Cybersecurity Is JAR
Just Another Requirement
I lead a sizable cybersecurity engineering organization for a large defense contractor.
A common discussion topic within the organization relates to the idea that cybersecurity, as an engineering domain, is different from other traditional domains like systems engineering and software engineering.
We are not.
Everything we do in the course of our work has a similar practice in those other domains.
The threat-based assessments we do are very similar to the safety hazard analysis that safety engineers do, or the failure modes and effects analysis that reliability engineers do.
Pen testing is another form of stress testing or environmental testing that test engineers do.
Our biggest challenge, culturally, is getting these other engineering domains to accept the validity of this idea.
Unfortunately, when we try to create distinctions, either culturally or organizationally, from those core engineering domains, we simply pour fuel on the fire we want to put out.