TAG Cyber analysts Jennifer Bayuk and Katie Teitler debate the "proper" usage of "cyber security" (or is it "cybersecurity...").
The debate between “cybersecurity,” one word, versus “cyber security,” two words, remains one of the industry’s most controversial topics, to semi-quote one of TAG Cyber’s clients who recently questioned our two-word version. To reinforce his seriousness on the topic, he added a smiley face to his emailed comment, tacitly agreeing that it should not be of tremendous significance. Yet while many practitioners in the field are comfortable with either version, some have very strong feelings about the proper and correct representation of where “cyber” lands in relation to “security.”
Those of us who have lived through the transitions from computer security to information security to cyber may be more comfortable with the two-word version because it aligns with the adjective form with which other “security” realms are modified: physical security, password security, email security, network security, cloud security, data security, etc. etc. etc. When “cyber” first became a thing, its usage followed a similar convention (though admittedly the accepted written form has evolved in some circles): cyber insurance, cyber forensics, cyber threat, cyber attack.
For the record, most major dictionaries and style guides have since adopted “cybersecurity,” one word, as a noun. However, several reputable industry entities—media sites, trade journals, and vendors—still have “cyber security” published as a two-word phrase. Also, there are a plethora of others which switch back and forth. For example, the SANS tagline is: “The most trusted source for cyber security training, certification, and research” but right underneath the tagline on its website, it prompts visitors to “Learn In-Demand Cybersecurity Skills from World-Leading Instructors.”
U.S. Cyber Command—two words—declaration that cyberspace (one word) is a domain in which there are cyberattacks (one word).
Now, back to our observations and usage: Thus far, no one has truly pressed TAG on the issue because it just hasn’t mattered that much. Surely no one is going to quibble about whether someone writes “cyber security” or “cybersecurity.” If the world’s “leading” instructors and institutions flipflop between usage, the average person would be forgiven for also playing fast and loose with the spelling and/or choosing one and sticking to it for no other reason than preference.
Not so fast. The topic has recently surfaced with both new TAG Cyber employees and our Distinguished Vendors. Roughly half of our clients assume typo when we write “cyber security,” and new employees often default to “cybersecurity” in their initial writings. When we explain that our style guide dictates the two-word version, no one quibbles. But the repeated suggested edits speak for themselves.
It’s important to note that it has only been in the past 10 years or so that security professionals (see how easy it is to sidestep the issue) have accepted the “cyber” label at all. For many years, stalwarts insisted that it was silly to start calling themselves “cyber” practitioners when “information security” covered it.
But as “cyber” caught on, both in vendor marketing materials and in the press, the security community started to let go of hostilities toward the new naming convention. Why? Probably because 1) a naming convention wasn’t the biggest problem security pros had to tackle and 2) reasonable arguments could be made that cyber security refers to not just securing the data, information, and systems/technologies that house data and information (i.e., “information security”), but adds the caveat that the data/information/systems are internet-connected in an ecosystem that includes people, processes, and policies governing acceptable use. Thus, “information security” fell out of favor to describe the discipline and “cybersecurity/cyber security” became de rigueur.
Meanwhile, the people heading the world’s leading security programs were and continue to be called “chief information security officers” or “chief security officers,” no cyber in sight.
With these anecdotes in mind, the question becomes: Does it matter how we write cyber security/cybersecurity? Is it just a silly distraction that keeps getting brought up because it’s fun and insignificant? Or does this really make difference in our space, as in, how the rest of the world views information security/cyber/cybersecurity. Does one standard naming convention help us raise the bar?
We truly have not seen enterprise security programs getting derailed over how to write the term. Thank goodness. Then again, people and companies do take the time to agree on their accepted version.
We hope this blog post is not the most important thing you’ve read today, but we do hope you will us know what you think about “cybersecurity” vs. “cyber security” and why. Maybe you’ll even influence how TAG Cyber refers to the discipline in the future.