This post was contributed by Dan Dipple, Cyber Security Manager at Charles Taylor. Dan is a cyber security professional with over 15 years of experience in information technology and security.
We have all seen buzzwords over the years, from Digital Transformation to Shift Left. The question is whether Cyber is another buzzword.
Controversial opinion, but let me explain my theory behind it.
We all use it, but are we just putting another “flashy word” on the title of something previously seen as mundane to make it more attractive?
From my personal experiences, I have seen classic examples that scream that this is not “real cyber”. When I was in the UK military, I saw first-hand how recruiters would change their vacant IT roles into “Cyber roles”, the sole reason being that they couldn’t attract people into the roles if they were branded simply as IT.
Another example that I find prevalent in today’s security space is that we are not teaching people how to be a hacker, but we want people to be aware of the markers they need to be vigilant of. This could be anything from a dodgy email to being spammed with MFA requests when you are nowhere near a company device. Therefore, when we talk about security awareness training, how much of it is actually “cyber”?
Finally, nobody can truly define the term Cyber in one sentence. There have been many discussions around it, but no one definition can be pinned down to describe it. Even if someone can turn around to me today and say that they have a description of the term, countless companies and security professionals will disagree with it from their standpoint.
There has been an explosion in titles that contain the word Cyber which brings connotations of being a hacker when the reality could not be further from the truth. If you type the word Cyber into Google, you are immediately presented with images of men in hoodies typing away frantically in darkened rooms with their faces covered. There are also strings of matrix code in all images, or the code comprises objects such as padlocks and shields. The top news stories for Cyber all relate to fines, ransomware, or hacking. Cyber should encompass so much more of what security entails, but for the general public, it has been boiled down to a single emotion - fear.
What if I told you the difference in job posting frequency between IT Security engineer and Cyber Security Engineer is almost double. It gets worse if you consider yourself an IT consultant; there is a 135% difference in job postings between that and a Cyber consultant.
We, as geeks, tend to think the word Cyber belongs in the in-depth part of the IT world that most people shy away from because it is too complex and tedious for most people to deal with daily. Some examples of this are:
People hate trawling through logs to find the needle in the haystack that indicates whether you have suffered an attack. Brand log analytics as Cyber log investigation, and it says something different.
We always hear the phrase “patch when you can.” We have gotten so far down the line with people struggling to keep on top of patches that we now have to employ Vulnerability Management Specialists to identify those patches that we really have to apply because our IT teams are so thinly spread.
I believe Cyber is another buzzword because it seems like an easy way to get a bigger slice of the pie in terms of budgeting for companies. IT Security has always been a requirement since end-user devices were introduced into the workplace but were often the overlooked component that has now become key in preventing data loss. Do you believe it needed a buzzword to get it into the “C Suite’s” ongoing plan, or would it naturally have gotten there given the vast number of attacks companies are experiencing almost daily?
Security is a natural consideration for us all, regardless of whether you consciously make that decision or not. Whenever you leave your home, it is ingrained in you to lock your doors because you don't want anything to be stolen. When you park your car, you make sure you hit the button and wait for the beep to indicate that it's locked; sometimes, you even doubt whether you did that, so you go back and check. , So, why do we have all these options available to us with IT Security and knowingly have the door but choose to leave it open?
In my opinion, IT staff are the people who don't shout the loudest when it comes to requiring more support in terms of budgets. We naturally like to bury our heads in our screens and hate sticking our heads above the parapet. We tend to rely on our CISOs or those nominated to fight our corner in the boardroom. These are the people who know how to speak corporate and keep reintroducing the buzzwords that do not reflect the work the IT Security team is doing.
We are also not seen as a money maker to any business. The easiest way to save money is often to reduce security tooling without realising the impact of the loss of that tool. It's a quick, easy win until a breach occurs, and the financial impact far outweighs the cost of the security tooling.
The biggest problem with this buzzword is that nobody can agree on its correct usage. So, you can see it thrown into situations to add gravitas where there is no legitimate reason for its use in that context. We use it as all-encompassing when computer scientists have been using terminology for years, such as
Computer Network Operations, Computer Network Attack, Computer Network Exploitation, Computer Network Defense, Information Security and Computer Security.
Should we go back to these monikers, or have those of us who have benefitted from our unique skill set rush against it for fear that it will hit our back pocket?
As much as I'd love to go back to these monikers, I feel there would be uproar in the industry as it will ultimately hit people's back pockets.
The IT industry goes through fits and starts in terms of skill sets, and I remember when people with CCNA qualifications earned a significant amount more because they had something nobody else had at the time. We will hit that point of equilibrium in terms of skill requirement and availability. This will probably be the "age of automation" because, let's face it, robots don't need time off.