'Cyber' Security - It's a Myth

We keep mentioning 'cyber-security' as a term. Something I have been guilty of in the past as well.

In the news, it is up there with 'GDPR' and 'Blockchain' as one of the latest and greatest buzz words (my new company name will be 'GDPR BlockChain Cyber Security A̶n̶a̶l̶y̶t̶i̶c̶a̶* OÜ/Limited' - Billionaire in no time.)

However, it is not a thing. Cyber-security, cyber-warfare, information security... they are all aspects of the same old problem.

In allocating the prefix of 'cyber' to this concept, we think that the security of our data and IT systems is somehow on another plane of existence - and that is just dangerous. Our world and the world of Hackers, the dark web, and other nasty threat actors are in fact on the same planet.

We are not in the 1995 film 'Hackers'[1] (it's just terrible - don't watch it).

Because we separate it into its own special category, we sometimes focus on the wrong priorities when securing our data & systems. Buying in technology can help to mitigate some of the threats, but it does not stop all of them.

In order to actually improve the security of your valuable information, you need to have a whole organisational approach. You need to find out what information is out there about your company; from leaks to details that can be established from Open Source Intelligence gathering techniques against you. You need to know where your information is within your organisation. Who else has your data? How sensitive is that data? How is it stored? Who has access? These are just some of the basic questions you have to ask.

You need to make sure your staff are aware of the threats (hint: train them with a focus on IT security in their personal lives rather than on the company policy; the separation between your work and your personal life is another myth. We have all checked our email at work, or accessed social media, or accessed eBay. Most companies have BYOD policies, so you have access to your work documents and email on your personal devices).

People. Processes. Policy. Ownership of systems and data. All of these need to be embedded throughout the organisation, from the Administration department to HR.

The CISO/DPO should lead by example, establishing a culture of enthusiastic security that spreads throughout the organisation, rather than a 'compliance tick box' mindset. The objective is not to become compliant with a standard; that is just a by-product. The aim is to secure your business as best you can.

Last, but not least, know this: At one point, it will go wrong. The difference between handling an incident well or badly is 'practice'. Test your processes. Test your Business Continuity Plans, and test how your board, tactical and operational teams can handle an incident. Make it a real-time exercise, and inject as much realism as possible.

There is no such thing as a perfect Business Continuity Plan, and there is no such thing as a good Emergency Action Drill. But in practising, adapting, and repeating you can achieve the best thing possible:

When an incident happens there is a clear plan that everyone knows, with a good command and control structure, with communications at the heart of your response efforts. With a board that leads from the front, and a team that gladly follows because they have all been involved in the process.

Clear. Confident. In Command.

....& In Control of the situation.

The best you can hope for.

[1] Hackers (1995 film), Wikipedia
* Maybe not that last one. Back to the drawing board......
