Towards a Better Definition of Cybersecurity and its Implications
With the breadth of news coverage around blockchain, hacking scandals, and data integrity, an average person polled on the street is likely to have at least a basic sense of cybersecurity, as a concept if not by name.
The idea of cybersecurity is omnipresent; we know it exists, and we know it matters. A more concrete definition, however, has proved more elusive. Professionals and academics alike have tried to narrow it down, but there remains no definitive, universally-accepted scope of cybersecurity.
With so many definitions available, and none in precise agreement with one another, determining a way forward to cover their organisation against the spectre of cybersecurity can feel like a minefield for key decision-makers.
Cybersecurity presents a business risk, not merely a technology risk, and protecting the business must be seen not as an issue for the IT department but as a team sport including all stakeholders.
Three sample definitions of Cybersecurity
Cybersecurity and Information Security [1]
This approach debates the relationship between cybersecurity and information security – are they subsets of one another, or indeed the same thing?
Broadly defined, information security is classified as the protection of information and information systems from unauthorised access, while cybersecurity is the ability to defend the use of cyberspace from cyber-attacks.
Information security is a concept more broadly understood; it’s been around for decades. The new question is this: is cybersecurity an aspect of information security related to private information stored in cyberspace? Or has cybersecurity subsumed information security altogether?
A more likely outcome is to consider information security and cybersecurity to be distinct but interdependent disciplines. While they require different strategies to maintain security, there is enough overlap that they will always need to be considered in tandem through an integrated approach.
A Human and a Computer
Frederick Chang, former Director of Research at the US National Security Agency, outlines this definition of cybersecurity and the need for an interdisciplinary solution:
“Humans must defend machines that are attacked by other humans using machines. So, in addition to the critical traditional fields of computer science, electrical engineering, and mathematics, perspectives from other fields are needed.” [2]
The cyber hacker is an elegant breed of criminal, trading in digital heists such as “espionage, disinformation, market manipulation and disruption of infrastructure, on top of previous threats such as data theft, extortion and vandalism” [3].
To defeat a human threat, cybersecurity strategies need to be as intelligent, dynamic, and creative as their opponent. This requires holistic solutions across interconnected systems, and drawing on insights from experts across a broad network of disciplines.
Cyberspace Confidentiality
In an extensive study [4] conducted in 2017, researchers reviewed a number of stakeholder issues and came up with this definition of cybersecurity:
“The approach and actions associated with security risk management processes followed by organizations and states to protect confidentiality, integrity and availability of data and assets used in cyber space. The concept includes guidelines, policies and collections of safeguards, technologies, tools and training to provide the best protection for the state of the cyber environment and its users.”
By this definition, cybersecurity can broadly be considered the sum total of all strategies and systems required to defend the integrity of all confidential information held by a given institution.
Mapping the way forward
As businesses venture further into the digital world to maintain relevance, they expose themselves to an ever-increasing number of cyber threats. A holistic plan for cybersecurity management is absolutely essential.
In 2014, McKinsey [5] proposed four structural hurdles that companies face in addressing cybersecurity holistically:
A – Certain levels of Cybersecurity risk are inevitable
B – Implications of Cybersecurity are pervasive, spreading into every aspect of the business
C – Cybersecurity risk is difficult to quantify
D – It’s difficult to change user behaviour
Cybersecurity risk mitigation requires strategists to find a way to outrun a foe that is undefined but omnipresent. It’s the Little Dutch Boy syndrome of the business world, only cybersecurity analysts never run out of vulnerabilities that need to be plugged. Organisations require holistic systems, managed by strategic individuals who can implement dynamic changes to address a myriad of threats.
Moving away from viewing cybersecurity as a technology risk and recognising it as a business risk doesn’t have to be an insurmountable task. Cybersecurity is a team sport, not a job description, and a comprehensive cybersecurity strategy will touch every aspect of an organisation, including IT, employee training, and security policies.
A Case Study in Cybersecurity Agility
Telstra is an industry beacon in cybersecurity innovation. One of Australia’s leading telecommunications and technology companies, Telstra was nominated in 2017 for the Cybersecurity Project of the Year [6]. Their guide to success? A company playbook entitled Telstra’s Five Knows of Cyber Security:
- Know the value of your data
Understand the true value of your data – not only for your company, but for those who want to steal it.
- Know who has access to your data
Know who has access to your data at all times, both internally and externally, and who has administrative rights.
- Know where your data is
Where are you storing your proprietary data? Is it stored locally, or in the cloud? How is it maintained, and can you trust service providers to protect your data from third parties?
- Know who is protecting your data
Who holds the keys? What processes do they follow to protect your assets, and how easily can you reach them when a breach occurs?
- Know how well your data is protected
What systems and processes are employed to protect your data? Are the security measures adequate, and updated regularly to combat new threats?
Telstra found a model that worked for them, and it delivered. Coming to terms with the indeterminable nature of the cybersecurity beast can help CEOs find a business-wide strategy to shore up their own vulnerabilities.