Who cares?
I recently witnessed a silly bunfight between two professionals slugging it out in public over whether “information security” and “cybersecurity” were the same thing. And whether physical security was part of either.
Honestly. This is the kind of dogmatic pedantry that gets companies popped. If I may be allowed to quote Hamlet:
“Words, words, words, words, words.”
With apologies to Shakespeare, words are a signpost to the things themselves, and not the actual thing. You need to go past the words to engage with reality. Words and metaphors are constraints that filter an overwhelming volume of sensory input.
Security work requires you to engage with reality as it is, not as you wish it to be, but as it actually is, and that means seeing past words and discarding filters and metaphors to more adequately engage with the world.
That’s all a bunch of fancy theory to mean the following: It doesn’t matter whether we call the work “information security” or “cybersecurity” or even, in 2024, “physical security”. It's all the same thing.
On the latter point: Car theft. Physical security or infosec/cyber?
Well, these days the two have merged. Check out what car theft looks like these days. The security of our physical world is now more and more reliant on infosec/cybersecurity.
Saying infosec/cyber folks are siloed off from physical security is ridiculous! You think it’s hard to clone keycards? As we all know, of course, it is not. Information security vulnerabilities are physical security vulnerabilities. And vice versa—physical access to information-securing devices is in most cases a game-over scenario.
Defensive security work must be pragmatic, and not dogmatic. Bringing your pet theory to work and cherry-picking facts to fit your theory is a good way to get your employer popped. Being pedantic about words and their meaning, doubly so.
Being pragmatic means holding all theory loosely, willing to discard a useful metaphor on a moment’s notice when new and important information contradicts it, and engaging with reality with an open mind.
This takes no small degree of courage. It is mentally challenging to hold known unknowns and unknown unknowns in your mind. It is stressful to let down your words, words, words filter and attempt to receive the full stimulus of the human experience. There’s a reason we metaphor: our brains are vastly insufficient to process all of the sensory input our bodies are capable of receiving.
It is a strange mismatch. It’s like our senses possess the ability to hoover up vast quantities of telemetry but there's a PDP-11 upstairs chugging along. Most of that data has to get thrown away, unreviewed. Metaphors and words are processing filters that routinely drop true positive alerts for lack of processing power.
So to anyone debating “information security vs. cybersecurity”, I can only say that’s the same thing as arguing whether a particular shade of paint is “off white” or “cream”. It doesn’t matter what the word is. We can see the color on the wall in its raw form. The word we use to describe it is irrelevant, except as a means of shared language to communicate with others.
And today there is no meaningful difference between the thing signified by “infosec” vs “cyber”, and both clearly touch on physical security.
So let’s all drop silly debates and get back to work.