I write and speak about this particular issue quite regularly, and it’s one that I believe is vital to grasping cyber security’s place in the world.
Especially while many people are still remote, technology has become more and more central to people’s lives, and we are talking about ways that things will or will not return to normal. As we hear about more and more cyber security incidents, each supposedly carried out by ‘sophisticated threat actors with unprecedented capabilities’, it’s time to talk about the mystique of cyber security and the problem it has with public perception.
Jon Moss once said to me, when I asked him for a definition of security, that it is the art (or science, it’s been a while and I forget which) of protecting an asset from a threat. In many security fields that is immediately clear and obvious to practitioners. In cyber security, information security, or IT security it can be muddied and hidden away. Since it’s been a while since I last wrote about this topic in the Circuit, it’s time to dust off the cobwebs and reiterate some things, as not much has changed in the field since the last time I brought it up.
Cyber security is not magic
There is an incredibly common perception, encouraged by some cyber security professionals and companies, that cyber security requires some sort of arcane, obscure, special knowledge which only a privileged few can access. This perception not only discourages people from entering the field and taking ownership of their own security, it also gives an impression that cyber is somehow outside the reach of anyone other than specialists.
With the media stories out there, thinking about cyber security is stressful for many, and the promotion of this view drives learned helplessness.
Learned helplessness is what happens when people repeatedly experience a stressful situation and feel it is beyond their ability to control. After enough experiences like this, and it doesn’t take many repeats, people stop trying to do anything even when an opportunity to change arises. Getting people out of learned helplessness is difficult, and for years much of the cyber security industry and the media coverage has been driving the idea that not only is everyone under threat, but that protecting yourself from those threats is not possible without abilities beyond the reach of ordinary people.
This idea extends to security professionals as well. Over the years I’ve had several conversations with experts in various security fields who are convinced that, while they have expert knowledge in their security discipline far beyond mine, they need to leave cyber security to the specialists.
It’s a domain, not a discipline
Security is a discipline, a skills toolkit, more about learning how to approach situations in general than about the details of those situations. The skills involved in security are applicable across multiple different domains, and all in the pursuit of protecting assets from threats. Cyber is a particular domain, an area in which those skills can be applied. All of the skills developed in other domains of security can be applied to cyber security by learning to reapply the models you use to technology.
All of this is to say that cyber security is just security applied to a poorly-defined mishmash of technology and information security. It is not special, it does not deserve to be treated as an ivory tower, and absolutely anyone can not only learn it but excel at it if given the opportunity. There’s no need to have amazing technical skills, just an understanding of how the technology can be used and what attack vectors might exist. Sure, the technical skills are useful, but they aren’t essential for individuals to take ownership of their own security, or to protect other people. Call in the specialists when they’re needed, but take the time outside of that to ask questions and learn.
Any cyber security professional who won’t help people to understand the field most likely doesn’t understand it themselves. To improve cyber security worldwide it isn’t enough to add new people to the field; we aren’t ever going to have enough, and we struggle to get companies to understand what security they actually need in any case (if you’re wondering, for the vast majority of companies the answers are ‘more than you have’, along with ‘fewer shiny technologies and more people’). We need everyone to feel comfortable when dealing with a cyber security situation, to not suffer from learned helplessness but instead to take control of their own security posture, take responsibility for their own protective measures, and ask for help where it’s
Cyber Security Fundamentals: Security and Technical Debt Collection
By: James Bore
James Bore is an independent cybersecurity consultant, speaker, and author with over a decade of experience in the domain. He has worked to secure national mobile networks, financial institutions, start-ups, and one of the largest attractions companies in the world, among others. If you would like to get in touch for help with any of the above, please reach out at firstname.lastname@example.org