Page 46 - the SyI Quarterly
P. 46
Cyber Updates
Recently I was speaking with Philip Grindell MSc at a Security Institute event, and he also put forward this
There is only security, everything idea. One of Philip’s specialties is in stalking, and his team see no difference between physical and cyber
stalking. In the modern world someone can be harassed and followed as much through their online
presence as through their physical one, and separating these two as distinct areas requiring different
expertise is falling into a trap where we split our efforts instead of acknowledging that ultimately the goal
is to protect an individual from unwanted attention and interference in their life. Whether a computer or a
else is stamp collecting painted sign is used to harass them makes no difference to the ultimate aim of the attacker, it still causes
harm to the asset we are looking to protect.
I won’t argue that cyber security does not require specialised knowledge, it does. You must have some
understanding of the potential of technological tools and how they connect people in novel ways, distinct
By James Bore CSyP MSyI from the physical connections we have, to understand how to apply those fundamental principles of
security to technology. Ultimately though, we are still seeking to protect assets, whether people or
Ernest Rutherford once said (allegedly) that physics organisations, from threats, again whether they are people or organisations.
is the only true science, and everything else is stamp
collecting. This quote has been attributed to a At the root of this is the outdated idea that technology is somehow special and unique, that it introduces
number of people, and I am horribly misquoting it new threats which have never been considered before. My own view is that this is a dangerous concept
in this article, but there’s an important ring of truth to adhere to, if we were dealing with safety rather than security we might want to consider environmental
when we talk about security and cyber security. threats, and many security frameworks do take these on board, but if we look at the basic principles of
security threats outside of safety have an autonomous cause, and unless we face an alien invasion or
There’s a view which occasionally comes out in the development of strong autonomous AI (unlikely to ever happen, all current AI is simply application of
information and cyber security domains that these models at the direction of humans) all autonomous threats which can actively work against our security
areas are somehow special and unique in their own controls are human, and we have to deal with them following the same principles regardless of the domain
way. While it’s not entirely untrue, it misses some key we are operating in.
points about how we should approach security and
what it is for.
Once at a conference Jon Moss of the British Bodyguard Association made a comment that has resonated
with me ever since, guiding my approach to cyber and information security. “Security is the protection of
assets from threats”, this is a very broad definition of what we do, but holds true as much for cyber security
as it does for information security, physical security, bio security, food security, or any other area. Over
the years I’ve made my own little addendum to this concept by adding that the threats are always going to
be human, and the assets we are really trying to protect are also human. Sometimes, these are the same
humans.
This is something that we can lose track of in the cyber security domain with so much focus on the
technology piece, with areas such as penetration testing and red teaming narrowed so much onto the
technology that’s involved. Ultimately though, the technology is purely a way for those threats (people) to
connect to and attempt to cause harm to assets (also people). These attempts may be malicious, they may
be down to negligence, they may even be well-intentioned but due to the complexities of those connections
mistakes can be made, but ultimately we are always dealing with people at both ends of the equation.
When Rutherford (supposedly, while he’s been cited as saying it no actual source has been found) said
that anything other than physics was stamp collecting I choose to believe he wasn’t being dismissive, but
instead that physics is at the root of all sciences. Chemistry, biology, and any other science ultimately are
different levels of the study of physics, applied to different domains where we need to use different levels of
abstraction and different collections of knowledge to understand those physical models in a useful way.
This applies equally to security. If we are looking at technological security, whether we call it cyber security,
information security, technology security, or anything else we are applying those same fundamental principles
in other domains. There may be specialist knowledge needed, but the principles we are trying to apply to
protect assets from threats are ultimately unchanged by the domain we are working within.
46
