Page 47 - the SyI Quarterly

Cyber Updates

There is only security, everything else is stamp collecting

By James Bore CSyP MSyI

Ernest Rutherford once said (allegedly) that physics is the only true science, and everything else is stamp collecting. This quote has been attributed to a number of people, and I am horribly misquoting it in this article, but there’s an important ring of truth when we talk about security and cyber security.

There’s a view which occasionally comes out in the information and cyber security domains that these areas are somehow special and unique in their own way. While it’s not entirely untrue, it misses some key points about how we should approach security and what it is for.

Once at a conference Jon Moss of the British Bodyguard Association made a comment that has resonated with me ever since, guiding my approach to cyber and information security: “Security is the protection of assets from threats”. This is a very broad definition of what we do, but it holds true as much for cyber security as it does for information security, physical security, bio security, food security, or any other area. Over the years I’ve made my own little addendum to this concept by adding that the threats are always going to be human, and the assets we are really trying to protect are also human. Sometimes, these are the same humans.

This is something that we can lose track of in the cyber security domain with so much focus on the technology piece, with areas such as penetration testing and red teaming narrowed so much onto the technology that’s involved. Ultimately though, the technology is purely a way for those threats (people) to connect to and attempt to cause harm to assets (also people). These attempts may be malicious, they may be down to negligence, they may even be well-intentioned mistakes made because of the complexities of those connections, but ultimately we are always dealing with people at both ends of the equation.

When Rutherford (supposedly; while he’s been cited as saying it, no actual source has been found) said that anything other than physics was stamp collecting, I choose to believe he wasn’t being dismissive, but instead saying that physics is at the root of all sciences. Chemistry, biology, and any other science ultimately are different levels of the study of physics, applied to different domains where we need to use different levels of abstraction and different collections of knowledge to understand those physical models in a useful way.

This applies equally to security. If we are looking at technological security, whether we call it cyber security, information security, technology security, or anything else, we are applying those same fundamental principles in other domains. There may be specialist knowledge needed, but the principles we are trying to apply to protect assets from threats are ultimately unchanged by the domain we are working within.

Recently I was speaking with Philip Grindell MSc at a Security Institute event, and he also put forward this idea. One of Philip’s specialties is in stalking, and his team see no difference between physical and cyber stalking. In the modern world someone can be harassed and followed as much through their online presence as through their physical one, and separating these two as distinct areas requiring different expertise is falling into a trap where we split our efforts instead of acknowledging that ultimately the goal is to protect an individual from unwanted attention and interference in their life. Whether a computer or a painted sign is used to harass them makes no difference to the ultimate aim of the attacker; it still causes harm to the asset we are looking to protect.

I won’t argue that cyber security does not require specialised knowledge; it does. You must have some understanding of the potential of technological tools and how they connect people in novel ways, distinct from the physical connections we have, to understand how to apply those fundamental principles of security to technology. Ultimately though, we are still seeking to protect assets, whether people or organisations, from threats, again whether they are people or organisations.

At the root of this is the outdated idea that technology is somehow special and unique, that it introduces new threats which have never been considered before. My own view is that this is a dangerous concept to adhere to. If we were dealing with safety rather than security we might want to consider environmental threats, and many security frameworks do take these on board, but if we look at the basic principles of security, threats outside of safety have an autonomous cause, and unless we face an alien invasion or development of strong autonomous AI (unlikely to ever happen, all current AI is simply application of models at the direction of humans) all autonomous threats which can actively work against our security controls are human, and we have to deal with them following the same principles regardless of the domain we are operating in.

