is as cyber security, to denote it as another security discipline, while not elevating it to some special status above others. Cyber security is important, but so is application security, physical security, and the myriad other disciplines.
Cyber security is merely a modern manifestation of security as society has evolved towards a more data-centric lifestyle. While physical security remains just as important as ever, especially with current terrorism threats, cyber has invaded our lives in ways we never imagined. That does not warrant a new word for this discipline, just a reimagined focus on strategies for protecting this new realm.
Stop using cybersecurity to describe this topic, and stick with the tried and true cyber security. It makes more sense, looks far better, and is aligned with the various uses of security throughout history.
Now that I got that off my chest I can finally start focusing on more important security topics.