Cybersecurity: A discipline in search of a definition

Guest blog by Matthew Mackay, Practice Lead and Principal Security Consultant, Logiq

In an era where digital threats evolve faster than most organisations can adapt, you would be mistaken in believing that there is a universally agreed definition for the term ‘cybersecurity’.

Despite its increased profile and agreed importance, cybersecurity remains a concept without a single, unified meaning. Is the lack of a universally agreed definition of cybersecurity a semantic issue, or does it reflect a wider uncertainty in people’s understanding of what cybersecurity really is: the means or the end?

What are the definitions of Cybersecurity?

Several bodies have provided their own definitions for cybersecurity, which are introduced below:

  • The National Cyber Security Centre (NCSC), as the national authority for cyber security in the UK, defines it as “the protection of devices, services and networks – and the information on them – from unauthorised access, theft or damage.”
    • This definition is firmly rooted in a technical and asset‑centric worldview, emphasising systems, infrastructure, and data protection. It reflects the NCSC’s operational remit and its focus on defensive controls, threat mitigation, and the security of digital estates.
  • ISO/IEC 27032 ‘Cybersecurity – Guidelines for Internet Security’ defines cybersecurity as “safeguarding of people, society, organizations and nations from cyber risks.”
    • Here, the emphasis shifts away from individual systems and towards societal and systemic impact. Cybersecurity is framed not merely as a technical discipline, but as a means of managing risk at national and societal scale, extending well beyond traditional IT boundaries.
  • The National Institute of Standards and Technology (NIST), within its Cybersecurity Framework, describes it as “the process of protecting information by preventing, detecting, and responding to attacks.”
    • This definition implicitly assumes that compromise is inevitable, and instead positions resilience through detection and response. It reflects a lifecycle view of security rather than a static state of protection.
  • The UK Cyber Security Council defines cybersecurity as “The area of organisational risk that derives from the operation of IT systems.”
    • This is perhaps the most revealing shift of all. Cybersecurity here is explicitly framed as a business and governance issue, positioning it alongside other enterprise risks rather than as a purely technical concern. It speaks directly to boards, executives, and senior leaders, rather than engineers or security practitioners. The definition, however, excludes non-IT systems, which lends itself to a view focussed on traditional IT.

Each of these definitions captures different components of cybersecurity, such as the CIA[1] triad, and the protection of services and data. Although these definitions are useful, they are potentially too narrow for what we understand cybersecurity to be today, especially when we extend our view beyond traditional IT systems or, more fundamentally, ask ourselves what end the protection of digital assets serves.

Many definitions inadvertently frame cybersecurity as solely an IT or cyber issue, which risks alienating the very stakeholders whose engagement is critical. This narrow positioning fosters organisational silos and undermines broader accountability. This article reframes cybersecurity as a strategic organisational concern.

The Missing Link: Strategic Alignment

For those of us who have the battle scars, or maybe the odd grey hair that we deny, we know that cybersecurity does not exist in a vacuum. By that, we mean that cybersecurity must support the organisation in achieving its aims and priorities; security must therefore be a strategic enabler in achieving organisational objectives.

Cybersecurity is therefore a strategic function that must be aligned with, and supportive of, an organisation’s goals, risk appetite, and operational context. A security programme that is technically sound but misaligned with business priorities can be just as damaging to the organisation as the cyber incident it was intended to protect against. This repositions cybersecurity as a ‘means’ to achieve an objective rather than an ‘end’.

A Call for a Contextual Definition

What is missing from the current set of definitions is a focus on the ends that cybersecurity is trying to achieve. What is needed is a more holistic, context-aware definition of cybersecurity, one that recognises its role as an organisational enabler.

A more fitting definition might be:

Cybersecurity is the strategic and operational discipline of safeguarding assets, systems, and services in a manner that supports and advances an organisation’s mission and objectives.

This definition acknowledges the technical core of cybersecurity while elevating its purpose: to serve the organisation, not just protect it.

Conclusion

Which brings us back to the question posed at the outset: is the lack of a universally agreed definition of cybersecurity merely a semantic issue, or does it reveal something deeper? The evidence suggests the latter. The absence of a shared definition is not just about words; it reflects a fundamental lack of consensus about the purpose of cybersecurity itself, and whether it exists to protect systems, manage risk, enable organisations, or safeguard society as a whole.

While a universally accepted definition of cybersecurity may remain elusive, we must not lose sight of its true purpose: enabling organisations to achieve their objectives through the application of secure system designs, processes and through-life supporting functions that protect the organisation against cyber attacks. Whilst this article is not expected to unify the community around a single definition of cybersecurity, it is hoped that it serves as a springboard for continued dialogue and debate about its fundamental purpose.

[1] Confidentiality, Integrity, Availability


About Logiq:

Logiq is an NCSC-assured cyber security consultancy and secure managed services provider focused on safeguarding critical organisational data. Our clients are amongst the most demanding in the world and have some of the most stringent and complex security needs. We help to design and develop innovative solutions that enable them to focus on delivering their business securely.