InfoSec vs the cyber people
"Cyber" this and "cyber" that may seem tedious, but it's time to treat cyber security as a meta-field overlaying information security.
As practitioners and experts in the field of information security, it can often be frustrating when outsiders speak or make decisions about our world and our expertise. What we do is challenging, and treating it like the latest fad diet is a recipe for serious problems. Often working against considerable odds to solve real problems for organizations and individuals, our unique combination of art and science usually fails to be appreciated by those we are assisting (sometimes well beyond the call of duty).
Yet, nothing seems to stop these “others” from trying to get in our way—particularly as the media, Hollywood, politicians, and even industry increasingly find our field to be a source of lucrative opportunity.
Very often, the people we are most frustrated with are the ones who (almost obsessively, it seems) prepend the word cyber to everything. They talk about cyber safety, cyber hygiene, cyber law, cyber Pearl Harbors, cyber this, cyber that; we even have Cyber Mondays now.
No matter where we turn, someone else is cyber-ing on at length about information security without any real (apparent) knowledge; it can make us feel frustrated and dismissive of anyone who uses the term for any reason at all.
But is that the right attitude? Beyond the need for everyone to be civilized to each other, is there a practical reason for being forgiving of the Cyber Everything folks? I think there is, and that there is a place for the word in our lexicon—it’s so commonly used that there must be.
“Cyber people” and information security
Here, it’s illustrative to make gross generalizations and (very anecdotally) examine what kinds of folks we assume are using the word cyber the most. It turns out they’re responsible for some fairly important things:
Board and executive leadership: Set goals, resources, priorities, and risk management culture for organizations.
Reporters: Popularize and simplify important topics of the day for mass consumption.
Politicians: Set regulation and law enabling and constraining how people behave.
Lawyers: Interpret the laws politicians set and assist market forces in setting risk tolerances.
Critical infrastructure operations folks: Keep our society’s infrastructure running.
Sales, marketing, and procurement staff: Significantly influence the goods and services available to us and which ones we acquire.
The general public: Creates markets, owns significant amounts of risk, influences other groups, purchases our goods and services.
Regulators and auditors: Hold us to standards.
The problem, though, is that despite their important roles, few of the listed groups have the words information security (or even cyber security) in their job titles. So why do they matter to us? Why are they even discussing cyber security? It turns out that they matter to us quite a bit and that they are critical to cyber security. In fact, without them, information security doesn’t exist as a meaningful enterprise.
This is because these Cyber People provide almost all the context in which our field exists: They define its goals, its resources, its constraints, and its failures. Information security risk is generally created outside of information security staff’s span of control, and its consequences are most keenly felt by the Cyber People described above. They are not only relevant, but critical to information security risk management.
We exist, as a field, because there are risks to non-InfoSec people, created by non-InfoSec people, for which we are assigned resources and goals to resolve by non-InfoSec people, and for which successes and failures we are measured by non-InfoSec people. These non-InfoSec people are the ones who say the word “cyber.”
Without these other Cyber People, most of our jobs would either not exist or involve flipping bits to no end with no purpose. We’re not experts in their fields, so why should we expect them to be experts in ours?
Tail wagging the dog
In fact, since we actually control so few of the environmental factors affecting the cyber security state, we might be able to say that information security as a field is less of a causal agent in our collective risk posture than we’ve thought. Treating information security as the primary driver of cyber security risk posture is letting the tail wag the dog.
Perhaps, then, we find here a definitional boundary that can be used to distinguish information security from cyber security. Specifically, it seems that the folks who most frequently use the term cyber have, within their designated responsibilities, significant impact on the environment in which information security exists. So, then, cyber security might actually be definable as the set of roles, decisions, and actions that contextualize information, control systems, data, and other digital security fields.
Defining the cyber security problem space
There is, obviously, room for argument: Without a socialized, consensus definition of what cyber security is, what information security is, or really what a secure system is, it is pretty hard to make a case for one definition or the other. Still, we are starting to see these terms used in specific places over and over again. Patterns are developing, and instead of simply shrugging or, worse, being dismissive of them, we should act in keeping with the hackers that we are and evaluate what these patterns mean. Can we take advantage of them systemically to improve the world? Can we mitigate or redirect them into more productive paths?
Treating cyber security as a sort of meta-field overlaying information security may allow us to do this in a structured manner and might provide significant insights into why we are running into such difficulties keeping organizations secure, despite increased investment and awareness. It should help us become better at:
Asking ourselves how the environment impacts our jobs and if there are any pain points we can hack—in their terms, not ours.
Determining common exposure introduction points and modeling the most effective control points.
Translating information security common practices into business controls, instead of vice versa.
Modeling threat architectures in terms of complete (human) systems.
And more. The point is that we don’t really have a model of what our actual problem space looks like or how Cyber People affect it. Instead, we’ve often acted dismissively and have only really modeled what a small portion of the solution space looks like. This leaves us with significant gaps in coverage, conflict, inefficiencies, and almost unlimited exposure as our environmental complexity rises.
It’s time to look at the cyber security problem space, take the people who use the term seriously, and plug information security into it in a symbiotic, not confrontational, manner that helps start to sustainably reduce our collective risk.