I've just read this article by the BBC and I've been left, not for first time, wondering what do we really mean by "cyber security"?
There's no doubt with the rapid expansion of virtually every organisation's attack surface there's now more ways for a threat actor (baddie) to breach your network and steal your stuff. Isn't that the "classic" view of cyber security and aren't those the fears most boards feel?
The article then goes on to talk about employees disposing of hard copy paper work in regular waste bins at home without shredding. Is that a cyber or an information security risk? Maybe it's a more of a data privacy risk? Does it matter? Is there a difference? Would you class an employee who doesn't dispose of sensitive company material properly an "insider"?
There's much focus on the loss or theft of data in this story - bad news if its PII or IP, but where's the consideration to business disruption? What if I just want to slow you down or stop your business?
So here's my opinion: I don't think it really matters. I think anything that raises the profile of looking after your crown jewels is important, even if this article conflates a number of risk types.
The issue is I'm not sure many organisations can define what their crown jewels are, where they live nor who has access to them. That to me is convergence of themes, where firms need to pull together cross functional teams to understand what really matters to them. The classic strategy of defense in depth has never been more important. If "cyber security" is part of an integrated strategy to protect what's important I don't think it matters what label you give it.