You Cannot Secure Cyber

Cyber is useful as an executive umbrella term, but dangerous when practitioners adopt it as precise language. Security is an engineering discipline. Engineering requires specificity. You secure assets, systems, identities, data, processes, and trust boundaries. You do not secure “cyber”.

This article was prompted by conversations I had around BSides Calgary 2026, but it is not about BSides. It is about a broader habit in the security industry.

I grew up around the 90s hacker scene, so I should probably have more tolerance for the word “cyber”.

I don’t.

If anything, I have less.

Back then it sounded like a movie prop. Today it sounds like a boardroom prop.

This is not about taste. It is about precision. Security is an engineering discipline, and engineering disciplines depend on specific language. You secure assets, systems, identities, data, processes, and trust boundaries. You do not secure “cyber.”

Information security protects information.

Application security protects applications.

Cloud security tells you the environment.

Identity security tells you the control plane.

Product security tells you the scope.

Cybersecurity protects… what, exactly?

It gestures vaguely at computers, networks, threats, nation-states, ransomware, hackers, compliance, resilience, fraud, infrastructure, and whatever else the speaker wants to include in a hand-wavy manner.

I prefer “information security” when speaking about my profession because it is specific about what I am protecting. Since I work mainly in cloud environments, I’m not concerned about physical security but rather the data flowing into, through, and out of systems.

This is not a semantic purity test. Vague language creates vague accountability. Vague accountability creates vague controls. Vague controls fail in specific ways.

I have always believed that security is an engineering discipline. It is about working with specifics, because nuance is where vulnerabilities and failures live. To that end, let’s apply the same rules about “cyber” to a civil engineer’s profession.

A civil engineer would not say, “We need to improve bridge.”

They would not say, “The bridge has a structural vibes problem.”

They would talk about load, stress, materials, corrosion, fatigue, reinforcement, drainage, inspection intervals, seismic risk, and failure modes.

That is not pedantry. That is the work.

Likewise, security practitioners should be talking about:

assets, trust boundaries, privileges, data flows, identities, secrets, threat models, vulnerabilities, controls, detection, response, recovery, and evidence.

The more serious the discipline, the more precise the language should become.

I understand that security leaders are required to translate to non-security people. In fact, every profession needs to do this. Boards, executives, customers, regulators, and insurers may use “cyber.” Fine. Meet them where they are.

But translation should not destroy meaning.

Good translation:

Our cyber risk is concentrated in three areas: privileged access, backup recoverability, and third-party API exposure.

Bad translation:

We need to mature our cyber posture.

It may be acceptable as a slide heading. It is not acceptable as the analysis.

The first compresses detail while preserving traceability. The second turns an engineering problem into fog.

But then comes the most troubling part for me: the reverse shibboleth.

Some people use “cyber” as a shibboleth to sound like they belong. But to many practitioners, it can have the opposite effect. It signals that they know the boardroom word for this domain, but may not know how to decompose the problem.

This is not always true, of course. Plenty of capable practitioners use the word because their audience expects it. But when “cyber” is the deepest level of explanation someone can provide, it starts to become a tell.

“Cyber” is often the language of people who need security to sound important before they can explain what needs to be secured.

When someone says “cyber,” ask them:

• What asset?
• What threat?
• What control?
• What owner?
• What evidence?
• What decision?

If they can answer, “cyber” was just shorthand. If they cannot, “cyber” was camouflage.

Security does not become more mature when it adopts broader words. It becomes more mature when it becomes more specific about what can fail, why it matters, who owns it, and what evidence shows it is under control.

Use “cyber” if you must. But do not let it become the thing you manage.

You cannot secure cyber.

You can only secure real things.