This is a slightly pedantic issue I have spent likely too much time contemplating and not enough time discussing. While I find myself being finicky about it, words are important, and the vernacular we use when talking about cyber is vital. It is imperative the entire industry speaks a common language, uses common terms, and has a common baseline understanding of the complex issues we face every day. This is why I am concerned with industry and media discourse around cyber, and its peculiar obsession with using the term cybersecurity as opposed to cyber security.
What, after all, makes this domain so important as to warrant its own word? While cyber is a relatively new security realm when compared to more traditional areas, its newness should not award it any superior stature. Even though cyber has permeated almost every aspect of modern human culture, does this somehow automatically provide it with superior stature above other security specialties?
There are a host of other security disciplines just as important to everyday life as cyber is, yet in every other case no special status was granted to their naming. Here are just some of the various security vocations for reference:
- Application security: discipline focusing on ensuring applications are developed securely throughout the various stages of the application development lifecycle.
- Asset security: discipline dedicated to protection of computer assets, whether that is hardware, software, data, or any component providing or supporting information-related activities.
- Industrial security: this is more of a government and defense industry related security domain rather than something general. It focuses on managing the needs of private industry to access classified information, and ensuring organizations have implemented specific criteria before being provided with access to highly sensitive data.
- Information security: discipline dedicated to preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording, or destruction of data. This is type agnostic, and applies to any form of data, regardless of whether it is printed, recorded, on a network, etc.
- Network security: policies and measures implemented to prevent unauthorized access, misuse, modification, or denial of network resources.
- Operations security: also known as OPSEC, its goal is to protect the entire puzzle by ensuring smaller, seemingly benign pieces of a larger puzzle are not knowingly or accidentally disclosed. The desire is to ensure potential attackers are unable to aggregate enough of the puzzle to fully comprehend what data they have acquired.
- Personnel security: a discipline dedicated to managing insider threat risk and ensuring employees are trustworthy enough to be provided legitimate access to highly sensitive information. This is done through a series of background checks, interviews, and potentially even polygraph tests, depending on the level of security clearance required.
- Physical security: discipline dedicated to denying unauthorized physical access to facilities, equipment, and resources to protect personnel and property from harm or damage. This could be in the form of human actions like theft, terrorism, or espionage; or it can be natural disasters like floods, typhoons, earthquakes, and more.
Now we come back to cyber, which is a discipline dedicated to, like many of the above, protecting information technology assets from unauthorized access, theft, destruction, misuse, disruption, and misdirection. There are various strategies employed in this endeavor, often requiring aspects of multiple security domains to properly achieve the stated goal.
In no case above does the space between the domain and the word security disappear. There is no assetsecurity, networksecurity, physicalsecurity. Yet for some reason the world seems enamored with cybersecurity.
Cyber is just another security discipline and should not be afforded its own special word. In fact, many people already seem to use various forms, confused about which is appropriate to use at which time.
The proper way to write it is as cyber security, to denote it as another security discipline, while not elevating it to some special status above others. Cyber security is important, but so is application security, physical security, and the myriad other disciplines.
Cyber security is merely a modern manifestation of security as society has evolved towards a more data-centric lifestyle. While physical security remains just as important as ever, especially with current terrorism threats, cyber has invaded our lives in ways we never imagined. That does not warrant a new word for this discipline, just a reimagined focus on strategies for protecting this new realm.
Stop using cybersecurity to describe this topic, and stick with the tried and true cyber security. It makes more sense, looks far better, and is aligned with the various uses of security throughout history.
Now that I got that off my chest I can surely begin to focus on more important security topics.