Sometimes ambiguity has power — the power to capture the zeitgeist of a movement, culture, or vision without getting dragged into the weeds about what really is or isn’t included; it provides time for an idea to crystallize, become defined, or reach critical mass.
That (somewhat arcane opening paragraph) sums up where I feel we are with regard to the term "cyber." We all know that it has crept into the security and risk (S&R) lexicon over the past few years, but, by managing to avoid clear definition, it’s become all things to all men — a declaration that “information security is different now” but not quite saying how. Think about it: If the US Department of Defense and the standards body NIST aren't aligned on their definitions of cybersecurity, how can we expect CISOs and business execs to be?
I have spoken to numerous S&R leaders recently, and, although there was a fair amount of discord, the CISO of one global financial services organization best summarized the prevailing perception:
"‘Cyber’ is something coming from the Internet attacking our infrastructure assets. We're not classifying internal incidents as cyber, otherwise it makes no sense for us to have another word for something that is a classical security incident. It's about the external and internal distinction."
Cartoon included by kind permission of http://www.kaltoons.com/
What has been interesting is seeing how many S&R job titles are being revisited to include "cybersecurity" alongside information security; in some cases, it even replaces information security altogether. At first glance, this may appear to be a trivial rebranding, merely putting lipstick on a pig, but it’s not; this role redefinition is actually an astute move by S&R professionals. They are:
- Rebranding for alignment. Although many S&R professionals dislike the "cyber" label, feeling that it’s just a new word for an existing practice, it's undeniable that the wider press, regulators, and governments have latched on to it. At this stage, any reluctance to adopt the term is potentially damaging to your career as it could make you look out of touch.
- Rebranding for budget. Few board members have managed to avoid the concept of cybersecurity; it is repeatedly thrown at them from the pages of the financial press, government agencies, and industry regulators. They know it’s a big deal, but, due to its lack of clarity, they are often unsure where their firm stands. This is a great opportunity for a cyber-aligned CISO to review the strategy and highlight key areas of risk for focus and investment.
- Rebranding for talent. It’s undeniable: "Cyber" is sexier than "information security" — one CISO we spoke with found as much when trying to recruit new talent. However, by rebranding the roles and highlighting the "cyber" aspect, he managed to make the roles more appealing to recent graduates.
- Rebranding for customer trust. In an age when security breaches are immediately visible and customer trust is closely associated with brand reputation, it is simply good marketing to demonstrate to your customers that your firm recognizes the importance of data security, understands the current threat landscape, and is doing something about it. One way to communicate that your firm is on top of these issues is to ensure that key individuals have visible accountability for "cyber" — and what easier way to do that than by including it in their job title?
Like it or not, "cyber" is part of our language now. It encapsulates an innate fear that capable, external attackers can steal our customer data or take our critical systems offline at will. As security has become more visible and more of a concern to customers and board members alike, S&R professionals need to use all possible techniques to ensure that they are seen to be fighting the good fight in every way possible. If tweaking your job title helps, then do it.