
Episode 51: Subcategories of cyber

  • Writer: Embedded IT
  • Aug 4, 2025



This series was created with Joe Rose, a Senior Product Manager and Senior Security Architect, bringing practical, real-world security insight.


Cyber security can feel like a wall of acronyms and buzzwords, which makes it easy for people to nod along rather than ask questions. In this blog, cyber security is broken down into five practical categories that matter when organisations are buying technology: network security, endpoint security, identity and access management, data security, and cloud security.


The focus is on helping technology procurement teams understand what they are actually buying, how the pieces fit together, and where they need to probe for clarity rather than be blinded by jargon.


This overview builds on our introduction to cyber security, which sets the context for why these categories exist.


Why it helps to group cyber security into clear categories


To make sense of the many different tools and concepts in cyber security, the discussion groups them into five main areas:


  • Network security

  • Endpoint security

  • Identity and access management

  • Data security

  • Cloud security


Each category comes with its own products, services and risks. For procurement teams involved in IT procurement for hardware, software and services, having this structure makes it easier to ask sensible questions and compare options.


What network security covers in practice


Network security is mostly about tools and services that protect the organisation’s network from unwanted or malicious traffic.


A key building block is the firewall. It usually sits just behind the telecoms equipment at the network perimeter. A firewall:


  • Allows in only traffic that matches an explicit rule, denying everything else by default

  • Blocks suspicious or malicious connections

  • Acts like a secure access door for the organisation’s systems


Firewalls are also commonly used to terminate virtual private networks. When people connect from home, their traffic is encrypted inside a VPN tunnel so it cannot easily be intercepted on the way. From the user’s point of view this is now largely transparent: the client is configured by IT, with little or no choice at the endpoint.


More advanced network security stacks may also include:


  • Intrusion detection systems, which watch a copy of the traffic, spot potential break-ins and raise an alarm

  • Intrusion prevention systems, which sit inline and try to block malicious traffic in real time


All of these devices generate logs. Those logs are usually forwarded to a security information and event management platform, or SIEM, which normalises them and puts events from every device into a single time order. That lets teams trace where an attacker came from, how they got through the firewall, which rules their traffic matched, and which machines or demilitarised zones they touched.
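The trace described above, as an added example that is not from the post: a handful of constructed firewall and IDS log lines (the key=value layout is an assumption, not a real vendor format) are normalised, merged into one timeline, and one source address is followed through the estate, including any host it was allowed to reach and later pivoted from.

```python
"""Added example (not from the post): normalise key=value firewall and IDS log
lines, put them in time order and trace one source address through the estate.
The log lines and the 'ts dev=... key=value' layout are constructed for this
example and do not correspond to a real vendor format."""
from datetime import datetime

# Constructed sample events from three hypothetical devices, deliberately out of order.
SAMPLE_LOGS = [
    "2025-08-04T09:15:02Z dev=fw-edge action=allow rule=DMZ-WEB-443 src=203.0.113.7 dst=10.1.0.5 zone=dmz dport=443",
    "2025-08-04T09:14:58Z dev=fw-edge action=deny rule=DEFAULT-DENY src=203.0.113.7 dst=10.1.0.5 zone=dmz dport=22",
    "2025-08-04T09:16:40Z dev=ids-dmz action=alert sig=WEBSHELL-UPLOAD src=203.0.113.7 dst=10.1.0.5 zone=dmz",
    "2025-08-04T09:17:05Z dev=fw-core action=allow rule=DMZ-TO-DB-1433 src=10.1.0.5 dst=10.2.0.20 zone=internal dport=1433",
    "2025-08-04T09:16:00Z dev=fw-edge action=allow rule=VPN-USERS src=198.51.100.9 dst=10.0.0.1 zone=vpn dport=443",
]


def parse_line(line):
    """Turn 'timestamp key=value ...' into a dict with a parsed datetime under '_when'."""
    ts, _, rest = line.partition(" ")
    event = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    event["_when"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def timeline(lines):
    """The SIEM's basic service: every device's events merged into one time order."""
    return sorted((parse_line(line) for line in lines), key=lambda e: e["_when"])


def trace_source(lines, src):
    """Follow an address through the estate. Any host the attacker was allowed to
    reach is treated as a possible pivot, so its later outbound events are kept too."""
    suspects = {src}
    path = []
    for event in timeline(lines):
        if event.get("src") in suspects:
            path.append(event)
            if event.get("action") == "allow" and event.get("dst"):
                suspects.add(event["dst"])
    return path


def summarise(path):
    """Which rules the traffic passed, which zones it crossed and which hosts it touched."""
    return {
        "rules": [e["rule"] for e in path if "rule" in e],
        "zones": sorted({e["zone"] for e in path if "zone" in e}),
        "hosts": sorted({e["dst"] for e in path if "dst" in e}),
    }


if __name__ == "__main__":
    for event in trace_source(SAMPLE_LOGS, "203.0.113.7"):
        print(event["ts"], event["dev"], event.get("action"),
              event.get("rule", event.get("sig")), "->", event.get("dst"))
    print(summarise(trace_source(SAMPLE_LOGS, "203.0.113.7")))
```

Note what the timeline reveals that any single device's log does not: the edge firewall's denied SSH attempt, the allowed HTTPS connection into the DMZ, the IDS alert on that host, and then the DMZ host opening a database connection through the core firewall, all within three minutes. The trace only follows hosts reached on an allowed connection; a real investigation would also widen the net on alerts and on identity events.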


SIEM tools such as QRadar and Splunk have been around for roughly two decades. More recently, extended detection and response tools have appeared. XDR overlaps with SIEM but is usually built around telemetry the vendor already collects from endpoints, identity, email and cloud services, correlated into incidents and presented on additional dashboards to make the information easier to understand. Many organisations run both, with the SIEM as the long-term store for everything else that produces logs.


For technology procurement teams, network security typically involves firewall hardware, associated software, monitoring platforms and the services required to implement and run them.


Endpoint security beyond antivirus


Endpoint security started life as antivirus on desktops and laptops, but now refers to any software agents installed on devices to improve security.


This can include:


  • Antivirus and anti-malware tools

  • Data loss prevention software

  • Controls on removable storage like USB drives


Data loss prevention is often rule based: it inspects what is leaving the network or device and matches files, emails or transfers against patterns (card numbers, identifiers, classification markings) that would break company policy or regulatory rules. Because the rules fire on patterns, tuning them to limit false positives is part of running the tool. It can also block or monitor the use of removable storage, to stop people copying sensitive information onto a USB drive and walking out with it.
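A rule-based outbound check of the kind described above, as an added example that is not from the post and not any vendor's product: the policy, the list of personal webmail domains and the sample messages are constructed for the example; the one standard piece is the Luhn check, which is how a DLP rule tells a genuine payment card number from a random run of digits.

```python
"""Added example (not from the post): a small rule-based outbound DLP check of the
kind the text describes. The policy, the personal-webmail list and the sample
messages are constructed for this example; the only standard piece is the Luhn
check used to tell a real card number from a random run of digits."""
import re

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed policy: destinations the organisation treats as personal webmail.
PERSONAL_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
CLASSIFICATION_MARKER = "CONFIDENTIAL"


def luhn_ok(digits):
    """Luhn mod-10 check; payment card numbers always pass it, random digits rarely do."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep BIN and last four so the DLP log itself does not leak the full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Card numbers in the text that pass Luhn, returned masked."""
    found = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_ok(digits):
            found.append(mask(digits))
    return found


def scan_message(body, recipient_domain):
    """Apply the policy: returns (verdict, findings). Verdict is 'block', 'monitor' or 'allow'."""
    findings = [("PAN", pan) for pan in find_pans(body)]
    marked = CLASSIFICATION_MARKER in body.upper()
    if marked:
        findings.append(("MARKER", CLASSIFICATION_MARKER))

    # Rule order matters: the most restrictive rule that matches decides.
    if any(kind == "PAN" for kind, _ in findings):
        return "block", findings            # card data never leaves by email
    if marked and recipient_domain in PERSONAL_WEBMAIL:
        return "block", findings            # classified content to a personal account
    if marked:
        return "monitor", findings          # classified content to a business domain: log it
    return "allow", findings


if __name__ == "__main__":
    # Constructed sample messages.
    print(scan_message("Please charge card 4111 1111 1111 1111 today", "gmail.com"))
    print(scan_message("Order ref 1234567890123456 has shipped", "example.org"))
    print(scan_message("CONFIDENTIAL: Q3 plan attached", "partner.example"))
```

The second sample shows why the Luhn check matters: a sixteen-digit order reference looks exactly like a card number to a regex, and without the checksum every invoice would be blocked. The masking in the findings is deliberate; a DLP console that displays full card numbers is itself a data store that has to be protected.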


There are also legitimate cases where removable storage must be used, such as in defence environments or air-gapped networks. In those situations, tightly managed and trackable USB devices are used, with clear chain-of-custody between people and organisations.


Endpoints now go far beyond PCs and laptops. Mobile phones and tablets are critical endpoints in their own right. Two main categories of mobile security tools are highlighted:


  • Mobile device management, which controls device settings, installed applications and how the phone or tablet behaves

  • Mobile application management, which puts controls around specific apps such as Outlook, Teams, Slack or Google Workspace


The aim is to let people communicate and collaborate, while preventing company data, documents or screenshots being stored locally in an uncontrolled way or shared via personal apps like Gmail.


From a procurement point of view, endpoint security means considering the whole estate – desktops, laptops, mobiles, tablets and even operational technology – and understanding what tools are needed where.


Identity and access management and privileged access


Identity and access management is about making sure the person accessing a system is who they claim to be, and that they have the right level of access.


Active Directory, which arrived with Windows 2000, became the central directory for users, computers and other devices and made it practical to run a single directory service across an organisation. However, in large organisations, particularly those that have grown through mergers and acquisitions, it is common to see dozens of separate Active Directory forests and domains, because different divisions wanted to control their own.


As software as a service has grown, single sign-on has become an important tool in identity management. Rather than creating a new username and password for every SaaS application, the user authenticates once to a central identity provider (the same one that signs them into their work laptop), and each application trusts a signed assertion or token from that provider, typically over SAML or OpenID Connect, instead of holding its own copy of the password.

This:


  • Reduces friction for users juggling multiple tools

  • Avoids unmanaged local accounts in SaaS platforms

  • Improves attribution, because activity can be traced back to a known identity


Multifactor authentication adds further proof. RSA SecurID hardware tokens on keyrings still exist in some places, but most organisations now use phone-based apps such as Okta Verify, which generate time-based one-time codes or send a push prompt to the enrolled device. These apps can also capture extra signals, such as device ID, GPS location or a biometric unlock such as Face ID, which makes it much more likely that the right person is logging in.


This is important because internet traffic from home workers can appear to come from many different locations, depending on how internet service providers route connections. External IP addresses alone are no longer a reliable identity signal.
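The one-time codes those authenticator apps produce come from a published algorithm. As an added example that is not from the post, this is TOTP (RFC 6238, built on HOTP from RFC 4226) with a server-side verifier that tolerates one step of clock drift and refuses to accept the same code twice; the shared secret is the RFC 6238 test seed, not a real credential, and the tolerance window and replay guard are this example's design choices.

```python
"""Added example (not from the post): the time-based one-time password algorithm
(RFC 6238, built on HOTP from RFC 4226) that authenticator apps implement, with
a verifier that tolerates one step of clock drift and refuses to accept a code
twice. The shared secret below is the RFC 6238 test seed, not a real credential."""
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector seed (ASCII "12345678901234567890"); a real enrolment uses random bytes.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HOTP: HMAC over the 8-byte big-endian counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time=None, step=30, digits=6):
    """TOTP: HOTP with the counter derived from the clock (30-second steps by default)."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time) // step, digits)


def verify(secret, code, at_time, last_used=-1, window=1, step=30):
    """Check a submitted code. Returns the matching counter, or None.

    - window: accept +/- this many steps so a phone whose clock drifts still works
    - last_used: the highest counter already accepted for this user; anything at or
      below it is rejected, so a code captured by an attacker cannot be replayed
    - hmac.compare_digest keeps the comparison constant-time
    """
    counter = int(at_time) // step
    for k in range(-window, window + 1):
        candidate = counter + k
        if candidate <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, candidate, len(code)), code):
            return candidate
    return None


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)
    print("current code:", code)
    accepted = verify(DEMO_SECRET, code, now)
    print("accepted at counter:", accepted)
    # The caller stores `accepted` as last_used, so the same code is refused a second time.
    print("replay accepted:", verify(DEMO_SECRET, code, now, last_used=accepted))
```

The point for a buyer is that the phone app is only half of the control: the server must store the seed securely, keep its clock right, and record the last counter it accepted, otherwise an intercepted code remains valid for the whole 30-second step.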


Privileged access management is another key part of identity and access. In the past, administrators often had always-on, high-privilege accounts that could reach everything all the time. In sensitive or highly regulated industries, that approach is no longer acceptable.


Privileged access management tools such as CyberArk, BeyondTrust or Delinea:


  • Allow temporary elevation of access to make a specific change

  • Drop privileges back to normal when the session ends

  • Support “four eyes” control, where a second person observes a sensitive change and can pause access


This is especially relevant for highly sensitive systems, such as monitoring platforms for critical national infrastructure.
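The three controls listed above can be written down as a small state machine. The following is an added example, not from the post and not the code of any PAM product: an in-memory broker that grants time-boxed elevation only after approval by a second person, refuses privileged actions outside the window or after revocation, and keeps an audit trail. Names, systems and the four-hour ceiling are constructed for the example; a real product backs this with a credential vault, session recording and directory integration.

```python
"""Added example (not from the post): the control logic behind just-in-time
privileged access with four-eyes approval, written as a small in-memory broker.
Grant ids, names and systems are constructed; a real PAM product would back this
with a vault, session recording and directory integration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Elevation:
    requester: str
    target: str
    reason: str
    ttl_seconds: int
    approver: Optional[str] = None
    granted_at: Optional[float] = None
    revoked_by: Optional[str] = None
    audit: list = field(default_factory=list)


class PamBroker:
    MAX_TTL = 4 * 3600          # no standing grants; the longest possible session is four hours

    def __init__(self):
        self._grants = {}

    def request(self, grant_id, requester, target, reason, ttl_seconds, now):
        if not reason.strip():
            raise ValueError("a change reason is mandatory")
        if not 0 < ttl_seconds <= self.MAX_TTL:
            raise ValueError("ttl must be between 1 second and MAX_TTL")
        grant = Elevation(requester, target, reason, ttl_seconds)
        grant.audit.append((now, "requested", requester))
        self._grants[grant_id] = grant
        return grant

    def can_approve(self, grant_id, approver):
        """Four-eyes: the approver must be a different person, and only one approval counts."""
        grant = self._grants[grant_id]
        return approver != grant.requester and grant.approver is None

    def approve(self, grant_id, approver, now):
        if not self.can_approve(grant_id, approver):
            raise PermissionError("four-eyes rule: a different person must approve, once")
        grant = self._grants[grant_id]
        grant.approver = approver
        grant.granted_at = now
        grant.audit.append((now, "approved", approver))

    def revoke(self, grant_id, by, now):
        """The observer (or anyone with the authority) can pause the session at once."""
        grant = self._grants[grant_id]
        grant.revoked_by = by
        grant.audit.append((now, "revoked", by))

    def is_active(self, grant_id, now):
        """Privilege exists only inside the approved window and drops automatically at expiry."""
        grant = self._grants[grant_id]
        if grant.granted_at is None or grant.revoked_by is not None:
            return False
        return now < grant.granted_at + grant.ttl_seconds

    def authorise(self, grant_id, user, target, now):
        """The check a jump host or command proxy runs before each privileged action."""
        grant = self._grants[grant_id]
        ok = grant.requester == user and grant.target == target and self.is_active(grant_id, now)
        grant.audit.append((now, "authorised" if ok else "refused", user))
        return ok


if __name__ == "__main__":
    broker = PamBroker()
    broker.request("g1", "alice", "cni-monitor", "apply collector patch", 900, now=0)
    print("self-approval allowed:", broker.can_approve("g1", "alice"))   # False
    broker.approve("g1", "bob", now=100)
    print("allowed during window:", broker.authorise("g1", "alice", "cni-monitor", now=500))
    print("allowed after expiry:", broker.authorise("g1", "alice", "cni-monitor", now=1200))
    for entry in broker._grants["g1"].audit:
        print(entry)
```

Two details carry most of the security value: privilege is a function of the clock, so nothing has to remember to take it away, and the same grant cannot be reused against a different target system.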


Data security, GDPR and ownership


Data security is becoming more important as regulations tighten and organisations hold more personal and sensitive information.


Encryption and data loss prevention are part of the picture, but GDPR adds further responsibilities. The regulation replaced the patchwork of national laws that implemented the 1995 Data Protection Directive with a single framework that applies directly across the EU, and it defines clear roles: the data controller, which decides why and how personal data is processed; the data processor, which handles it on the controller’s behalf; and the data protection officer. “Data owner” is not a GDPR term but an internal governance role that organisations use to make a named person accountable for a given dataset.


If nobody explicitly owns a dataset, the default position is often that the managing director is the de facto data owner for any data handled by that business unit.


Tools such as Varonis can help identify likely data owners by analysing who modifies documents most frequently. It is not an exact science, but it gives the data protection officer a shortlist of people to speak to when clarifying who is responsible for what.


For broader GDPR compliance, particularly around subject access requests and deletion requests, tools like those provided by OneTrust support the workflows. For example, if someone contacts an organisation saying “I believe you hold data about me”, the organisation has a set time window to respond, normally one month under GDPR (extendable in complex cases), and, where the request is valid, to delete the data.


From an IT procurement perspective, data security tools raise questions such as:


  • How many people need access to each tool

  • Whether licensing is based on users, functions or volume of data

  • How tools support different roles, from legal through to operations


These choices significantly affect both cost and fit.


Cloud security and vulnerability databases


Cloud security is described as one of the most complex and fast-moving categories. In this discussion it is framed mainly as vulnerability management for cloud-hosted systems: finding and fixing weaknesses that arise from missing patches or from misconfigurations, such as storage, identities or network rules left more open than intended.

Each publicly known vulnerability is given a CVE identifier; CVE stands for Common Vulnerabilities and Exposures. The CVE record itself is a short description with references. Databases built on top of it, such as the US National Vulnerability Database, add a CVSS severity score, what the weakness affects (confidentiality, integrity, availability), how hard it is to exploit, and whether an exploit is already public or being used in the wild.


Historically, the main CVE database has been managed in the United States: the CVE programme is run by MITRE with US government funding, and NIST maintains the National Vulnerability Database. The conversation notes a recent turning point: in May 2025 ENISA’s European Union Vulnerability Database (EUVD) went live, giving organisations in Europe another authoritative source of vulnerability information to draw on.


For organisations buying cloud security tools as part of technology procurement, the key is to understand how those tools identify vulnerabilities, how they use CVE data, and how they help teams assess risk and prioritise action.


What IT procurement teams should focus on


Across all five categories – network, endpoint, identity, data and cloud – a recurring theme is the importance of understanding terminology and being comfortable asking questions. Cyber security is full of acronyms, and it is easy for sales conversations to become opaque.


Procurement teams need advisers who are willing to demystify the language, explain how tools work together and give clear, practical answers rather than hiding behind jargon.


For organisations that want to make better cyber security decisions as part of their technology procurement, get in touch.



