This week’s post is written by George Platsis, the newest member of SDI’s cyber team. George focuses on human factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas.  Here he raises an interesting question.

Often, how you characterize a problem will determine your plan of attack to solve the problem. To illustrate, I often use this example with both clients and friends.

If I were to ask you: “How long can you and your business survive without your computer?” your answer would likely be something along the lines of “I need my computer to do everything!” While I suspect this is most likely true, such a response does very little for your resilience. Should such a case ever arise in your life, you would be left scrambling to find some sort of solution to keep your business operations going.

But what if I were to ask you: “You don’t have your computer for three days, a week, or even two weeks…what do you do?”  By asking the question in this manner, you are undoubtedly forced to look at the problem in a very different way. In fact, you have to look at the problem in a very different way because your survival depends on it.

The word “cyber” means different things to different people. In virtually every training session I put on, one of my first actions is to go around the room and ask people what “cyber” means to them. If I am lucky, perhaps two or three people will have a similar answer, but in most cases, the definitions vary, even when people share similar job titles and roles.

I trust that you see there is a big problem here. “Cyber” is arguably the greatest challenge we face today, yet we cannot come to a consensus as to what “cyber” is.

Let me try to unpack the “cyber” issue a different way, one that I have found to be extremely helpful and have been using recently to help people tackle their challenges. In its current state, I see the “cyber” issue actually being two separate problems, forming one overarching issue.

The first problem is network. I believe “network” as a definition is fairly self-explanatory. I also believe we can all agree that protecting the network is primarily a technical issue that requires specialized skills. Based on industry trends, the argument could also be made that the majority of “cyber solutions” are network-based. But I could also make the case that a network-centric strategy may not be in your best interests.

The second problem is information. I also believe that “information” as a definition is fairly self-explanatory, but I would argue that we do a very poor job protecting information. Protecting information could range from training your staff, to internal policies, to utilizing industry standards, to practices on how to handle sensitive documents, and physical security (though this specific issue can jointly fall into the network category as well).

When you put these two pieces together, I characterize this as a data security issue.

I do not see many “cyber solutions” that properly address the “information side” of this problem. The key to solving any problem is asking the right questions. I am confident that unpacking the problem into two distinct problems– network and information–will lead you to the best solution for your needs.

March 7, 2017

See George’s previous post, How Do We Succeed in the Cyber Security Battle? Episode III – Making the Business Case: Where Does Your Money Go?