CYBER

The Word Itself

"The cyber" entered mainstream political vocabulary around 2016 and has not left. Congressional hearings on information security produced a specific genre of question from elected officials who had received a briefing but no actual technical education, which resulted in exchanges that security professionals watched through their fingers. Vendor marketing picked up the vocabulary immediately. If you can put "cyber" in front of your product name and charge more for it, you will, and every security vendor did.

CyberSecurity. CyberDefense. CyberHygiene. CyberResilience. CyberPosture. These are not distinct things. They are the word "IT" wearing a trench coat and asking for a larger budget. The people who actually work in security — who read CVEs, who run penetration tests, who write incident response playbooks — do not say "cyber." They say "authentication," "authorization," "patch management," "your S3 bucket is public." The distance between the vocabulary used in the boardroom and the vocabulary used in the terminal is a reasonable proxy for how functional an organization's security practice actually is.

The Vendor Playbook

Every security vendor demo features a globe with red lines on it. The red lines are attacks. There are always many red lines. The globe spins. The attacks are incoming from everywhere. Only by purchasing the enterprise tier with the Advanced Threat Intelligence Module can you understand what the red lines mean and respond appropriately. The engineer watching the demo knows that the red lines are decorative and the actual product is a log aggregator with a nicer UI than Splunk. The VP watching the demo is thinking about the board presentation where they need to show they are taking Cyber seriously. These two people are having different meetings in the same room.

We need to invest in our cyber.
— A VP, to a room full of engineers who all made the same face