TAG Cyber analysts Jennifer Bayuk and Katie Teitler debate the “proper” usage of “cyber security” (or is it “cybersecurity…”).
The debate between โcybersecurity,โ one word, versus โcyber security,โ two words, remains one of the industryโs most controversial topics, to semi-quote one of TAG Cyberโs clients who recently questioned our two-word version. To reinforce his seriousness on the topic, he added a smiley face to his emailed comment, tacitly agreeing that it should not be of tremendous significance. Yet while many practitioners in the field are comfortable with either version, some have very strong feelings about the proper and correct representation of where โcyberโ lands in relation to โsecurity.โ
Those of us who have lived through the transitions from computer security to information security to cyber may be more comfortable with the two-word version because it aligns with the adjective form with which other โsecurityโ realms are modified: physical security, password security, email security, network security, cloud security, data security, etc. etc. etc. When โcyberโ first became a thing, its usage followed a similar convention (though admittedly the accepted written form has evolved in some circles): cyber insurance, cyber forensics, cyber threat, cyber attack.
For the record, most major dictionaries and style guides have since adopted โcybersecurity,โ one word, as a noun. However, several reputable industry entitiesโmedia sites, trade journals, and vendorsโstill have โcyber securityโ published as a two-word phrase. Also, there are a plethora of others which switch back and forth. For example, the SANS tagline is: โThe most trusted source for cyber security training, certification, and researchโ but right underneath the tagline on its website, it prompts visitors to โLearn In-Demand Cybersecurity Skills from World-Leading Instructors.โ
U.S. Cyber Commandโtwo wordsโdeclaration that cyberspace (one word) is a domain in which there are cyberattacks (one word).Why has โcybersecurityโ caught the attention of grammarians while other cyber fields remain modestly in adjective mode, for example, โcyber insuranceโ? Why have terms like โcyber attack,โ โcyber threat,โ and โcyber criminalโ evolved to one-word conventions. No one has been able to provide a real answer.
Now, back to our observations and usage: Thus far, no one has truly pressed TAG on the issue because it just hasnโt mattered that much. Surely no one is going to quibble about whether someone writes โcyber securityโ or โcybersecurity.โ If the worldโs โleadingโ instructors and institutions flipflop between usage, the average person would be forgiven for also playing fast and loose with the spelling and/or choosing one and sticking to it for no other reason than preference.
Soโฆblog over?
Not so fast. The topic has recently surfaced with both new TAG Cyber employees and our Distinguished Vendors. Roughly half of our clients assume typo when we write โcyber security,โ and new employees often default to โcybersecurityโ in their initial writings. When we explain that our style guide dictates the two-word version, no one quibbles. But the repeated suggested edits speak for themselves.
Itโs important to note that it has only been in the past 10 years or so that security professionals (see how easy it is to sidestep the issue) have accepted the โcyberโ label at all. For many years, stalwarts insisted that it was silly to start calling themselves โcyberโ practitioners when โinformation securityโ covered it.
But as โcyberโ caught on, both in vendor marketing materials and in the press, the security community started to let go of hostilities toward the new naming convention. Why? Probably because 1) a naming convention wasnโt the biggest problem security pros had to tackle and 2) reasonable arguments could be made that cyber security refers to not just securing the data, information, and systems/technologies that house data and information (i.e., โinformation securityโ), but adds the caveat that the data/information/systems are internet-connected in an ecosystem that includes people, processes, and policies governing acceptable use. Thus, โinformation securityโ fell out of favor to describe the discipline and โcybersecurity/cyber securityโ became de rigueur.
Meanwhile, the people heading the worldโs leading security programs were and continue to be called โchief information security officersโ or โchief security officers,โ no cyber in sight.
With these anecdotes in mind, the question becomes: Does it matter how we write cyber security/cybersecurity? Is it just a silly distraction that keeps getting brought up because itโs fun and insignificant? Or does this really make difference in our space, as in, how the rest of the world views information security/cyber/cybersecurity. Does one standard naming convention help us raise the bar?
We truly have not seen enterprise security programs getting derailed over how to write the term. Thank goodness. Then again, people and companies do take the time to agree on their accepted version.
We hope this blog post is not the most important thing youโve read today, but we do hope you will us know what you think about โcybersecurityโ vs. โcyber securityโ and why. Maybe youโll even influence how TAG Cyber refers to the discipline in the future.
