Why You Need To Add "Cyber" To Your Job Title

Sometimes ambiguity has power — the power to capture the zeitgeist of a movement, culture, or vision without getting dragged into the weeds about what really is or isn’t included; it provides time for an idea to crystallize, become defined, or reach critical mass.

That (somewhat arcane opening paragraph) sums up where I feel we are with regard to the term "cyber." We all know that it has crept into the security and risk (S&R) lexicon over the past few years, but, by managing to avoid clear definition, it’s become all things to all men — a declaration that “information security is different now” but not quite saying how. Think about it: If the US Department of Defense and the standards body NIST aren't aligned on their definitions of cybersecurity, how can we expect CISOs and business execs to be?

I have spoken to numerous S&R leaders recently, and, although there was a fair amount of discord, the CISO of one global financial services organization best summarized the prevailing perception:

"'Cyber' is something coming from the Internet attacking our infrastructure assets. We're not classifying internal incidents as cyber, otherwise it makes no sense for us to have another word for something that is a classical security incident. It's about the external and internal distinction."

Cartoon included by kind permission of http://www.kaltoons.com/

What has been interesting is seeing how many S&R job titles are being revisited to include "cybersecurity" alongside information security; in some cases, it even replaces information security altogether. At first glance, this may appear to be a trivial rebranding, merely putting lipstick on a pig, but it’s not; this role redefinition is actually an astute move by S&R professionals. They are:

  • Rebranding for alignment. Although many S&R professionals dislike the "cyber" label, feeling that it’s just a new word for an existing practice, it's undeniable that the wider press, regulators, and governments have latched on to it. At this stage, any reluctance to adopt the term is potentially damaging to your career as it could make you look out of touch.
  • Rebranding for budget. Few board members have managed to avoid the concept of cybersecurity; it is repeatedly thrown at them from the pages of the financial press, government agencies, and industry regulators. They know it’s a big deal, but, due to its lack of clarity, they are often unsure where their firm stands. This is a great opportunity for a cyber-aligned CISO to review the strategy and highlight key areas of risk for focus and investment.
  • Rebranding for talent. It’s undeniable: "Cyber" is sexier than "information security" — one CISO we spoke with found as much when trying to recruit new talent. However, by rebranding the roles and highlighting the "cyber" aspect, he managed to make the roles more appealing to recent graduates.
  • Rebranding for customer trust. In an age when security breaches are immediately visible and customer trust is closely associated with brand reputation, it is simply good marketing to demonstrate to your customers that your firm recognizes the importance of data security, understands the current threat landscape, and is doing something about it. One way to communicate that your firm is on top of these issues is to ensure that key individuals have visible accountability for "cyber" — and what easier way to do that than by including it in their job title?

Like it or not, "cyber" is part of our language now. It encapsulates an innate fear that capable, external attackers can steal our customer data or take our critical systems offline at will. As security has become more visible and more of a concern to customers and board members alike, S&R professionals need to use all possible techniques to ensure that they are seen to be fighting the good fight in every way possible. If tweaking your job title helps, then do it.

Comments

Framing

As a person who's been involved in security for many years, I hear the word "cyber" and cringe. Gestalt: when you say "cyber" in my gut it feels as if you're 70 and just watched a Sandra Bullock movie. I cringe because I dread you might follow by talking about lasers and time travel and the Borg.

That said, the author is correct: this word works, and it's weird. It's really weird, but I've come to think of it as a linguistic "gateway," using the definition of "gateway" that comes from the networking world, where protocols are converted as they cross a certain threshold.

"Cyber" is one of the words you use when you need to succinctly convey to senior management that this is super important. And maybe futuristic, like time travel and lasers. Maybe it is a "you're 70" thing. But it works.

I thought this article nicely captures the framing topic regarding cyber this or that:

http://www.newyorker.com/magazine/2010/11/01/the-online-threat

I am happy to find this post

I am happy to find this post and it is very useful for me as it contains a lot of information.
Thanks.

Information Security / Cyber security

I think Information Security is different from Cyber security. We cannot mix both domains; maybe connect both worlds.

Cyber Security Acronym

I really enjoyed this article. I do not mind the word Cyber Security, as it denotes security at the highest level in my opinion, and yes it sounds a little bit cooler than Information Security. I feel it actually encompasses all of information security, physical security, application security, forensics, intrusion detection and prevention, CSIRTS, etcetera when packaged as an overall Security Plan.

Why do I feel it is all encompassing? Due to the broad range of threats from both insiders and external entities businesses face in today's marketplace, anyone connected on the Internet can easily glean useful information from any corporation or government today, and not always for the right moral or ethical reason, but to damage a company's reputation, product, financials, or even steal information, and in some cases just access systems and data to prove a point.

I think today, it is all of the employees' responsibility to play a part in Cyber Security and that organizations should provide security training and awareness for the company’s entire workforce. This has to have a top down approach, and those who are dealing with these security breaches in the trenches should receive advanced training, and certifications in this field.

What acronym will they apply to this field in 20 years?