
One of our five foundations
Security
What is Cybersecurity?
Have you, or someone you know, been scammed? Ever got a phishing or a 419 email, or a dubious link which turns out to be Rick Astley’s most famous song?
This is likely to be your first encounter with cybersecurity, when it is too late. But, what do cybersecurity staff actually do?
At its core, cybersecurity is about the Confidentiality, Integrity, and Availability of data, hence the CIA acronym. In addition, there’s incident management, from prevention and mitigation to response and recovery. It aims to keep your data safe, and your business secure.
CIA

When we speak of data, we mean both documents, information, and the systems that host them.
How do you define CIA?
Confidentiality is about keeping your data private. The data must be protected against access by unauthorised users. It is encryption, firewalls, and access control lists.
Integrity is about keeping your data consistent, accurate, and trustworthy over its entire lifecycle: how you make sure that your data is what you say it is. The data must be protected against alteration and modification by unauthorised users, and authorised alterations and modifications must be audited. It is data quality, backups, data validation, and disaster recovery.
Availability is about making sure that the right people can reach the right data when they need it. It is passwords, two-factor authentication, and IAM roles in the cloud. Together with confidentiality, it forms the basis for authentication and authorisation.
Confused about the difference between authentication and authorisation? You’re not alone.
Authentication is who you are, authorisation is what you are allowed to do. Here is a metaphor on the difference between authentication and authorisation: At the airport, authentication is your passport and authorisation is your boarding pass. You cannot get to the gates without the former and onto a plane without the latter.
How do you know what to protect and by how much? Is a million too much money to spend? Not enough? As an executive, how do you know what to do?
It is all about risk acceptance: which risks are you willing to accept, versus how much you are willing to spend to mitigate them. There are no easy answers here. A risk register is a good starting point.
How does this apply to software? Do you need to worry about it, or can we paint over it later?
Insecure software can leak user data, which can lead to fines. Your users might choose a different service because their data was leaked. New users might read that your software security is poor and go with another vendor. The cost to the US economy of bad software was a staggering $2.08 trillion in 2023. The earlier cybersecurity is implemented, the more secure your software is: cybersecurity is dye, not paint.
What about software we use, but do not control?
This is supply chain security: the things your software depends on, libraries, modules, and the whole ecosystem behind them. From crypto-hijacking, to social and political activism, to newly discovered vulnerabilities, your software is exposed to vulnerabilities in dependencies of dependencies of dependencies. The EU’s revised Cybersecurity Act has plenty to say about just this. Software Bills of Materials, or SBOMs, are getting more and more popular as a way to tackle this issue.
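As an added illustration of how an SBOM lets you see those dependencies of dependencies (example code written for this post, not the author’s or any vendor’s tooling): it walks a small, constructed CycloneDX-style SBOM from the application down through its dependency graph and reports the path to any component that matches an advisory list. The component names, versions and the advisory identifier are all made-up placeholders.

```python
"""Find transitive dependencies in a CycloneDX-style SBOM that match an
advisory list, and report the dependency path to each one."""
import json
from collections import deque

# Constructed SBOM fragment in CycloneDX JSON shape (bom-ref / dependsOn).
# Names and versions are placeholders, not real packages.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "name": "my-app", "version": "1.0.0"}},
  "components": [
    {"bom-ref": "pkg:npm/web-framework@4.2.0", "name": "web-framework", "version": "4.2.0"},
    {"bom-ref": "pkg:npm/http-client@2.1.0", "name": "http-client", "version": "2.1.0"},
    {"bom-ref": "pkg:npm/tiny-parser@0.9.1", "name": "tiny-parser", "version": "0.9.1"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:npm/web-framework@4.2.0"]},
    {"ref": "pkg:npm/web-framework@4.2.0", "dependsOn": ["pkg:npm/http-client@2.1.0"]},
    {"ref": "pkg:npm/http-client@2.1.0", "dependsOn": ["pkg:npm/tiny-parser@0.9.1"]},
    {"ref": "pkg:npm/tiny-parser@0.9.1", "dependsOn": []}
  ]
}
"""

# Constructed advisory list: (name, affected version) -> placeholder advisory id.
ADVISORIES = {("tiny-parser", "0.9.1"): "ADVISORY-PLACEHOLDER-1"}


def find_affected(sbom_text: str, advisories: dict) -> list:
    """Return (advisory_id, path) for each component matching an advisory.
    path lists component names from the root application down to the match."""
    sbom = json.loads(sbom_text)
    by_ref = {c["bom-ref"]: c for c in sbom["components"]}
    root = sbom["metadata"]["component"]
    by_ref[root["bom-ref"]] = root
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    found, seen = [], set()
    queue = deque([(root["bom-ref"], [root["name"]])])
    while queue:  # breadth-first, so the shortest path to each match is reported
        ref, path = queue.popleft()
        if ref in seen:  # dependency graphs can share nodes; visit each once
            continue
        seen.add(ref)
        comp = by_ref[ref]
        if (comp["name"], comp["version"]) in advisories:
            found.append((advisories[(comp["name"], comp["version"])], path))
        for child in graph.get(ref, []):
            queue.append((child, path + [by_ref[child]["name"]]))
    return found
```

The reported path is what makes the result actionable: it tells you which direct dependency to upgrade or replace to get rid of a problem three levels down.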
Incidents
Ever heard your CISO say “We have been breached”? Do you remember the cold sweat and panic that sets in? What was the last time you saw a security incident? How was it handled?
Let’s cast our minds back to 1967, when the USS Forrestal was off the coast of North Viet Nam. During the punishing operations, a Mk 32 Zuni rocket misfired, causing a catastrophic chain of events resulting in a massive fire. After 14 hours, all the fires were finally under control. The incident left 134 men dead, 161 more injured, and more than $680 million (in today’s money) of damage, as well as impeding military operations in North Viet Nam.

Why was it so bad? The US Navy after-action report highlighted poor and outdated doctrine, technical documentation, and procedures at all levels of command. To remedy this, the Navy opened a firefighting school, the Farrier Firefighting School, where all future sailors are trained in fighting fires.
What has this got to do with cybersecurity, I hear you ask?
The old adage holds true: you fight how you train. If your staff have no knowledge of what to do during an incident, they will panic and do the wrong things, making matters worse.
When is the last time you ran a security incident training?
How did your staff do?
Humans and Adversary Relationships
Do you know Dave? The one in the cartoon below.

Yes? I think everyone does…
We, as a species, have done so well because we are fantastic at gaming any system we find. It’s how we tamed dogs, fire, and wheat, rice, and maize. It’s how we built the hanging gardens of Babylon and put men on the Moon. Any policy or tool blocking someone from doing their job will be circumvented in hours, if that. For example, the financial world did not have a good mobile communications platform, so everyone started using WhatsApp. It is not compliant and banks are being fined every year for using it. Still, they are using it.
People matter and cybersecurity should make it easier to do their job, not harder — in a secure way, of course. Sadly, some cybersecurity professionals are very much like the cat below. They say NO to anything new, anything that changes, and anything that is not what they know. Remember the A in CIA? That’s where those cybersecurity teams are failing.

Good cybersecurity is a dye, not a paint.
It permeates all aspects of your company and makes sure that everyone can do their jobs more easily in a secure way. Cybersecurity should be everyone’s friend, not their enemy. From naming security champions, to actively listening to the pain of users, to tailored training, you can get all your teams to be more secure. In the long run, it will save you millions. 43% of UK businesses reported security breaches in 2025. Make sure you are not one of them in 2026.
And remember: compliance (such as SOC 2 or ISO 27001) flows from good cybersecurity, not the other way around.
Conclusion
All of these questions, and more, are under our foundation of security.
Imagine, if you will, a day when all the drama is removed from your software production: no panic, no crisis, just smooth software releases that exceed your customer’s expectations. This is what we have done in the past and can do for you.
We can help with implementing nascent cybersecurity such as Cyber Essentials or the NIST Cybersecurity Framework, and compliance such as SOC 2, ISO 27001, and the EU’s revised Cybersecurity Act. We can incorporate practical and sane cybersecurity early into the development process, saving you future costs. With our understanding of the abstract factors, we can create the right approach for you.
This is part of a series on all our foundations. Here are links to the next entries:
People.
Development.
Security, this post.
Operations, next week.
AI in two weeks.
Dr Yann Golanski