I conducted a workshop on cybersecurity risk assessment for several directors managing application portfolios in a large global financial firm. One of the senior directors who managed the mainframe systems asked me directly, “I manage the mainframe systems that are purely internal. How is cybersecurity even relevant to me?” I was hardly surprised and said silently to myself, “Here we go again.”
Cybersecurity is now a common buzzword, so one would think the meaning should be obvious and globally common. However, it is far from being clearly understood, let alone standardized. The good news is that cybersecurity is perceived as something essential that has a significant impact on business or government. We only need to figure out what exactly it means.
It may be a surprise for many that the word “cyber” has been prevalent for more than a few hundred years—Plato associated it with government control. It was then used by some philosophers and novelists to define a virtual space, cyberspace. Eventually, it became associated with the military, as they are the defenders of all spaces, and security of this space was termed cybersecurity. Because of this background, “cybersecurity” has both defensive and offensive attributes associated with it. Cybersecurity quickly connected with media and the masses and led to creation of several other connected terms, such as cybercriminals, cyberwar and cyberdiplomacy.
Computer security communities, technology media, government agencies and research firms have provided their own definitions of cybersecurity over the past few decades. However, it is only in the last couple of years that major actors have come closer to a shared definition of cybersecurity—it is understood to be a broad range of practices, tools and concepts related closely to IT and operational technology security. It includes offensive use of IT. However, as use of offensive measures would amount to breach of law, cybersecurity (in the enterprise context) must be limited in scope to defensive measures only. What remains is to take this global definition to key enterprise stakeholders—executives, managers, IT and end users.
Painting everything “cyber,” even in the enterprise context, carries the danger of overspending on advanced capabilities while neglecting the security of core infrastructure, applications and security processes. It is therefore essential to understand one’s business and critical information infrastructure and to deploy multilayered protection measures with a risk-based approach. A risk-based security strategy and a long-term road map should be built and implemented with transparency. In addition to that strategy, strong governance with adequate security metrics is critical.
Read Deepak Rout’s recent Journal article:
“Developing a Common Understanding of Cybersecurity,” ISACA Journal, volume 6, 2015.