What is Cybersecurity?
This question sparked a robust discussion I had with some security and non-security folks a few weeks ago at a networking event. I thought it would be a great place to start my “What Is Wednesdays” series (I love a good alliteration) by looking deeper into its definition.
You might be surprised to know that, as our discussions revealed, not everyone has a definition of cybersecurity.
Even more surprising is that looking further into this, I found that most “experts” disagree on something as simple as what constitutes security measures or even security alone cybersecurity. This lack of consensus may be the first stumbling block to why there isn’t a widely accepted, detailed definition of cybersecurity, despite being an area worth billions of dollars, facing a supposed skills shortage, and has been around for decades. Is it just me who finds this a bit mental??
Let’s take it back to basics and break down the term “cybersecurity.” (Let’s leave it one word or two? for another time) If we simplify it, it essentially refers to the security of cyber. However, we need to acknowledge that the term “cyber” is used in the media and everyday conversations in many different ways, with modern language constantly evolving alongside new technology and its associated culture that my kids will one day explain to me. New “cyber” terms appear on what feels like a daily basis as online habits evolve, such as cyberbullying, cyberspace, cyberstalking, and cyberchondria.
What does Cyber mean in the context of a cyber attack?
So, back to what Cyber means. From the research that I have done, it appears as though most references point to the modern usage of the prefix “cyber”, originating from the term cybernetics. This term comes from the Greek word kybernētēs, meaning “guide” or “governor.” US mathematician Norbert Wiener popularised itthrough his work Cybernetics: Or Control and Communication in the Animal and the Machine (1948). His work laid the foundation for studying regulatory and control systems in machines and living organisms, and his influence led to the widespread adoption of “cyber” as a prefix in technology-related contexts.
Additionally, the notion of “cyber” was further extended into popular culture. For instance, the term cyberspace—referring to the virtual environment of computer networks—was coined by science fiction author William Gibson in his 1981 novel Burning Chrome (about 2 US hackers against Russia – worth around read!), which helped cement the modern association of “cyber” with digital and literary themes.
From the beginning of computers in the 1960s to the early 1990s, most folks talked about individual types of security, such as computer security, information security, or network security. These terms are fairly descriptive and cover the areas succinctly enough to be understood by those in similar fields; there was no lumping them all together as there is now.
So how did the term cyber catch on?
Well, after spending way too much time on this, my best guess comes from the 1998 Senate Committee on Governmental Affairs hearing titled “Weak Computer Security in Government: Is the Public at Risk?” The hearing featured testimonies from (cyber)security experts, including Dr. Peter G. Neumann and members of the hacker collective L0pht. Their evidence highlighted vulnerabilities in the US government computer systems, marking a pivotal moment in raising awareness about cybersecurity.
These hearings were widely publicised in the press and on TV, and the term possibly was seen as trendy or exotic by both senators, who went on to use it in their speeches and then, in turn, the press, much to the constant dismay of those working in the individual fields then and ever since. The novelty factor may have had an influence on its catching on, especially among sales and marketing folk keen to latch onto snappy terms.
Right, at this point, I’m going to say we know what cyber means—networks, computers, data, and, of course, we can’t forget “AI” nowadays as well. Therefore, let’s move on to the next part.
What does security mean?
Being married to an English teacher, I am reminded that security and all of its spin-offs can be both verbs and adjectives. For example, we take actions to secure (the verb) an environment to ensure its systems are secure (the adjective). Endpoint security is crucial in this context, as it involves protecting all devices connected to a network, including desktops, laptops, and mobile devices. Cloud security is another critical discipline focused on protecting data, applications, and infrastructure hosted in the cloud. This includes protection against malicious software, cyber threats, and cyber attacks that can compromise the confidentiality, integrity, and availability of digital information, often through vulnerabilities in the operating system. Unfortunately, much like our meandering into the meaning of cyber, there is no agreed-upon formal definition here, however, in essence, cybersecurity is all about safeguarding our digital world from those who seek to exploit vulnerabilities for their gain.
Cybersecurity Basics
My Cybersecurity Definition – just to add another
Cybersecurity refers to the practices, technologies, and processes designed to protect computer systems, networks, and sensitive data from unauthorized access, use, disclosure, disruption, modification, or destruction. This includes protection against malicious software, cyber threats, and cyber attacks that can compromise the confidentiality, integrity, and availability of digital information. In essence, cybersecurity is all about safeguarding our digital world from those who seek to exploit vulnerabilities for their gain.
Cybersecurity vs Information Security
While often used interchangeably, cybersecurity and information security are distinct concepts. Cybersecurity focuses specifically on protecting computer systems and networks from cyber threats. It deals with the digital realm, ensuring that our online activities and data remain secure from hackers and malicious software. On the other hand, information security encompasses a broader range of measures to protect sensitive data. This includes not only digital security but also physical security, encryption, and access control. Think of information security as the umbrella term, with cybersecurity being a crucial part of it, dedicated to defending against the ever-evolving landscape of cyber threats.
Why is Cybersecurity Important?
Cybersecurity is a Critical, Board-Level Issue
Cybersecurity is a critical concern for organizations of all sizes, as the consequences of a cyber attack can be severe and far-reaching. A single data breach can result in significant financial losses, damage to reputation, and legal liabilities. Moreover, the increasing reliance on mobile devices, cloud computing, and the Internet of Things (IoT) has expanded the attack surface, making it essential for organizations to prioritize cybersecurity as a board-level issue. Effective cybersecurity measures can help prevent data breaches, protect sensitive information, and ensure the continuity of business operations. In today’s interconnected world, neglecting cybersecurity is not an option; it’s a fundamental aspect of safeguarding an organization’s future.
What do the references say about malicious software?
So, how is it defined in reference material?
The Miriam Webster dictionary defines cyber security as
“measures taken to protect a computer or computer system (as on the Internet) against unauthorised access or attack.”
Whereas the Cambridge English dictionary defines it as
*“things that are done to protect a person, organisation, or country and their computer information against crime or attacks carried out using the internet.”*
Both definitions leave out the issues of controlling access, detecting malicious activities and protecting networks. Attackers often gain access to sensitive information through deceptive tactics like social engineering and phishing.
NIST, The National Institute of Standards and Technology, defines CyberSecurity in much more succinctly
The ability to protect or defend the use of cyberspace from cyber attacks.
My definition would be
Cybersecurity is the practice of protecting networks, systems, hardware, software, and data from threats and ensuring their confidentiality, integrity, and availability through a combination of technologies, policies, and best practices.
In any case, we have come a long way from Eugene Spafford’s original definition of security, or at least computer security, which was written in 1990 in their book Practical Unix and Internet Security.
“a computer is secure if you can depend on it and its software behaves as it should”
Moreover, the increasing reliance on mobile devices, cloud computing, and the Internet of Things (IoT) has expanded the attack surface, making it essential for organizations to prioritize cybersecurity as a board-level issue.
So why is a definition so important? It’s about ensuring that we are all on the same page when discussing these concepts and areas of work. It is also important in helping us define the metrics that allow us to see how effective the controls we use are so we can compare them to others’ work and judge the pros and cons of those controls.
Effective cybersecurity measures can help prevent data breaches, protect sensitive information, and ensure the continuity of business operations. Addressing security threats through employee education and threat detection systems is crucial for enhancing cybersecurity.
In today’s interconnected world, neglecting cybersecurity is not an option; it’s a fundamental aspect of safeguarding an organization’s future. Phishing attacks are a common method used by cybercriminals to steal sensitive data, such as credit card numbers and login details, by imitating trusted sources.
So, to finish this rambling article and summarise my findings, we do not have a consensus or an agreed-upon definition of CyberSecurity, which leaves much more room for discussion due to the ambiguity—which is annoying. However, we have looked at what the component words mean, where the term comes from, and some of the many definitions.