Revisiting, Yet Again: Cybersecurity Basics and the Silliness of Wordsmithing

The “revisit of the cybersecurity basics” piece may be early this year, but it’s also necessary. If you haven’t read the previous ones – “Cybersecurity Starts With Basics” and “Revisiting the Cybersecurity Basics: An Independence Day Special” – they’re good places to start.

“Cyber Doomsday” is upon us. At least that’s what we keep on hearing. The World Economic Forum Global Risks Perception Survey lists “data fraud or theft” and “cyber-attacks” as number four and five, respectively, as the Top 10 risks in terms of likelihood. In terms of impact, “cyber-attacks” and “critical information infrastructure breakdown” come in at number seven and eight respectively.

Now before we go further – and as some may question what I’m doing questioning how the WEF conducts studies – I do have a pretty “basic” question: what exactly is the difference between “data fraud or theft” and “cyber-attacks” and “critical information infrastructure breakdown” exactly?

Aren’t they all part of the same overarching cybersecurity problem?

Why Wordsmithing is Silly and Gets us Into Trouble

Here are the definitions for each, found on page 98 of the report:

  • Breakdown of critical information infrastructure and networks (Critical information infrastructure breakdown) – Cyber dependency that increases vulnerability to outage of critical information infrastructure (e.g. internet, satellites, etc.) and networks, causing widespread disruption.
  • Large-scale cyber-attacks – Large-scale cyber-attacks or malware causing large economic damages, geopolitical tensions, or widespread loss of trust in the internet.
  • Massive incident of data fraud/theft – Wrongful exploitation of private or official data that takes place on an unprecedented scale.

While we’re at it, could you define “widespread” and “unprecedented” too please?

If you didn’t get a chance to read last month’s piece, let me boil it down to a few words: there’s too much noise which is diverting our attention and making things unnecessarily complex.

As I’ve mentioned in the past, I try to boil down cybersecurity to this simple equation:

  • Network Security + Information Security = Data Security

Definition time, because well, definitions matter:

  • Network Security – primarily a technical issue that requires specialized skills.
  • Information Security – can range from training your staff, to internal policies, to utilizing industry standards, to practices on how to handle sensitive documents, and physical security.
  • Data Security – what those two things put together are.

All this fancy wordsmithing and visualization in glossy reports with pretty diagrams sure looks nice, but really, it’s all part of the same problem which means we’re making our lives unnecessarily difficult. Really, look at the three WEF definitions and demonstrate to me how they are three discrete and distinct issues? They’re not. It’s all the same thing.

Isn’t it Just the Same…but Different?

I can already sniff what some people are about to say: but George isn’t your equation very similar to what the WEF definitions are saying also?

YES! They are very similar!  But I used six words (well, technically four: network, information, data and security) to define the problem instead of what you got from the WEF.

What was that Dee Hock quote I used in last month’s article? “Simple, clear purpose and principles give rise to complex intelligent behavior. Complex rules and regulations give rise to simple stupid behavior.”

In order to get back to the basics, so we can give rise to “complex intelligent behavior” as Dee Hock says, we need the language to be simple and clear. Don’t play the word games or we’re just going to spin our wheels. This cybersecurity thing is hard enough as it is.

Focus on the Basics by Using Language Everybody Can Understand

If you want to better your cybersecurity posture and reduce your risk, make sure you are communicating to your stakeholders exactly what you are doing. And make sure they can understand what you are saying because they really don’t have time for all this “extra” language because in case you haven’t noticed, our attention spans are decreasing, thanks in large part to technology, which has reduced our attention span by a good 33% from what it was over a decade ago.

You’ll probably note that this strategy has little to do with technology. At its core, this strategy is a communications problem that needs to be solved. Therefore, if there is a message problem, regardless where in the path it could be – development, delivery, reception, or processing – we’re just going to end up with more wordsmithing and pretty diagrams.

If you can master that messaging, I’m confident you’ll be better positioned to make the right cybersecurity moves within your own organization, which ultimately will reduce your risk and save you some of your hard earned resources.

By George Platsis

SDI Cyber Risk Practice