What is a Cyberist?

Chris Ensor, Deputy Director for Cyber Skills & Growth at the UK National Cyber Security Centre (part of GCHQ), said it best in his blog.

Chris wrote the following:

“The term ‘Cyberist’ describes, in a positive light, the role of someone who works in the cyber security profession. Far from being a shadowy figure, a Cyberist is someone with a dynamic career who plays a vital role in the community and wider society, protecting the information and systems we care about and rely on in our daily lives.

That said, it’s been clear from the response that this is quite an emotive subject. One of the immediate lessons we’ve learnt is that you can’t just invent a new word (or re-purpose an existing one) and expect everyone to accept your definition. We asked the target audience what they thought of the term, and received some positive responses, but this was only a small sample. So we’ll use our summer courses to get a much broader view, and maybe discover some alternative suggestions that we can put to a vote – at the risk of course of getting egg all over our ‘Cyber McCyberface’.

In the meantime, if you’ve any thoughts on the term ‘Cyberist’, or what we should use to inspire the next generation of cybersecurity professionals, feel free to comment below.”

Like Chris, I’ve been in this business nearly 30 years, or almost 50 years if I count my time in Signals Intelligence and Electronic Warfare with the Canadian Forces (CF) and the Royal Canadian Navy (RCN), and I too still struggle to explain to people what I do. Over the years I’ve been described as an operator, technician, technologist, engineer, a computer and information security geek, an information assurance expert, and now a cybersecurity professional. None of these terms describes what we do or what the job is, and none of them will inspire the next generation to think of cybersecurity as a career. Add to this the portrayal of cybersecurity in films, novels, TV programmes and on the Internet, usually a guy in a darkened room, wearing a hoodie and full of malice, and you’ll appreciate that we face quite a challenge in naming ourselves.

I for one like Cyberist very much, and from there named my company Cyberistix (as in futuristic).

Endangering our data security

Governments all over the world are trying to abolish encryption, to force application and service providers to build in backdoors, or to make users reveal their encryption keys on demand, thus endangering all our data security. Many governments hide behind vague, ill-informed ‘national security’ clauses to make up for their national security and law enforcement agencies’ lack of skills and outright laziness, and in doing so weaken our national safety and security.

Instead, politicians and bureaucrats in their ignorance are providing hackers, cybercriminals, malfeasants and plain old thrill-seekers with greater opportunities to create a wide range of havoc that will in the end cost users far more than just money, and are creating loopholes for law enforcement abuses. (Hint: secret backdoors never remain secret for long; remember EternalBlue.)

Governments should promote Zero Trust systems architecture (basically, never trust; always verify), data that is always encrypted at rest and in motion, and Trust No One computing, while using existing laws and rules to target suspected criminals and terrorists, instead of casting as wide a net as possible, just in case.

Smartly segmented Zero Trust networking means the IT department verifies every user before granting any access privileges. Effectively managing access to accounts is more important than ever, with 58 percent of small to midsize businesses (SMBs) reporting data breaches in 2017, according to the 2018 Verizon Data Breach Investigations Report.

So Zero Trust networking, with all data encrypted at rest and in motion, sounds like common sense. Yet governments only pay lip service to cyber and information security; they are quick to deplore and point fingers at the enemy of the day when their patrons decry the theft of their data and money, and they tend to overreact. What governments should be doing is using their legislative power to mandate cybersecurity at all levels; support real-world, effective and enforceable cybersecurity standards (the CIS Controls, the ISO/IEC 27000 series and the NIST Cybersecurity Framework, for a start); subsidise third-party information systems audits; and, more importantly, promote a wide range of cyber and information security education programmes that teach best practices in schools and offices (like the CyberFirst courses run by GCHQ’s National Cyber Security Centre), a little like mandatory home economics classes.

Welcome to Cyberistix!

In what follows I hope to share some of my experiences with information and supply chain security and cyber intelligence (OSINT: Open Source Intelligence), along with my opinions on all matters cyber found in various news and blog outlets, and to remind you not only that it is an ugly world out there, but also that there is lots of great source material to help you stay secure.

I hope to remind my readers that security is not for the passive!