When combined cyber security and information security help provide organisations with a modern day approach to building a strong security posture. The two security practices also help develop the organisation’s security resilience.
Both cyber security and information security are two critical areas of assurance that affect the entire organisation, and they can be complicated to manage. However, before creating a security program, it is important first to understand the difference between the security terms, and most importantly how they can work together.
Cyber security and information security are often linked synonymously. However, there are some crucial distinctions between the two areas of security which are key to understand.
In this article, we are going to look at the difference between cyber security and information security, and reveal the value that both security areas can add to your organisation’s protection.
What is cyber security?
There are hundreds of definitions available for cyber security.
The National Institute of Standard and Technology (NIST) states that cyber security constitutes:
“The ability to protect or defend the use of cyberspace from cyber-attacks”. NIST
A subsection of information security, cyber security practices the role of defending your organisation’s networks, computers and data from unauthorised digital access, attack or damage by executing security processes, technologies and procedures.
The key term is digital. Cyber security relates to the protection of critical data that is digital or electronic.
A vital part of cyber security comes from determining three key questions:
- What represents your organisation's critical data?
- Where is the data stored?
- What security do you have in place to protect it?
What is information security?
ISACA (formerly known as the Information Systems Audit and Control Association) state that information security "Ensures that only authorised users (confidentiality) have access to accurate and complete information (integrity) when required (availability).”
Information security (InfoSec or IS) protects both physical and digital data. Its essential tasks are to prevent:
- Unauthorised access
In contrast to cybersecurity, InfoSec aims to defend data in any form, while cybersecurity is only concerned with electronically held data.
The main areas of storing data include servers, desktops, laptops, or the internet. However, in particular, business sectors or situations, critical data resides in physical form.
Often referred to InfoSec is as another way of alluding to data security. Before embarking on a new security program, look at your information security as it is the bedrock of data security.
IS specialists are focused on CIA (the confidentiality, integrity and availability) of data.
What is the CIA Triad?
Information security professionals use the CIA (confidentiality, integrity and availability) triad as a guide for creating and developing security policies and procedures.
There are three key elements of the CIA triad:
- Through confidentiality, information is inaccessible to unauthorised personnel
- Encryption is the preferred method of enforcement
- Safeguards both information and systems from modification
- Maintains data accuracy and fidelity
- Guarantees the safe access of authorised people at all times
- Maintainance of hardware and software
As the industry standard example for keeping your organisation secure and protected, the CIA triad ensures through its three fundamental principles that your data is confidential, maintains its integrity and remains available at all times.
However, maintaining the integrity of the critical data through the CIA model has its challenges as highlighted in the 2016 US Elections.
Summarised differences between cyber security and information security
Protects data and information stored digitally
Safeguards information assets that are both digital and physical
Protects anything in cyberspace from unauthorised electronic access
Focuses on the confidentiality, integrity and availability of data or the CIA triad model
Manages impending Advanced Persistent Threats (APTs)
InfoSec is the foundation of data security
Concerned with cyber threats alike phishing, baiting or data breaches
Deals with a multitude of risks and ensure use of the correct security practices
Separate security policies become regulation
It is critical for large organisations such as financial institutions and banks to understand and uphold the differences between cyber security and information security because they have a regulatory duty to do so.
Financial regulatory associations like the Monetary Authority of Singapore have asked banks to devise individual cyber security and IS policies.
Culture, politics and audience can denote security meaning
Despite the synonymous linkage between cyber security and information security used by many across the world. There are distinct cultural and political usages of the terms in different countries. For example, in American, there is a general use of the term ‘cyber security’. However, in Russia, they prefer to say ‘information security’ generally.
The worldwide Google search volume for the term ‘information security’ has been historically higher than cyber security. However, in 2018 each term is deriving similar search volumes.
Moreover, the search volume in Google is greater for the phrase ‘cyber security’ as two words compared to ‘cybersecurity’ typed as one word.
Google search volumes do show a positive trend for both. It would be interesting to compare the results in a years time to see if the words show any decline in popularity by country, term, spelling, business sector and or general usage.
Security professionals also utilise the terms interchangeably depending on their audience. For example, in an article for NovaInfosec one security expert writes “…[for the] government world as well as those not familiar with our field, cybersecurity is my go-to term. When chatting about it amongst my peers, infosec it is.”
Identifying mission-critical data
Mission critical systems and data are both fundamental to the existence of a company.
If a mission-critical system fails or is disrupted, the organisation's operations are notably impacted.
If criminals steal mission-critical data, the organisation could face a fine and or be held to ransom.
Either way, unprotected critical data and information are the lifeblood of an organisation, and if a breach is suffered, then the impact could be financial, legal, reputational as well as the threat of damages or penalties.
Four steps to follow1. Map the data
- Examine the data handled in the company
- Determine who trades confidential information in the business
- What commitments does your company have to safeguard information?
- What would happen if the information was leaked?
- How significant is the information you hold?
- Measure the security level
- Determine the protection levels of information corresponding with the importance to the business
- Share best security practice and policy with all staff
The identification of critical information is the beginning of the planning process for information security.
Why do cyber-security experts need to work closely with information security staff?
In the past ten years, cybersecurity and information security have blended and developed from the once siloed positions.
Today, it is more common for an organisation to have cyber security personnel than IS professionals in the team of staff, and this has led to the expansion of the cyber security role.
In an organisation where dedicated security resources reside in separate teams, it is vital that both parties work together to create a data protection agenda.
The IS team are committed to the protection of data, while the cybersecurity team develop the protocol for data protection.
Traditionally the remit of the cyber professional did not include data evaluation but covered technology, firewalls, and the intrusion protection systems (IPS). However, as cyber security becomes increasingly important to the organisation, the role of cybersecurity experts is evolving so they can adequately protect data.
With the ever-present threat of cybercrime, business stakeholders are becoming increasingly aware of the importance of this topic. Stakeholders such as investors are now questioning the effectiveness of organisations in securing its critical data and managing risk in both cyber and physical forms. For they know that a security breach can damage the reputation of even the most well-regarded business.
“The Greatest Harm a Cyber-Attacker Can Cause—Loss of Customers’ Trust” VMWare
In summary, while sometimes cybersecurity can be viewed as a subset of information security, ultimately both focus on the protection of business-critical data and information.
Through the evolution of technology and the development of security threats, it is easy to understand why many people discuss cyber security and information security interchangeably.
Moreover, it is easy to see how the challenges that information security and cyber security face are profoundly linked.