Cybersecurity is, unfortunately, often misunderstood. So I offer you a
succinct definition, and then a discussion of cybersecurity. This
definition is one given by Dr Eric Cole, one of the early Chief
Information Security Officers (CISOs). You can find his work online.
His definition is:
"Cybersecurity is understanding, managing and mitigating the risks associated with a company's critical data."
If we analyze this definition, a couple of things come immediately to
light:
- Cybersecurity is a risk reduction effort (not a risk elimination
  effort). That fact has several implications:
  - To be effective it must be ongoing, and more or less constant.
  - The program leaders must be made aware of changes that may affect
    the risks and/or the company's tolerance for risk.
  - The environment in which the risks exist must be taken into account.
  - The program leaders must have a full understanding of the controls
    in place at any given time, in order to understand the risks.
- The company has, or creates, a clear understanding of the data that it
  uses in order to make money (the 'critical' data), and possibly other
  kinds of data that represent additional risk even though they aren't
  critical, simply because holding them carries inherent risk (they could
  be breached or exposed).
- This definition also implies that the company defines, somewhat
  specifically, what sorts of loss it can tolerate: loss of customers,
  loss of $x in revenue, loss of cash to fines and/or court costs, loss of
  customer and/or end-user confidence, loss of customer acquisition costs,
  etc.
- Finally, note that this definition suggests that it's not a goal to
  eliminate ALL risk (that's impossible). Rather, the goal is to bring
  the risks under control such that any risk which does materialize will
  have limited impact on the bottom line.
And realize that many of the above factors will change over time for many
reasons: the company gains customers/users, increases or decreases the
amount and types of data it holds, has 'more to lose' if a breach were to
occur (as it gains reputation in the marketplace), etc.
To expand further on cybersecurity, I would suggest that most
businesses should view cybersecurity more like they do another
well-known risk management discipline, namely corporate finance.
Yep... that's what I said. Cybersecurity has a lot more in common
with corporate finance than, say, traditional IT. A company's IT
department, often headed up by a CIO, is more about uptime than
anything else. And uptime is mostly an issue of dollars spent. If
you need more uptime and more performance you can almost always
solve that problem with more cash and more equipment/infrastructure, at
least temporarily. Cybersecurity doesn't work this way, unfortunately.
Finance is focused on keeping the lights on and keeping the staff
and other bills paid, first and foremost, and on growth second.
Financial planning needs to take into account many external factors
that the business itself has no control over: the economy, the
availability of funding sources and the amount of funding those
sources are willing to provide. Finance then takes the available
funds and doles them out according to the business's current
goals and growth targets.
Cybersecurity teams deal with both internal and external factors,
and as with finance, the external factors are largely beyond the
company's control. One example is the rise, over the last few
years, of organized crime as the dominant attacker. Hacktivism,
too, is a growing concern, particularly for larger companies and
companies in markets that have the potential for large-scale societal
disruption (self-driving trucks, for example, which may eliminate
the job of 'truck driver' entirely, which is, somewhat surprisingly,
the *most common occupation* in the US). Companies which author their
own websites or other software often include a lot of free/open
source software (FOSS), both in their offerings and in the
development/build/release process. FOSS comes with its own risks,
not the least of which are the security problems in the software itself.
There has also been a significant rise in attacks on software development
pipelines and suppliers, which attempt to sneak 'back doors' into a
company's product, allowing the attacker to enter your systems.
In some companies, product design decisions are made without
considering security and privacy concerns from the outset. These
are internally generated risks which any company can avoid, but
most don't do a good job of it, and that's especially true of tech
startups.
Like finance, cybersecurity is complex, impactful to any business's long-term
survival, and never finished.