The Cyber Security Body of Knowledge (opens in new tab)

I'm not Internet famous like some of the security guys around here, but I'm good enough to get a job nearly anywhere I want. I wouldn't want to work for a place that harbors illogical grudges against benign words that over time have become used by almost everyone working in the industry. It makes me wonder what other petty things the company would be needlessly elitist and toxic about.

I've only been conducting interviews for a few years, but I haven't noticed a correlation between a lack of ability and the use of the term cyber. I don't think its on my resume (haven't had to update in a few years), but I wouldn't make assumptions about anyone that did.

I feel like your second paragraph is getting the focus of everyone's ire, whilst your first point is being missed (and is a much better one):

>I have to say that by the time anyone has infosec written down and categorized it is obsolete

It's a worthy goal for CyBoK to try to write this down, but having skimmed over the AppSec one it immediately feels like it's something that will get finished one day, and then people will get round to reading it one day by which point it will be little more than an academic curiosity.

My first impression is that it is broadly an academic exercise and not a practical one. This type of knowledge needs to be documented in more dynamic format if it is to stand any chance of being relevant, let alone remaining relevant. It needs the funding and the community support, but on top of academics cogitating over it, it needs real-world, real-time input, maintenance, and updates.

> Furthermore, after a couple hundred interviews over the course of my career, use of the term "cyber" is a huge red flag. Very few such people with "cyber" on their resumes are hired where I work.

Sounds like a workplace one should avoid. It seems quite petty that one would consider a harmless and a completely acceptable word to be a reason to look at a potential candidate with a negative bias.

Maybe I should start including the word "cyber" in my resume going forward to filter out petty employers like yours.

The principles of security have not changed in thousands of years(Least Privilege, fix vulnerabilities/gaps, understand methods of attack...) as those principles apply to the world of IT they have not changed since IT happened. Specific events and vulnerabilities may have come and gone but the principles of design, and all such like things, have not changed at all. What has changed about trying to maintain Confidentiality, Integrity, Availability, Accountability, etc.?

Perhaps I misunderstand what you're saying, but it seems that I frequently hear of people's systems being compromised because they didn't, for example, install security patches and the like. Because they didn't sanitise SQL queries from untrusted sources. Because of a buffer overflow. They've been written down for years, and they're still regularly used to compromise people's systems.

Couldn’t agree more. Unfortunately however, my Masters degree was renamed from Information Assurance to Cybersecurity half-way through my program, so I have one instance of the word “cyber” on my resume, despite the eye-roll it gives me. The rest of my experience speaks for itself though.

In web dev there is the OWASP top 10, which is made of relatively old but still widespread vulnerabilities, right?

> Furthermore, after a couple hundred interviews over the course of my career, use of the term "cyber" is a huge red flag. Very few such people with "cyber" on their resumes are hired where I work.

You said the word! Take a shot!

Whilst I'm not a fan of it, the term "cyber" is part of the lexicon now, and if you want to communicate to people outside the security industry about it, you'll find it easier when using that term..

It's like the old debates about the term hacker, eventually things become part of common parlance...

As to old knowledge, I'd say it very much depends. Basic principles from 20 years ago apply very much now. The specific attacks may have changed (although in some cases they're still the same) but the underlying concepts remain.

Ouch. Doing cyber related software for years, can't really avoid the word. Though I don't think it's different from safety, reliability in the sense of good engineering goals. I wasn't expect being judged for using a word. Sadly, many engineers are quite biased, so don't beat yourself up.

I think that it depends. Computer security basic and concepts maybe old but are still valid such as security models, security (engineering) principles and other security related concepts (e. g. reference monitor).

Understanding attacks can be helpful to understand vulnerabilities and wrongly implemented security principles.

In the immortal words of the sadly departed J.D. Falk: "Nothing is cooler because it is cyber."