Cybersecurity: Is This All There Is?
Over the last decade, the scope of the cybersecurity function has become bigger and bigger, while the focus of the cybersecurity industry has narrowed to a single concern: external attack detection and defense.
It used to be called “Information Security”, when principles like the C-I-A triad, and least privilege, and defense in depth were all part of the function of the security team. We cared about external attacks, but also insider threats, configuration mistakes, technology use that safely enabled the business, and interdisciplinary organizational culture. When we talked about third-party risk, it wasn’t only about how much cyber insurance they had in case they were attacked. It was about how resilient their IT stack was, and their operational business model.
Now, when we talk about Cybersecurity, it is about protecting against and identifying cyber attacks.
That’s it.
Security, whether you call it cybersecurity or information security, is a “wicked problem”. It is resistant to resolution, and cannot be solved by simplistic and immature thinking. But our collective thinking is getting more and more focused on one thing, simplifying for the sake of easy messaging. A messy problem to be cleaned up.
When the recent CrowdStrike outage occurred, we were quick to say “this isn’t a…