Or why does cyber get all the best tunes?
Blacksmiths Group
Threats | Insider Risk | Cyber Security | Security Management | Security Skills Training
When I entered the workplace in the 1980s ‘cyber’ was barely a word. It existed only in the realms of scientists and science fiction writers. But security certainly was a word, and the range of threats and threat actors was much the same as it is today. The focus of our efforts then was on physical security protection and above all on people and their behaviour.
The authors of a recent Slate article argued that “the word cyber now means everything—and nothing”. I can’t help agreeing. But empty terminology doesn’t mean empty pockets. In 2021, Polaris Market Research estimated that the global value of the cyber security market was USD 217.65 billion, and set to rise by around 10% each year. And it has become pretty difficult to find a major security company which does not have ‘cyber’ in its name or in its elevator pitch, even as such companies intone the values of ‘security convergence’ and ‘holistic security’.
Perhaps this is not so surprising. There is no denying that modern use of information technology has opened up a raft of new avenues of attack that were not available to threat actors back in the 1980s. But as recent physical sabotage attacks by Russian intelligence against German military and civil infrastructure demonstrate, cyber is not the only game in town, even for threat actors with sophisticated cyber capabilities. When reviewing the risk registers of our clients, I am struck by how often insider risk is filed under ‘cyber’, even though insider risk relates to the potential for humans to do harm across the full range of domains, both physical and virtual.
Digital, Physical and Human
I think we need to resist the use of the word cyber to co-opt all areas of security management under a single (cyber) umbrella. This is not just the peevish gripe of an old fart brought up in the ancient traditions of security management. Rather, it stems from the observation that an increasingly single-minded focus on ‘cyber-threat’ is driving a belief that technology-based threats can only be combatted by technology-based solutions, a belief which in turn is leaching into approaches to non-cyber threats. In Blacksmiths, we often see companies deploying shiny insider risk technologies which on the one hand reduce insider risk by increasing detection, but on the other, increase it by exacerbating employee resentment and distrust.
Latterly, parts of the cyber world are grudgingly acknowledging the importance of thinking about more human-centric approaches to security and insider risk and are starting to talk about ‘human risk management’. The idea is a welcome one, even if the terminology used still places implicit blame on the human, harking back to the bad old days of humans as ‘the weakest link’. Where human risk management approaches are well done, they work with the way humans actually behave rather than the way we would like them to behave. Instead of blocking and castigating, they ‘nudge’ and enable. We are starting to see some genuinely creative technology-based approaches to helping users do the right thing. And it’s worth pointing out that there is a lot here that the old school security managers could learn from.
But, to return to my theme, it’s not just about cyber. Nudging techniques and creative design can be used not just to discourage weak password creation or rash link-clicking, but also to encourage the wearing of passes, the reporting of security incidents and the avoidance of tailgating. While we acknowledge that there is a place for detection-based technologies, we like to work more holistically with our clients, helping them to ‘design in’ good security behaviours through the content of their policies and the arrangement of their physical spaces, as well as the design and use of their IT systems.
About the author
Malcolm Sparkes is a senior security consultant at Blacksmiths Group where he works alongside experts in information and technical security and behavioural scientists in order to provide a genuinely convergent approach to security challenges.
Security | Leadership | P3M | Governance | Risk Management | Travel Security | Crisis Management | Business Continuity
4 months
Couldn't agree more. While the last 2 decades have certainly brought Cyber risk to prominence (rightly), 'balance' should be the watchword when mitigating security risk - ensuring a truly holistic approach to achieving security aims.