Currently I am creating a presentation on cyber security as a competitive advantage. It looked like a simple task, but …
When building a presentation I feel that the content should be meaningful. Thinking about a good starting point and the fundamentals I need/want to convey, I thought it would be a good idea to start with a definition of cyber security.
Defining both words, Cyber and Security, I found a definition which is a little bit strange, but it was taken from William Gibson’s novel 1984:
“Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts… A graphic representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding.”
Another one, which I found good and better suited for business purposes, was given by the University of Maryland:
The interdependent network of information technology infrastructures, that includes the Internet, telecommunications networks, computer systems and embedded processors and controllers.
I believe this one is a better fit for purpose. Nevertheless, it gives a limited view on security issues. Cyberspace is meant to be digital. But what does that mean in relation to the intellectual property that people have? Information written or printed on paper? Proofs of concept coming from a machine, and so on? In short: what is the representation of non-digital information? From what I found, non-digital information is not covered by the term “cyber”!
What is the better term to provide a holistic view on security?
To be honest: I didn’t find one. Information is written on paper, stored in brains and in computers. Sometimes it is tangible, sometimes not. Sometimes it is related to buildings and other forms that might represent information or a value. The next question deriving from these thoughts:
Is there anything of value that is not related to information?
If you find something please tell me!
Security in general is meant to be a concept that implies protection from harm to any asset.
That is also the reason why we find numerous security functions in enterprises:
- Corporate security
- Facility security
- Information security
- IT security
- Cyber security
- Data protection
When talking to clients about their security functions, I very often hear that there is a wish to add new skills to the organization to cover new threats! When doing this, organizations tend to look for reasonable compromises, which are more likely to be trade-offs. Usually existing structures are maintained (e.g. the IT Security Officer) and new functions like a Cyber Security Department are added to the organization with newly defined responsibilities and different reporting lines.
Looking at the cyber definition again, the conflict is obvious! IT security deals with infrastructures. The information protection officer deals with information stored anywhere, and the Cyber Security Defense Service feels extremely hip because it is something new and really important, has an excellent budget, and sits on the territory of the CISO, the IT Security Officer and others.
I started to write down where security applies and found a number of issues and security functions. Most of them overlap, which I feel is OK.
Detection is the new Prevention
In another article I already presented my view on Detection versus Prevention. I believe Detection is key! A huge misunderstanding is that, when looking at the concept of security, the spotlight is on prevention. This might be true, but detection is the new prevention. In order to avoid harm to your organization you need to know your enemy and be prepared against almost everything that can happen. You will have to accept that hackers will get into your networks, and you will need to be prepared to detect them and fix the damage ASAP.
What happens here: It is RESILIENCE!
Organizations need to be better prepared to fix security incidents, no matter if they are related to buildings, employees, VIPs, IT infrastructure, paper-based information etc.
When I came to this conclusion I felt that any security function in an organization is an important feature. It is a preventive feature. It helps to detect issues. But recovery from incidents will be more important than we have ever believed.
I feel that a Business Resilience Function in any organization is the key to eliminating conflicts between different security functions and helps to align them into a powerful organization helping with prevention, detection and recovery!
What do you think? I do not know if I am right or wrong! I am really interested to read your views on this! Please share your thoughts with me and the rest of the community!