Is it time to drop "cyber" in security?

Cyber Threat

Just like technology, words get out of date combine the two, and you've got "cyber".

For many people, any offline element of the world can be brought online or digitised simply by plunking "cyber" as the prefix: cyber security, cyber war, cybersex, cyberspace, cyber bullying, and so on.

While that might have helped differentiate the online and offline worlds back when they felt like separate spaces, for most of us there's little gap bullying is bullying, whether it's online or off, and the same goes for security, sex, and so on. That leaves the prefix feeling outdated and unnecessary, notes Dominic Watt, a linguistics lecturer at the University of York. "What does the term 'cyberspace' mean to youth?" he says. "My guess is they'd have to think about it fairly hard."

Richard Starnes, key security strategist at Capgemini, suggested that age is one reason the word is disliked. "The term cyber security' has a tendency to make the grey heads wince a little," he suggested. "I think mainly because it's a reminder of our age we remember a time when it was information security'."

The prefix "cyber" has older origins than many may realise, popping into modern use with robotics and the word "cybernetics", notes Oxford Dictionaries, from the Greek word "kubernetes", meaning "steersman". The word's use in robotics, engineering and computer science gave it a "futuristic sheen", so when computing took off in the 1960s, and the web arrived in the 1990s, it felt the best way to describe these new technologies.

"A lot of times a concept is described in science fiction decades and decades before it's realised, and so there's a ready-made word right there," Watt says. "And I think that's been the case with the 'cyber' prefix."

An alternative did pop up: the "e" prefix, thanks to email. However, that doesn't attach itself so well to other words as cyber, as it would be confusing to refer to "e-war", "e-sex" and "e-security" meaning there is a worse way to phrase the idea of online attacks than cyber security.

That also means we can kill off "cyber" plenty of words die off, particularly in a fast-moving industry such as technology, with Watt comparing it to the cycles of words in slang and other specialist vocabulary. "High tech is just the latest edition of it," he says, predicting the prefix "cyber" will slowly fade into less frequent use.

Cyber isn't alone as an odd tech-themed language creation. Plenty of other tech words simply feel silly to say or obfuscate the real meaning. Dongle, for example, has been the subject of amused debates searching for better ways to describe a thing you plug into a computer without sounding like you're making a reference to male genitles. Cloud has been criticised as a bad metaphor for years, and "phablet" was dubbed the worst word of the year in 2013. Those lexical inventions are "very jokey and wry", reflecting the laid back attitude of Silicon Valley leaders, Watt suggested.

Sometimes it's more serious, with newswire the Associated Press changing how it describes digital security incidents, saying journalists should avoid the word cyberattack but not because of the word cyber. Instead, the phrase should only be used for incidents that cause "significant and widespread destruction". The idea is that an attack between nations could spark a war, when (so far) hacking conflagrations between countries are nowhere near an attack on par with firing missiles or a ground invasion.

A better word is possible

Here on IT Pro, we often use the word "cyber security" it's a topic that comes up frequently, after all and the discussion of attacks and the digital infrastructure to prevent them is perhaps one of the last bastions of the otherwise outdated prefix.

While we could easily change our style guide to ban "cyber", instead we asked the security industry how much they use the word "cyber" inside their companies and what they'd suggest as a replacement, be it returning to "information security", adjusting it to a more modern sounding but limiting "online security", or something else.

Dr Guy Bunker, SVP of products at Clearswift, says his employer still uses the word, but agrees it can be confusing. "There is no single solution, a silver bullet, which solves the problem of cyber-security and all too often vendors appear to claim they can do this which can make it appear confusing, especially for smaller businesses who dont necessarily have the resources or the skills required to implement comprehensive cyber security."

"At VendorMach we don't use that term because it's too broad," says CEO of the AI fintech platform, Chaney Ojinnaka. "Every company that tackles cyber security is actually doing so in a very niche way or area and that's what makes us experts in our field, so the term cyber security is misleading because it's an umbrella term. We prefer 'data protection' or in our case as a more specific term we use 'supply chain resilience'."

What's a better term, then? "Personally, I much prefer using the term IT security', because it grounds the topic far more effectively," says Johan Dalnert, CMO of BehavioSec. "Breaking it down to a specific sub-topic, such as online fraud, for example, is also a better way to communicate the issue at hand, without getting lost in a world of jargon."

"I feel a better tag for all this is Digital Technologies Security (DTS), which can encompass not only technology (devices, application development, network components etc.) and information, but also compliance and user awareness," suggested Kevin Eagles, enterprise security architect at Capgemini.

Or, we could keep it simple. "Perhaps the best alternative is also one of the simplest," says Steven Allen, senior security consultant at Capgemini. "How about just calling it security'?"

Rashmi Knowles, field CTO at RSA, agrees. "The aim is to secure businesses; it's not really about cyber', or IT, it's about managing business risk," she argues. "By prefacing security with cyber, it can appear to be a problem that IT can solve and manage, which isn't the case. The ramifications can have a serious impact on business and the organisation as a whole needs to be on board with understanding and managing that risk.

He adds: "The fact is that a cyber' attack, is an attack. While in the old days a bank robber would hold up a branch with a gun, now they take on the whole network with a laptop, [but] a crime has been committed all the same."

In defense of cyber security

Andrew Clark, EMEA director for One Identity, argues that "cyber security" as a term is "more meaningful today than it ever has been" even going so far as to describe it "on trend" enough to be used in the name of new government bodies (the National Cyber Security Centre) and as a catch-all term for the discipline.

However, he admits that other niche terms are more important when it goes to getting real work done. "So, while cyber security is still a relevant term provided it's only used as the title slide when the CISO presents to the board, beyond that, each organisation needs to assess its risk and decide which area of cyber security it should be focused on to ensure the organisation is more secure tomorrow than it is today," he warned.

Thomas Owen, head of security at cloud firm Memset, is annoyed by the whole debate.

"The cyber, yay or nay' debate is one of my pet hates," he argues. "Security practitioners of all stripes are already often crippled by an inability to communicate complex but increasingly critical concepts to those around them; becoming clannish about terminology is just going to make matters worse."

It simply doesn't matter what we call cyber security, he says. "Let's call security in general a potato' if it'll help spread understanding and gain organisational support," he says, arguing that it's a little unwieldy to use it's full description, which it says should be: "really important thing that can help the business (economy, society, nation, etc.) stabilise and grow".

He adds: "I'll be glad to call it a potato' if you'll understand my point and give me more funding." We're not sure "potato" will catch on, but we're willing to give it a go.

In the end, whether it's called security, we use "cyber", or rename it entirely (perhaps not after a vegetable), what's key is that we all know what each other are talking about. "Many cyber security terms are still debated to this day, but the same applies for a number of other terms around the topic. Ask any ten people what a hacker is and you will get ten definitions," notes Capgemini's Starnes. "Regardless of the term used however, as long as everyone understands the definition, it doesn't really matter."

While "cyber" may be a dated prefix, it has the benefit of being understood by a wide, non-technical audience, notes Dr Bunker of Clearswift. "Cyber" is part of the fabric of our terminology. Far from being something only IT people and geeks have heard about, everyone knows about cyber, cyber attacks, data breaches and so on. It would be better to increase awareness around strategies to deal with the cyber threat.

Nikolay Grebennikov, VP of engineering at Acronis, agrees. "The word 'cyber' is easily understood by the general population and when we want to reach users with a simple message, we need to use the language they understand."