Sometimes ambiguity has power — the power to capture the zeitgeist of a movement, culture, or vision without getting dragged into the weeds about what really is or isn’t included; it provides time for an idea to crystallize, become defined, or reach critical mass.
That somewhat arcane opening paragraph sums up where I feel we are with regard to the term "cyber." We all know that it has crept into the security and risk (S&R) lexicon over the past few years, but, by managing to avoid clear definition, it’s become all things to all men — a declaration that “information security is different now” without quite saying how. Think about it: if the US Department of Defense and the standards body NIST aren't aligned on their definitions of cybersecurity, how can we expect CISOs and business execs to be?
I have spoken to numerous S&R leaders recently, and, although there was a fair amount of discord, the CISO of one global financial services organization best summarized the prevailing perception:
"‘Cyber’ is something coming from the Internet attacking our infrastructure assets. We're not classifying internal incidents as cyber, otherwise it makes no sense for us to have another word for something that is a classical security incident. It's about the external and internal distinction."
Cartoon included by kind permission of http://www.kaltoons.com/