There is a tendency to use the terms Cybersecurity (CS) and Information Security (IS) interchangeably. Even though the underlying principle is similar, there are differences between them that should be clear and understood.
Cybersecurity and Information Security are closely linked but are not synonymous. Let’s examine first what information security and cybersecurity are.
What is information security?
Also known as “InfoSec”, information security refers to the procedures and practices that organizations employ to protect their data.
NIST defines information security as “the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.“
Information Security Objectives
Information security covers three objectives: confidentiality, integrity, and availability commonly known as CIA.
Information, especially sensitive information such as personal data, has to be kept confidential and safe from unauthorized access.
The “integrity” objective is to ensure that information is stored and transmitted without unauthorized alteration.
Lastly, the “availability” objective is to ensure that information shall be available anytime needed by authorized personnel.
Information Security Controls
Information security controls are safeguards to avoid, detect, deter and minimize security risks to physical property, and organizational assets, either physical or digital (e.g. computer systems and networks).
Security Control Types and Functions
Classification of IS Controls can be made by type and by function.
Controls can belong to different types of control functions. For example, a CCTV security system can be preventive, since a person may hesitate to try and break into a building, but it can also be a detective since you can review the footage of the CCTV and find out if and how an incident has occurred.
These controls and their respective functions, help organizations ensure the confidentiality, integrity, and availability of information.
What is Cybersecurity?
Cybersecurity refers to all actions to be taken by an organization to defend computers, servers, mobile devices, networks, and data from malicious attacks.
Some of the areas Cybersecurity focuses on are:
- network security
- endpoint security
- application security
- cloud security
Cybersecurity deals with the digital realm and the ways to defend against cyber attacks. In a widely and deeply interconnected world where cyber-attacks are constantly increasing, the term “cybersecurity” has become more famous and typically used in relation to the protection of information.
The differences between Information Security and Cybersecurity
Cybersecurity is mostly technical in nature
There are areas where Information Security and Cybersecurity surely overlap with each other, but information security has a more holistic approach to the protection of information.
When designing a secure network, for example, you will need to select technical, administrative, and physical controls.
You will place firewalls and IPSs, web application firewalls, and antivirus software as technical security controls.
As administrative security controls, you will surely, or hopefully, establish policies and procedures on who can make changes. And for physical controls, you will place valuable assets behind locked doors, with alarm systems and CCTV installed.
You see that the technical controls will overlap with the controls Cybersecurity will be involved with, but not with the administrative or physical aspect of the security controls.
Information Security encompasses governance and compliance
Without security governance, a security program will only be as good as the skills, experience, and knowledge of the people dealing only with technical security controls.
Security governance needs organizational structure, roles and responsibilities, metrics, processes, and oversight, as it specifically impacts the security program. It needs a combined set of tools, personnel, and processes that provide for formalized risk management.
Cybersecurity does not focus on these requirements that make a security program operational, efficient, measurable, and capable to provide information for formally measuring risk.
Information security has a better understanding of measuring risk
Understanding the value of information is vital both for information security and cybersecurity functions.
Not all information is created equal.
The protection of information must be prioritized according to its value to the organization.
There is no point in utilizing human resources and money to protect information that, if lost or stolen, will have no impact on the organization. Infosec professionals have an understanding of how to prioritize the protection of information. They will assess its importance and design a strategy for its protection.
So, is there a difference between cybersecurity and information security?
The answer is a bold YES.
Just like physical security for information assets is a subset of information security, the same can be said for cybersecurity.
Information security is the “umbrella” which cybersecurity resides under. When implementing a defense-in-depth approach to the protection of your information assets, information security encompasses all the efforts needed including cybersecurity-related ones.
You are not installing firewalls, EDRs, WAFs, etc. just for the sake of it.
You are doing so as part of a larger strategic Information Security plan the organization commits to, and cybersecurity is only a part of it.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.