Is the drunken orgy of cyber security over?
Being ‘secure’ is popularly comprehended as a better state than being ‘insecure’. This is unsurprising; in the cyber security domain, being secure and doing things securely is considered so obvious as to not even need explicit reference. Many practitioners would argue that being more ‘secure’ is the goal and the entire point of their exercise.
Yet despite the wisdom of the community, what is precisely meant by this is rarely, if ever, defined. This creates an obvious, indisputable problem - if more cyber security is so important, it stands to reason that measuring it would have to be of the utmost importance too. And for effective measurement to be at all possible, a clear definition would be required first.
This is a conundrum that’s worth thinking about. Because if you are responsible for improving cyber security, whether you have actually done so will be a matter of some dispute.
So WTF is cyber security?
There is no universally agreed-upon definition of the term that can be relied upon to give a clear verdict.
There is the common view that cyber security is about being in a ‘better’ state and creating an ‘advantage’. But it doesn’t take much analysis to realise that this then opens up another set of questions. ‘Better’ and ‘advantage’ as defined by what terms? To whom? When? And how?
The idea of the baseline against which a superior advantage exists provides further obstacles. Should you measure against third party expectations, a narrow set of your similar competitors, the same vertical or industry as a whole, or perhaps even the entire community?
Then, there is the problem of time. Does having better cyber security mean winning the ‘game’ at a single point in time? Or does it mean continually adding more people, processes and tools to maintain an advantageous position in relation to the changing dynamics of your vulnerabilities and threats? Where does this end? This is not sustainable.
Others argue that cyber security happens when the activities reduce risk (yep, your guess is as good as mine). Said risk reduction is considered sustained when it holds up against the changing vulnerabilities and threats relevant to your context. This line of reasoning is even more difficult to take seriously; it relies on an assumption that whoever decides, by edict, whether the risk reduction has happened and is sustained would be able to look into the inner workings of their context and have perfect knowledge.
And so it goes on…..
The bigger point is that cyber security, on one hand, is a key to reliable, predictable, assured and trustworthy (yep, I don’t know either) business operations, and that this is something a company can create and manage. On the other hand, successful cyber security is only visible in retrospect, thus tantamount to success itself, and by nature temporal. Taken together, this is entirely circular logic.
So, where does this leave the Chief Information Security Officer?
Well, whether better cyber security did create an advantage or not is impossible to say, given that there is no consensus on what the term means. So, perhaps any CISO looking to help themselves, and their employer, should start by defining precisely what it entails, how it will be measured and why it matters in relation to their specific context. Clarity is key. Whether any supposed expert agrees with the definition is irrelevant as long as it works for you in your context.