One of the hits of Black Hat 2015 in Las Vegas was a T-shirt featuring a growling Sam Jackson from one of Pulp Fiction’s more memorable scenes. Pointing his oversized handgun downrange, Jackson’s character threatens, “Say Cyber One More Time…” There was at least one word at the end that added even more emphasis, but the message was clear. Some clever designer captured what many security folks at the conference quietly thought. The word “cyber” has become so overused it is nearly meaningless. The term “cyber” has risen to the level of “information superhighway” or “web 2.0” and is clearly a target for ridicule. At the same time, others, mostly .gov and .mil guys, still use it in a forceful and matter of fact way.
Coming off the annual Cybersecurity Month in October and having the opportunity to recently speak at CyberMaryland, I’m all “cyber’ed” out. At least I’m painfully aware when it’s used in casual conversation, and I even wince when I use the term “cybersecurity” to describe what I do to the vast unwashed masses. What’s becoming increasingly obvious is that we need a new word for cyber. I want to actively debate this and find an alternative before “cyber” (an adjective, or noun) becomes a verb, as Google is to “googling” something. I never want to hear that a client was “cyber’ed” by a nation state threat, or that someone “cyberfied” their network to make it more resilient to attack. That bleak prospect is so gravely serious that we need to put tongue firmly in cheek and start talking….
As Alcoholics Anonymous and other recovery groups state, admitting you have a problem is the first step towards recovery. Yes, we have a problem. I’ve known this for some time. This fact was driven home to me earlier in the year when a non-security guy stated emphatically, “John, you know it’s not just about cyber, right? It’s about cyber, big data, and cloud?” My initial response was to suggest he add mobile and DevOps, then he would have every buzzword in IT covered. But after my first, and possibly snarkier, response trailed off, I thought serious discourse about the use of the word “cyber” was needed.
By background, I’ve been a security guy for nearly 20 years. That’s how I self-identify, and that’s how people know me. Like Johnny Appleseed, I dispense solicited advice at cocktail parties, family reunions, and at my daughter’s soccer game. I answer questions that range from smartphone security, to when to update one’s Window’s box, to how best to select hard-to-crack passwords. So I’m on the frontline, like all of us who read Dark Reading. It’s in our best interest to have a better term before someone finds a worse term to describe our industry and what we do. To that end, I would humbly submit the following observations and suggestions for further discussion.
Let .gov and .mil guys keep “cyber”
They are comfortable with the term, they use it in conversation without wincing, and would likely be a willing adoptive parent. There is the practical matter that there are so many instances where the term is baked into government code, into signage, into doctrine that a simple name change would cost taxpayers billions. In the military, the term “cyber” has been adopted to mean all things that don’t blow up bad guys. Fighter pilots, infantry officers, and naval officers may not understand what it is, but they do know it might prevent them from getting shot at. One request though. Stop using the term cyber warfighter ... As an ex-Air Force Information Warfare Center alumni I’ve never been quite comfortable with the term. Those same folks who have actually been shot at might not be able to stomach the term and you might get your nose punched by a Navy SEAL in a bar talking about how you DDos’ed someone.
Don’t reuse stale terms!
If cyber does a poor job describing what we do, certainly older, well-trodden names are no better. Information security, or InfoSec for short, is seemingly hopelessly stuck in the 90’s. It might have worked then, when the scope was purely about the security of information, but not now. Related terms, like information protection and network security are similarly dated and also too narrow in scope.
The least worst current option - cybersecurity
An acceptable compromise, and one that seems to strike a happy medium, is the term many use to-date, “cybersecurity.” Don’t worry about if it’s one word, two, or hyphenated, it has the word “cyber” in it for the Feds, and “security” in it for most of the commercial types. You can say cybersecurity in a mixed audience and not get groans or a rolling of the eyes by the more grizzled security veterans. As a stopgap measure, cybersecurity works.
In a perfect world – just security
Here’s where I’ve arrived. I call it “security;” no need to further describe or elaborate. I self-identify as a “security guy.” I help clients with security services and product. Given the constant stream of front-page stories, I find security (read cybersecurity) being so mainstream that I don’t have to clarify, or distinguish myself from our physical security brethren. No guns, gates, or guards for me, and no, I’m not a mall cop. So I’m a security professional, providing security services that keep clients out of the news.
No matter what we end up calling it, we need to make sure that those who live and breathe security are the ones who dictate the term that is used. The art of what we do as IT security professionals has evolved into a sophisticated and critical part of everyday culture, not just business. We need to own what we do and come up with a term we can be proud to associate with our work; not one that makes us cringe every time we hear it.