In the world of cybersecurity there are a lot of specific definitions, a kind of insider lingo whose meaning we assume everyone agrees on. Herein lies the problem: we assume, without discussing. I have ended up in multiple discussions that arose purely from different interpretations of a definition. In this post I'll give my view of one of the biggest differences in definition that I have seen, namely what we include in the term cybersecurity.
The first and easiest viewpoint is that of a business that isn't producing a digital product, neither for itself nor for its customers. Noteworthy here is that any website is acquired as a product from a third party, so no product development is performed in house. In this case the full extent of cybersecurity is to ensure that the IT environment does not get breached. This means a focus on raising security through configuration and security products, as well as ensuring that you can trust the products provided by your suppliers.
Next up we take the viewpoint of an Anything as a Service (XaaS) provider. In this case you develop a digital solution and manage the data of your clients in your own IT environment. This includes both traditional software companies (such as Google) and organisations that build software to better serve their clients, e.g. the local sports team building an e-shop to sell tickets online. Now there is an extra focus on ensuring that the in-house software contains neither vulnerabilities nor malware, since either can have an impact on both the company itself and its customers.
For a company that provides software that is run purely in the environment of its customers, the emphasis might shift further toward providing software without malware, since the direct impact of a vulnerability in the product is lower for the vendor itself, while being the vehicle of a supply chain attack would be devastating.
With these viewpoints we note that your needs might vary, and once again we see the risk of confusion from reading different things into the word cybersecurity. I've been guilty of this myself: as someone who has worked close to vulnerabilities throughout my career, I've had a focus on application security and delivering software without vulnerabilities. But that is just a small part of the field of cybersecurity.
But which part of this is most important? That is up to each organisation to decide. However, for a general answer we can look to the statistics. IBM has provided a report on the Cost of a Data Breach that can be used to gain some insights. In this report we see that the most common initial access vectors (the entry points for bad actors) are still human related. The two most common are phishing and stolen or compromised credentials. If we combine known vulnerabilities and zero days (vulnerabilities not yet disclosed or patched) we end up in the same range. My conclusion is that the focus we have had on vulnerabilities in the cybersecurity industry has paid off, and it is now easier to exploit the humans, where the technical protections have not kept up.
Summary
Cybersecurity can be difficult to discuss because of its different meanings. One way to break it down is into the following three focus areas:
- Ensuring that your own internal IT environment doesn't get breached
- Ensuring that delivered products are without vulnerabilities
- Ensuring that delivered products are without malware
Depending on your organisation the priority of these might change, and one might affect another. Regardless, you need to understand which part or parts of cybersecurity are relevant to you and your customers. If not, you might be spending your money without protecting what's important.
Lastly, we have to normalize discussing the definitions of what we are talking about. Sometimes it's not enough to ask whether someone knows a term; we also need to confirm that we agree on what it means.