Cyber Security
This is cyber! so… what is cyber?
By Rob Newby

I had a call from a younger security industry peer, and we chatted about governance, risk and controls for a while. After 10 minutes or so he said: “it sounds to me like you’re from more of an InfoSec background rather than a cybersecurity one.”

InfoSec vs. Cyber

There was a time when I would have asked him to define “cyber-” as opposed to “info-”, but experience tells me that this usually draws people into embarrassed ramblings or strident declarations that I feel duty bound to chase down rabbit holes – and apparently nobody likes a smart arse.

The language does reveal something of the modern approach to security, however. The view is that Cyber is dynamic: real-time analysis of threats and attacks. InfoSec is boring: collection of asset information, impact analysis, setting of rules and management of risk.

I get it, I really do. I was a CLAS consultant for 5 years until the scheme closed in 2014, and it was used by the majority as an excuse to sit and write reams of paperwork. I always challenged that approach and spent more time turning it into pictures than was probably strictly necessary. That worked for me, and it helped to explain risk at a time when it was sorely misunderstood.

In those days (when all of this was fields) it was a requirement of government accounts that this work was done. A Senior Information Risk Officer at the Home Office would sign off my papers, accepting any residual risk I had decided was still in place after many months of design,
20 | Australian Security Magazine
assessment and redesign – all this AFTER an assessment against ISO27001 and a ListX certification for our working environment. Yes, this took years, but this was in the design, and operation was going to be monitored as per GPG13 (remember that, CLAS fans?!).

How Cyber has changed the world!

We hear it everywhere. Even President Trump knows about The Cyber; it’s frightening what his 10-year-old son can do with a computer. If only he knew. But has it really changed?

The Cybersecurity Framework

And so, to the real point of this post. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) was re-released at version 1.1 today to very little fanfare. An hour-long webcast accompanied this release, and I watched it live, avidly awaiting some deeper insights into the framework. It sounded like the release of an academic paper, written and produced by extremely clever people in lab environments, with external corporate and public-sector feedback guiding their complex and frankly ingenious thought processes.

At the development end, it excited me: they are at last looking at integration with Corporate Governance and Enterprise Risk Management. But the presentation itself was quite dry and complex-sounding.

If you are new to CSF, I will explain it in a little more detail. Conceptually, it is a way of describing all the security processes required to achieve information security within a business environment, whether that be as consultancy,