Cyber: Back to the future

By Colin Lobley on July 17, 2014

The word “cyber” stems from the ancient Greek word “kybernetes,” meaning “to steer.” Originally used in a nautical context—to guide or steer a boat—it quickly evolved (thanks to Plato) to embrace the wider concept of governance—“steering a society”—and was used in the context of central government control.

Just under 200 years ago the term still stayed close to its original meaning. A.M. Ampère used the word “cybernétique” in 1830s France to mean “the art of governing.” If the articles I read are to be believed, the term only appeared sporadically in works on political theory and the science of governance until 1948. That year, Norbert Wiener wrote a book titled Cybernetics and “cyber” started to gain momentum.

In his book Wiener described cybernetics as “the scientific study of control and communication in the animal and the machine.” By that definition, cybernetics is a multi-disciplinary approach to exploring the question “what does this thing do?” rather than “what is this thing?” so we may better understand and modify our world.

From the 1940s we move to the 1980s, where “cyberpunk” film and literature introduced the futuristic concept of the merging of man and machine. So the IT-centric use of “cyber” was born.

On to the heady days of the 1990s; the dawn of the Internet era. This decade saw an explosion in the use of IT. The word “cyber” was adopted by computer professionals and thus entered mainstream use as a prefix to anything IT- and Internet-related: cyber-bully, cyber-community, cyber-geek, cyber-law, cyber-stalker, cyber-war, cyber-sex, and of course cyber-space. At some point (assumed to be 1994) someone used the word cyber-security for the first time, starting its rise and the subsequent decline of the traditional, and well understood, term of IT-security.

And now two decades later no one really understands what “cyber-security” actually means. Instead people simply just say “cyber” and leave it open to interpretation. How utterly unhelpful but resonant with history. During my research, I laughed out loud when I read about a letter from Claude Shannon (one of the originators of information theory) to the aforementioned Norbert Wiener in which Shannon wrote, “Use the word ‘cybernetics’, Norbert, because nobody knows what it means. This will always put you at an advantage in arguments.”

I wonder who wrote a letter to whom in the modern age saying “use the word cyber because nobody knows what it means and it will always put you at an advantage in arguments.”

“Cyber” is now used interchangeably with “IT” and “electronic.” The notion of it meaning “to steer a ship,” let alone a society, doesn’t even enter into the fringes of anyone’s thinking. As such, cyber-security inevitably takes on the meaning of securing our computers and networks.

In looking at some of the cyber-security-related developments over the past 3 months I thought the market was making some positive strides:

• The US Securities and Exchange Commission has launched an initiative whereby its Office of Compliance, Inspections and Examinations will be assessing registered organisations against a framework that takes a more business-focused, risk-based approach, looking at how businesses assess the risk from the “cyber” threat, and how they manage it through governance and culture as well as the “traditional” technical controls.

• The Bank of England’s CBEST Initiative, whilst on the face of it looking like a glorified penetration test, is calling for businesses to front operational and risk staff who understand their assets and the economic value of those assets to the business.

• The Institute of Risk Management held its first cyber-risk conference, a big statement from the association that this is no longer an area that is to be managed by the IT Department.

• McAfee’s 2014 edition of its Report on the Global Cost of Cybercrime states that “Defenders [organisations] lack the incentive to do more [cyber security] because they underestimate risk,” implicitly suggesting that organisations need to really understand the cyber threat in a business context.

Positive, but when viewed in the context of Wiener’s cybernetics, these recent developments suggest to me that organisations do not have the right level of feedback to understand “what does this thing [cyber threat] do?” and the impact of their action — or lack thereof — against it. And thus it follows that they are unable to understand and modify their business environments.

Companies need to move “cyber” into more mainstream business management, ensuring organisations identify and assess the value of information and IT, assess the risks accurately, and put in place the governance, culture, and controls to manage it.

If IT and information encapsulate “cyber” as we define it today, it’s clear we cannot operate personally or professionally without this capability. “Cyber” must now form the bedrock of what must be managed to guide not just the organization forward but ourselves as well.

This brings us back to Ancient Greece, when cyber meant to steer and to govern. So let’s forget about poorly defining cyber in a confusing, IT-centric way. Forget about taking baby-steps in moving cyber from being about security to being about risk. Make the full leap.

Managing cyber should be at the heart of governing our businesses in today’s IT and information-driven world. When referring to their businesses, executives today talk about steering the ship. That’s what cyber was originally about, and should be again.

Colin Lobley is a director at London-based thought leadership consultancy Manigent, where he heads up the Information Risk Practice working with businesses to help them build information superiority and cyber-resilience.