Is Cybersecurity One Word or Two… or Hyphenated?
You’re writing your NIST Cybersecurity Framework roadmap report to the board of directors, and there it is: Cybersecurity. Do you spell it as one word or two? Or do you use a hyphen? A quick Google search shows all three spellings in practice, though the hyphenated form is less common. Merriam-Webster insists it’s one word (search for cyber security and the online dictionary will automatically redirect you to cybersecurity). CSO.com uses two words. So, which is it? And does it even matter?
We would argue that it does matter. And here’s why: The fact that we, as an industry, haven’t agreed on a standard spelling for cybersecurity is endemic—and it’s holding us back. Let me explain.
Cybersecurity is continually evolving, and it shows no signs of stopping. As attackers advance their techniques and new technologies expand the threat landscape, the cybersecurity industry responds with ever-increasing rapidity, often without any consideration of how organizations can apply new principles or operationalize newly defined practices—never mind agree upon something as pragmatic as the spelling of cybersecurity.
Why Is a Common Cybersecurity Language Important?
Government Technology contributor Brian Heaton explains how the lack of a common language for cybersecurity impacts the public sector:
“With a variety of security options available, public-sector agencies often are deploying tools and using strategies that utilize different terminology and principles. These differences can lead to frustration when trying to compare cybersecurity programs and address the latest digital threats across agencies or jurisdictions. Without a standardized language, it’s difficult to gauge how strong another organization’s cybersecurity is.”
Of course, the lack of a common language for cybersecurity is equally challenging for private sector organizations as they look at mergers and/or acquisitions, attempt to measure the maturity of their own program, or report their security status to the board.
Comparatively, no other industry would tolerate this. Consider the healthcare industry. We’ve come a long way in our ability to diagnose and treat a heart attack. Imagine how different it would be if doctors had different terms for the heart. Cardiac medicine wouldn’t be nearly where it is today.
What is the NIST Cybersecurity Framework?
That’s precisely why the NIST Cybersecurity Framework is important—because it provides a common language and a benchmark across five fundamental cybersecurity categories (Identify, Protect, Detect, Respond, and Recover) to enable organizations to advance their efforts and achieve greater maturity.
Interestingly, the one thing the CSF doesn’t do is establish a standard for spelling cybersecurity. In fact, even NIST is inconsistent in its treatment of the word. The framework is referred to as the Cybersecurity (one word) Framework but NIST uses the acronym CSF, which implies that cybersecurity is written as two words.
So, let’s consider the perspective of Strunk and White (acclaimed authors of The Elements of Style, and grandfathers of the rules of the English language): “The steady evolution of the language seems to favor union: two words eventually become one, usually after a period of hyphenation.”
In other words, two words become one when the term itself becomes ubiquitous. At this point, the practice of cybersecurity may not be ubiquitous, but the topic as a point of discussion certainly is. We just need to pause long enough to agree that it’s one word.
Respond to our Cybersecurity Poll
How about you? How do you write cybersecurity? If you’re reading this right now, you already know what I think. Take our Poll and let us know.
If you’re interested in seeing how Rsam can help operationalize the NIST Cybersecurity Framework, and you’re looking for automation instead of managing your program from a NIST Cybersecurity Framework spreadsheet, you can get a demonstration here.