Is Cyber security only for techies?

Akash D
May 10, 2021

Always start with imagery

What do you visualize when you hear the words ‘hacker’, ‘cyber attack’, ‘cyber security’?

Send claps and kudos my way if your imagination included one or more of these: a hoodie, multiple monitors, lines and lines of code, geeks pounding violently on invisible keyboards. As much as I like to take pride in this accurate prediction, it honestly doesn’t take a Sherlock to figure this out. Something that’s as ‘elementary’ (read it in Benedict’s voice) and apparent as this must have some credence to it, mustn’t it?


Setting the context

Before getting into the meat of the topic, let’s skin the context the right way. What is cyber security? What’s in scope and what’s out of scope? Cyber security is the protection of your computer, its network and thus, ultimately, the digital asset, the data, that resides on it.

This means that everything that’s digital and needs to be protected is within cyber sec’s remit (simply put). Therefore, rightly so, cyber security is also called computer security. Now, you might assume that we have already arrived at the answer to our title question. No, not yet. Hold your horses, cowboy!

Evolution of cybersecurity

I agree that it might look quite intuitive to state that you need to understand how something works before you can protect it. This would have been true of cyber security had we still been in an era where IT security was all about keeping the computers up and running so that the business’s applications run. An era where IT and technological problems were just operational risks. As much as we would love those simple days, we are cruising through an era where data, identity, business and brand are becoming more digital with each passing day.

Today, IT and computers are not just enablers that reduce manual work in achieving the bottom line (money); they are becoming the bottom line (cryptocurrencies, duh). Thus, the security of your computer/digital space now has implications that go well beyond mere downtime. These could be financial implications (loss of revenue or customers’ money), legal/regulatory implications (fines, lawsuits, etc.), and reputational and market implications, besides the operational challenges.

To summarize, the implications of cybersecurity are no longer confined to just technology.

You can’t always outsmart your adversary

In the movie of cybersecurity, there are good guys who are trying to protect cyberspace, and there are bad guys who are trying to exploit it to their advantage, leaving a trail of victims along the way. As much as we are used to seeing the good guys as the protagonists and inevitable winners, and want to, reality is indifferent to any moral compass. The good guys can be defeated by the bad guys or, much worse, may end up with a non-pivotal supporting role.

Had cybersecurity been a game where only technical prowess mattered, the good guys would be left to constantly outsmart the bad guys in an eternal loop. This is ineffective and impossible. A seat-of-the-pants approach is never the best approach when the stakes are as high and as wide as they are with cyber security.

You can very well have a team of the Elliot Aldersons of the world (watch Mr. Robot, if you haven’t), but you still can’t always protect your organization’s entire digital estate.

The best we (the good guys) can do is to strategize our security program to reduce our attack surface/exposure as much as we can. We should also be prepared for doomsday with well-equipped continuity plans and a legal response. Don’t you think these are beyond technology?

Cyber Security’s a risk type (end of the day)

In an ideal world, assume we can write hack-proof code and surround it with an impenetrable perimeter. For the heck of it, let’s also go ahead and assume that everyone is 100% security aware. Well, no more cyber attacks and happily ever after, right? Nope.

Just because something is possible doesn’t mean everyone is going to do it. Why? Even security-aware folks can be lazy (they might end up in our supply chain and screw us over, but that’s not relevant to our topic here), or there is no ROI in such an expensive endeavor. Yes, in reality, security is all about cost-benefit.

Technically, there might be a best solution for protecting an asset. However, as long as it doesn’t make sense economically, that solution is never going to see the light of day. Cyber security programs start with a risk assessment, which defines what to protect, how much effort to spend, and what the performance metrics are. Again, a little outside of tech, no?

Conclusion

These are just a few reasons, from my limited perspective, as to why I must say that cyber security is not just for techies.

There is no doubt that cyber security runs on the clockwork of technologies, and thus technical expertise is crucial here. It’s just that we have to acknowledge that it has evolved and grown out of its silo to be integrated with the bottom line of businesses.

All that being said, we are protecting digital assets here, so the technical context of what is being protected and how is the bare minimum. For example: not all of us need to know how to implement and configure encryption, but we should at least strive to know how it differs, functionally, from hashing.
