What is Cybersecurity anyway? And why is it not only the IT guy's problem, but yours.

Petr Šimsa
5 min read · Jul 5, 2020

Cybersecurity. Blockchain. Internet of Things. Artificial Intelligence. Machine Learning. Big Data. Artificial Blockchain Cybersecurity Intelligence. Cool buzzwords. We are living in an awesome world heavily dependent on technologies that interact with us every single moment of our lives. Everybody talks about them. Everybody uses them. Almost nobody understands them.

I am Petr Šimsa and this is the start of my journey to increase the level of Cybersecurity and privacy in the world… or at least for a few people, for a beginning.

Why did I decide to start this blog? I work as an information security and privacy specialist and I help our clients with, as expected, information security and privacy. And I still feel a large gap and separation between Cybersecurity professionals, IT professionals and all the other professions out there in the world, aka “users”. My personal goal is to close the distance between these sides, at least a little bit.

My articles will be focused on Cybersecurity, privacy and related topics such as cyber psychology, cyber sociology, cyber law or cyber criminology (yes, the key is to put the prefix “cyber” in front of real domains that have existed for decades to sound new and cool).

Why? Because I like writing. And I want to introduce the awesome world of Cybersecurity to people professionally outside this world and help them find their way around confusing terminology such as “Threats”, “Vulnerabilities”, “Attack Vectors”, “Phishing”, “Ransomware”, “Cross-Site Scripting”, “Avada Kedavra” and other magic words frequently used by Cybersecurity professionals.

Since this is my strictly personal blog without any connection or relation to my work life (except for the topic of Cybersecurity), it will be written in my personal, sometimes non-serious and popularized manner. To avoid any discrepancy I need to declare that (mandatory legal announcement alert!): in my articles I represent strictly my personal opinions and do not express any official company statement on any topic, event or problem. Now let’s continue to the point.

During my work I am steadily confronted by the following opposing verdicts:

“Cybersecurity is the IT guy’s responsibility.” - User

and

“It is the users’ fault.” - IT guy

Who is right? Both. And no one. As we will show below.

Before we go to the definition: in theory there is a large number of “something” securities, e.g. Cyber Security, Information Security, IT Security, IoT Security, OT Security, Internet Security, Communication Security, Computer Security and other types of security. Whether or not there really are differences and boundaries between these terms in theory and in practice, for the sake of simplification let’s use only the term “Cybersecurity” here.

So… what exactly is Cybersecurity anyway?

By Kaspersky’s definition, Cybersecurity is:

“Cyber security is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks.”

A little bit more poetic definition is proposed by the US Cybersecurity and Infrastructure Security Agency (CISA):

“Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.“

And a third citation, which is not a definition but rather a statement I like, by Glenn Taylor on Avast’s blog:

“Cybersecurity is a process, not one-time solution.”

Regardless of whether we consider Cybersecurity a “practice”, an “art” or a “process”, the main goal is the same: protection of “assets”. What exactly are the “assets”? By the definition in the standard ISO/IEC 27005:2018: “An asset is anything that has value to the organization and which, therefore, requires protection.” Not sure whether that helped, but by “assets” in Cybersecurity terminology we are usually referring to:

  1. Primary Assets: usually represent the main source of value for the organization or individual and may be divided into:
    a) Information which is being processed, including financial data, business data, personal data and so on.
    b) Business Processes which are necessary for providing services or are essential for the existence of the organization.
  2. Supporting Assets: store, process or (by definition) support the primary assets. And as ISO/IEC 27005 says: “The supporting assets have vulnerabilities that are exploitable by threats aiming to impair the primary assets of the scope.” Do not worry if you are not sure yet what exactly “vulnerabilities” or “threats” are; I will cover this topic in further detail in the next articles. The supporting assets may be divided into various categories, but for simplification let’s consider these two for a start:
    a) IT Assets such as software, hardware, network etc.
    b) Non-IT Assets such as people, sites, suppliers and so on.

In simple words: in Cybersecurity we are trying to protect our data/information, our business and processes, our property (including the so-called “intellectual” kind), our health, our privacy and everything that has value for us and is related to the processing of data or to our “digital” presence.

To answer the second question from the beginning of the article: why is it not only the IT guy’s problem, but (also) yours? Let’s start with simple questions. Do you use a computer? Do you use email? Do you use the internet? If all answers were “no”, maybe Cybersecurity really is none of your business. However, in most cases I guess you are in. Think about the following situation:

Cybersecurity infrastructure:

  • Next-gen firewalls
  • Intrusion Detection Systems
  • Identity and Access Management
  • Cryptography
  • Security Information and Event Management
  • Other cool words

You

  • Password: “ilovemymom” on a sticky note on your monitor

I feel we have a little gap here.

Despite the usual understanding, Cybersecurity is not only a technology problem. Do not get me wrong, it is a technology problem, but not only. Cybersecurity is also a matter of processes, procedures, protocols and the behaviour of every part of the whole ecosystem. And of yourself. Your secure behaviour is an essential part of the success of the whole system. If you reuse weak passwords. If you wildly click every link and attachment in weird emails without any consideration. If you download software from torrents. Any of these actions may lead to the compromise of your computer and, from there, of the whole network and IT infrastructure.

You are part of the Cybersecurity system. You need to understand it. You have to take responsibility. Without you on board we can implement all these Cybersecurity controls, detection systems, data leak prevention systems and so on, but we will still have a large hole in the system. In a martial arts parallel: we perform all of the tricks, flips and Chuck Norris spinning hook kicks but cannot block a simple straight punch to the face, like that guy from the movie Never Back Down. As cited above: “Cybersecurity is a process, not one-time solution.”

On the other hand, the “It is the users’ fault” mantra of some IT or Cybersecurity professionals is the opposite extreme, and I consider this opinion highly evasive and dangerous. I have not heard many Sales Representatives blame another part of the company for not making their Sales KPIs. Yes, there are a lot of aspects we sometimes cannot influence: budgets, management decisions, different and sometimes contradicting regulatory requirements and so on. But in the end we should take responsibility for it. And if users make mistakes, we should train them. Or implement a system where they cannot make such mistakes (for example, a service that rejects a password like “ilovemymom” at the moment it is chosen, instead of blaming the user afterwards).

Ok. Now I hope we all understand what Cybersecurity is and why it is important. What to do next? That will be the topic of the following article.


Petr Šimsa

Information Security and Privacy enthusiast, book lover, martial artist, weightlifter and occasional writer.