Cybersecurity vs. Cyber Security: When, Why and How to Use the Term

Wednesday, July 17, 2013

Joe Franscella


Cybersecurity or Cyber Security?

“Cybersecurity” and “cyber security” are getting more and more mixed usage lately, so much that they are becoming almost as ambiguous as the term “cloud” was a few years back. The challenge information security executives and professionals are faced with is knowing  ̶  as the title implies  ̶  when and why the term should be used and how it should be presented, as a single word or two. While there isn't any recognized authority on the subject per se, there are at least some credible sources providing guidance that can help those of us in the industry to decide on "when, why and how" to use the term.

First, let’s tackle the when and why; we’ll move onto the how later.

In June, Gartner (@Gartner_inc) acknowledged that there is confusion in the market over how the term should be used, prompting the firm to publish “Definition: Cybersecurity” (note, Gartner uses the single-word form). In it, analysts Andrew Walls, Earl Perkins and Juergen Weiss wrote that “Use of the term ‘cybersecurity’ as a synonym for information security or IT security confuses customers and security practitioners, and obscures critical differences between these disciplines.” To help set the record straight, the team defined the term:

"Cybersecurity encompasses a broad range of practices, tools and concepts related closely to those of information and operational technology security. Cybersecurity is distinctive in its inclusion of the offensive use of information technology to attack adversaries."

Additionally, Gartner advised:

"Security leaders should use the term "cybersecurity" to designate only security practices related to the combination of offensive and defensive actions involving or relying upon information technology and/or operational technology environments and systems."

This is one definition and recommendation, but certainly not the only one in circulation.

I am starting to see some vendors use the term, even though they are not providing – or at least not promoting that they provide – technologies designed to “attack adversaries,” as Gartner suggests is a critical component. It seems that mostly the prefix “cyber” ̶  as analyst and writer Richard Stiennon (@stiennon) pointed out recently on a Facebook post  ̶  is being used in and around the Beltway and that only a few vendors in other parts of the country have started to adopt it. This could be due to the fact that it is yet to be fully defined and because no one, especially anyone in marketing and PR, ever wants to wind up with egg on their face due to an incorrect use of terms.

In addition to the guidance Gartner has provided, there are other definitions of the term, which could explain its growing usage.

At least one online dictionary defines it as:

"Measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack."

In the TechTarget “What is” section there is no mention of “offense” or adversary attack:

"Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. In a computing context, the term security implies cybersecurity."

Although it does not provide a specific definition, in its “Cybersecurity Questions for CEOs” report, the DoHS kind of says what it means in its description of the term:

"A comprehensive cybersecurity program  leverages industry standards and best practices to protect systems and detect potential problems, along with processes to be informed of current , threats and enable timely response and recovery."

Again, no mention of offense or attack, but I suppose “timey response” could imply either.

Techopedia defines it as well, again, there is no mention of offensive or attack capabilities:

"Cybersecurity refers to preventative methods to protect information from being stolen, compromised or attacked in some other way. It requires an understanding of potential information threats, such as viruses and other malicious code. Cybersecurity strategies include identity management, risk management and incident management."

I searched on the SANS glossary and didn’t find anything specifically.

For now, it appears as if the jury is out on when and how to use the term but there is at least some direction from one of the analyst groups out there that has a lot of interaction with enterprise clients as well as some other guidance as pointed out.

Onto the how  ̶   is it “Cybersecurity,” one word, or “Cyber Security,” two words?

Grammarians may argue, but the Associated Press (@APStylebook), which for all intents and purposes still holds the throne when it comes to news copy style, says it is one word – Cybersecurity:

"cyber-, cyberspace Cyberspace is a term popularized by William Gibson in the novel "Neuromancer" to refer to the digital world of computer networks. It has spawned numerous words with cyber- prefixes, but try to avoid most of these coinages. When the combining form is used, follow the general rule for prefixes and do not use a hyphen: cyberattack, cyberbullying, cybercafe, cybersecurity."

There are some exceptions to the prefix rule, specifically around proper nouns, such as ‘US Cyber Command.’ But for the most part, if you are sticking with the leader when it comes to defining news style, you will want to stick with the single word use.

Regardless of which style you prefer, it is always best to pick one and stick with it. By the way, if you are not sold on AP style, note that all of the other definition examples, including the dictionary, use the single-word form.

Suggested reading:





Possibly Related Articles:
Infosec Island
Cybersecurity or Cyber Security spelling cyber-security usage term
Post Rating I Like this!
Quite Dinkle Cybersecurity - with or without a space - is bloated and tries to be everything for everyone. There's a difference between what cybersec is and infosec that we should practice. Most of what gets tossed into the cybersec vat is infosec, see
Quite Dinkle Cybersecurity - with or without a space - is bloated and tries to be everything for everyone. There's a difference between what cybersec is and infosec that we should practice. Most of what gets tossed into the cybersec vat is infosec, see
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.