The security that dare not speak its name

There is a debate at work about what to call what we do. Actually, it’s not really a debate, more sort of a code of silence, or an agreement not to mention the subject in polite company lest it offends. When the subject comes up there is a sort of shuffling of feet, nervous laughter, “ahem”s and a subject quickly changed. But in Axenic’s spirit of transparency let’s get this out in the open: is what we do information security or cybersecurity? Certain people (I’m not naming names but they have numbered among our more beardy team members) have had such strong views that even using the word “cyber” at work is like a red rag to a bull. Actually, while I’m being honest, I have to admit that even though I am amongst the least hirsute of our team, I had strong leanings that way.

Why all the fuss? Well, in our defence we were trying to get “it” right, and not be swayed by fashion (notice that these aren’t hipster beards). By one definition cybersecurity is a subset of information security and by another, it is the other way around.

In the first view (and the one that is orthodoxy at Axenic), cybersecurity is a subset of information security because cybersecurity is only about information that is in computers or is online (internet-connected), whereas information security is about the security of all information irrespective of its form (paper, digital) or connected-ness.

In the other view (one I find perplexing, and others found enraging) information security is a subset of cybersecurity because information security is only about securing the information within an organisation, but cybersecurity includes the information flows beyond the boundaries of the organisation.

I must admit I favour the first view, but does anyone other than pedants like me care? In practice, we use the terms interchangeably, so if we want to be effective, then let’s use the language of our customers, and let’s leave debates like these to [information|cyber] security conferences. And for better or worse most of our customers recognise the cybersecurity label. So, while I haven’t changed my mind about which term is “correct” I have changed my mind about the term I’ll use.

Why are we in this business? Well, for me, it’s because I want to improve New Zealanders’ security, so let’s use the term that gets the most purchase, the term that will get people to improve their security, not the language that is the most correct!

The one substantive point to take from the debate should be that whichever term we use, we need to account for all of the aspects of security that these different terms highlight – digital and non-digital information; connected and unconnected systems; information within the enterprise and information outside – and information supply chains.

And let’s face it, while using buzzwords is a bit silly, not using a word just because it is a buzzword is even sillier. And I do enough silly things as it is.

So whatever term you prefer – contact Axenic for all your Cybersecurity/Information Security requirements…