The word “cybersecurity” is one of the most overused and abused terms in an era filled with hyperbole and linguistic torture. In the 90s, the word and prefix “cyber” held bad connotations around online sex and pornography more than anything else. Then again, in those days “hacker” didn’t necessarily refer to an attacker. Today “cyber” is used in much more polite conversation, but it’s still far too broad and far too overused, especially in government policy circles where “cybersecurity” is almost interchangeable with “security.” However, there is a critical way in which we might use “cybersecurity” that is both different and distinct from the rest of security in a meaningful and useful way. Before we dive into that, though, a short story is called for.
Many years ago, I visited a US Bank and was warmly greeted by a CISO who lorded over an impressive 652-person department, which he made a point of telling me twice before we reached the conference room. I was duly impressed and asked an obvious question, “What’s your overall strategy for using these people?” I learned he had “crowdsourced” all the things the department could work on and came up with a heat map of the hottest and most relevant areas. He then proceeded to show me a magnificent reference architecture.
It was at this point I had what I call my “patchwork quilt” moment because he produced an impressive Escher-style tessellation in the form of a map with 64 equally weighted shapes arrayed in a quilt-like spread of projects. What should have been his moment of glory instead came across clearly with one voice that screamed “I have no idea what I am doing. In fact no one here does and I only hope this huge image dazzles with science and keeps me from getting fired.”...