The Value of Cybersecurity for your business
Cybersecurity began simply as security in the early days of the Internet. It wasn’t well understood and, unsurprisingly, was regularly confused with traditional security: defenses up, guards, and gates. Soon it was referred to as information security, but as the Internet morphed into Web 2.0 the term cyber entered the lexicon and was quickly embraced by the information security industry.
Interestingly, the transition to cybersecurity ushered in a new focus on technology, and the market responded with an explosion of cybersecurity products. Countless options to address every possible scenario materialized, but challenges remained as threat capabilities and business demands evolved.
Nonetheless, by any name cybersecurity can be summarized as the controls that protect assets from threats. The key for security professionals is ensuring a balance between the effectiveness of controls relative to threat dynamics, changes in asset characteristics, investments and resources, risk management, business expectations, compliance, scalability, and, of course, usability. Not that perfect security exists, but the closer you try to get to it, the more costs skyrocket and the more the ability to use the environment in a meaningful way diminishes toward zero. Of course, the opposite is also true. With virtually no security the system is extremely usable, including by people and processes that you don’t want using it.
What makes cybersecurity so challenging is that everything is moving, changing, and evolving at a breakneck pace. The threat and business environments are very dynamic, making it difficult to maintain clarity on the effectiveness of controls that are themselves changing as security professionals work to synthesize and integrate dozens of disparate technical solutions. In a cruel irony, when cybersecurity is doing its job well it is virtually invisible to the business and user community. Only when things go wrong does it come to the forefront.
The dichotomy between the invisibility of cybersecurity’s value and the white-hot spotlight of perceived failure is one of the greatest challenges for businesses. Unlike many aspects of the business, returns related to cybersecurity are exceedingly elusive. Very early in the evolution of security the term ROSI (“rosie”), Return On Security Investment, emerged, only to be crushed under the weight of business realities. Ever since, the cybersecurity industry has worked to show value and need, mostly through “FUD” (fear, uncertainty, and doubt), which interestingly was the birthplace of penetration testing.
From those ashes a few focused on business enablement as the core differentiation to the business. It challenged the security industry to find ways of integrating security in a manner that promoted key business charters, such as quality, time to market, customer satisfaction, and the like. While this was as challenging as ROSI, the underlying value of cybersecurity to the business took a turn in 2012. In that year Reveton surfaced, arguably the first ransomware that used cryptocurrency as a form of payment, completely obliterating the challenging process of monetizing hacking. Seemingly overnight every business was under attack, not because they were attractive to a particular type of threat or had something specific of value, but rather because there was a method to extract money.
Fast forward to today. Businesses are faced with an incredible array of cybersecurity challenges, any one of which could represent a devastating and potentially business-ending event. Add to that compliance demands, legal and insurance requirements, remote workforce, globalization, expansion of third parties and supply chain complexity, and, of course, digitization of the business, and the need for and value of cybersecurity have in many ways come full circle. Cybersecurity’s value to the business is ensuring the balance of controls to protect what matters. Not surprisingly, that is far easier said than done.