I had a call from a younger security industry peer, and we chatted about governance, risk and controls for a while. After 10 minutes or so he said: “it sounds to me like you’re from more of an InfoSec background rather than a cybersecurity one.”
InfoSec vs. Cyber
There was a time when I would have asked him to define “cyber-” as opposed to “info-”, but experience tells me that this usually draws people into embarrassed ramblings or strident declarations that I feel duty bound to chase down rabbit holes – and apparently nobody likes a smart arse.
The language does reveal something of the modern approach to security however – the view is that Cyber is dynamic: real-time analysis of threats and attacks. InfoSec is boring: collection of asset information, impact analysis, setting of rules and management of risk. I get it, I really do. I was a CLAS consultant for 5 years until the scheme closed in 2014, and it was used by the majority as an excuse to sit and write reams of paperwork. I always challenged that approach and spent more time turning it into pictures than was probably strictly necessary. That worked for me and it helped to explain risk at a time when it was sorely misunderstood.
In those days (when all of this was fields) it was a requirement of government accounts that this work was done. A Senior Information Risk Officer at the Home Office would sign off my papers, accepting any residual risk I had decided was still in place after many months of design, assessment and redesign – all this AFTER an assessment against ISO27001 and a ListX certification for our working environment. Yes, this took years, but this was in the design, and operation was going to be monitored as per GPG13 (remember that, CLAS fans?!).
How Cyber has changed the world! We hear it everywhere. Even President Trump knows about The Cyber; it’s frightening what his 10-year-old son can do with a computer. If only he knew. But has it really changed?