Cybersecurity – A Fabricated Delusion Fixing the Wrong Problem

Guards, gates and guns are not “Cybersecurity,” but technology alone is no substitute for an effective ISO 27001-conformant information security management system (ISMS).

John B. Weaver shares his thoughts ...

With revelations of recent security breaches at Target, Neiman Marcus and elsewhere, rarely a day goes by without some blogger, TV news anchor or reporter raising the specter of Internet Armageddon. The media has latched onto the buzzword “cybersecurity” to spread fear, uncertainty and doubt. Vendors and service providers are hawking solutions of the if-all-you-have-is-a-hammer-everything-looks-like-a-nail variety. The fact is that there is no common definition of cybersecurity among all these entities, but technology is the predominant component of every one of them.

Apparently cybersecurity occurs (or doesn’t) in cyberspace; think Tron, only for business and government. We’ve heard predictions of a digital Pearl Harbor for years, the meltdown of computer networks and the end of life as we know it. Ain’t gonna happen. There will continue to be constant assaults on networked systems. Physical warfare between enemy nations as well as terrorist actions will most certainly include a digital component. But the most likely motivation for digital attacks will continue to be economic warfare and corporate espionage. And simple theft.

The recent terrorist attack on the California power grid near San Jose was initiated by the perpetrators cutting telecommunications cables that carry monitoring information to Pacific Gas and Electric (PG&E) as part of the company’s supervisory control and data acquisition (SCADA) systems. Technology has been integrated into physical security to the degree that the two are inseparable. Hacking a traditional private branch exchange (PBX) phone system has almost become a lost art with the proliferation of voice over Internet protocol (VoIP) phone systems, which move that same attack surface onto the data network. The latest closed-circuit television (CCTV) systems are fully digital HD, with the option of wireless cameras and DVRs that retain recordings for as long as disk space is available.

Guards, gates and guns are not “Cybersecurity,” but the digital components of physical security are undeniable. Access card readers, biometric scanning devices, fire suppression monitoring and other components of physical security all rely on a technological component. And to some degree they all rely on the confidentiality, integrity and availability of the information they process—in other words, information security.

A successful information security program requires a risk-based holistic view of people and processes as well as technology. An effective ISO 27001-conformant information security management system (ISMS) will provide a scalable, repeatable, measurable and defensible framework for managing risk. It is a process-based, business-oriented approach that addresses risks far beyond cybersecurity to include enterprise risk, legal and regulatory compliance, and human factors as well as firewalls, networks, servers and databases.

John B. Weaver is president and CEO of JBW Group International with 25 years’ experience in stopping and catching bad people.