Why We Need a Space in Cyber Security

There are occasional arguments about whether it's cyber security (generally favoured in the UK, among others) or cybersecurity (more common in America). People can get very passionate about this. I've had people furious with me for pointing out it's largely a regional variation, not an important one.

Now I've got to apologise to those people, because I think there is something important in the term we use. Of course, they're still wrong as we should be using cyber security, not cybersecurity. Hear me out before getting too angry - there is a rationale behind this, and it's an important one.

In the cyber security industry (or information security if, like me, you're old and creaky enough to remember before cyber security was a fashionable term) we often make one fairly fundamental mistake. It's a self-inflicted pain, making our lives harder and, like many other areas involving IT, meaning that we spend far too much time relearning lessons because we don't think our ancestors dealt with the same problems.

The mistake is that we put the cyber (or the information) first. Plenty of people think otherwise, this is far from a universal mistake, but it's common enough that I'm willing to wade back into the painful one- or two-word debate again to make the point. What we are doing is confusing the domain for the discipline.

Security is far from a new field. It is very easy to define. Security is a discipline. It is a skillset which is targeted, very accurately, at protecting an asset. The type of asset does not matter for the vast majority of those skills, they are universally applicable - risk management, vulnerability analysis (and management), threat awareness, surveillance (and corresponding understanding of surveillance), assurance, communication, there are very few skills which are unique to cyber security.

If security is a discipline then, where does cyber (or information, or physical, or supply chain, or financial, or food, or transport, etc) come in? Well, those are domains where we can apply the discipline of cyber. The domain knowledge is still important, but if it is missing it is something that can be filled in relatively quickly and easily with the right support. The discipline is what takes time to build and integrate effectively.

Many of our certifications and training courses in cyber security (and information security) focus on the domain, not the discipline. Domain knowledge is definitely useful, but without a framework of security as a discipline to hang it on, it will always leave holes and adapt only slowly to new situations.

So my big ask is, if you have got this far without breaking off to argue about whether the term for our industry needs a space or not, look at other areas of security, the methods, skills, and approaches that they use, and look for ways these can be brought over and applied to the cyber domain. Speak to people in other security domains and look for which lessons can be passed their way from the cyber domain. There are an awful lot of lessons out there that people have already learned over centuries, and it is much easier to learn from someone else's mistakes than our own.

Ultimately though remember it is all security, and our common aim is always to protect assets from a threat.