Author: Gary Hibberd
Date: 5 August 2020
When you think about Information Security, it’s easy to fall into the trap of thinking that it’s all about digital information. I think this is because we use the term interchangeably with Cybersecurity, but they are not the same thing.
Cybersecurity Vs Information Security
Information security is a broad term related to the practices and processes in place to protect information in all its forms. The term generally refers to the Confidentiality, Integrity and Availability (CIA) of information.
Cybersecurity is the state of being protected against the criminal or unauthorised use of electronic data, or the measures taken to achieve this.
It’s understandable that in a world which is increasingly reliant on technology and digital data, there is a keen focus on Cybersecurity. But Information Security has been with us a lot longer than Cybersecurity, and while both are important, I believe it is our intense focus on, and misunderstanding of, Cybersecurity which has led to the current increase in Cybercrime and Data breaches.
Human Vs Technology
Cybersecurity focuses on the practices and processes involved in handling digital Data. But for many outside of the Cybersecurity profession, this means focusing purely on the technology itself, forgetting that good Cybersecurity focuses on the practices and processes too.
For example, when asking people about the protection of their Data, the response I often receive is “We have installed a Firewall” or “The Data is in the Cloud” and, my personal favourite, “It’s the IT guy’s job to sort it.”
Of course, expecting the ‘IT guy’ to sort our Cybersecurity is like expecting a car mechanic to ensure we have no road accidents.
Technology can only do so much, and take us so far. While Cybersecurity professionals may recognise the human impact on the ability to protect digitised information, Boards and business leaders have an increased sense of security that may be misplaced.
It’s no good upgrading your technical Firewall if you forget about the Human Firewall.
Information Security – Let’s get physical
As an example of how broad Information Security is, we need only look at the International Standard for Information Security Management, ISO 27001. This standard is seen globally as the de facto standard for applying a broad, best-practice approach to Information Security.
Some would argue the merits of other standards and security frameworks, such as PCI DSS, NIST, SANS, SOC 2, Cyber Essentials etc., but few would deny that ISO 27001 is a fully rounded and comprehensive security standard. Of course, any of these standards applied to an organisation will significantly improve Information Security in one way or another, and some organisations have used combinations of these to enhance security. But ISO 27001 was the foundation upon which others were then added.
ISO 27001 includes a comprehensive set of controls, known as ‘Annex A’, which includes the following sections, requiring various levels of evidence and structure on a range of topics.
Information Security Policies
- A set of policies which have been documented, signed off and communicated to the organisation.
- Outlined roles and responsibilities, identification of ‘special interest groups’, and segregation of duties.
HR & Personnel
- Processes for onboarding people, training and awareness, and dealing with movements within the organisation.
- Identification of key information and physical assets.
- Both physical and technical access controls are required to be defined.
- How cryptographic controls are implemented and managed.
Physical & Environmental
- The physical controls in place to protect Data, including the environmental controls.
- Defining how operations are managed: capacity management, change management, patch management and separation of technical environments.
- Detailing how network security and Data transfers occur.
Systems Acquisition, Development & Maintenance
- Ensuring that information security is designed and implemented within the development lifecycle.
- Ensuring the organisation’s suppliers are managed effectively.
- Ensuring there are plans in place to respond to Data breaches and incidents.
- Processes to ensure that Information Security is considered in relation to any Business Continuity plans and procedures in place.
- Practices and processes to ensure your organisation has considered legal aspects, like IP, copyright and encryption.
Having looked through the above list of controls, you’ll see that not everything is focused on IT or digitised data. Of course IT plays a big part in this, and is a key consideration, but it is not the only thing to consider.
It’s understandable for the layperson to think of Cybersecurity as a purely IT or digitised-data topic. I know some Cybersecurity professionals who believe it is too. But if we focus too heavily on the technology, we risk losing sight of what we’re trying to do. Again, it’s like focusing on the car to improve overall road safety.
I prefer the term Information Security, and even better, the term Information Governance. Information Governance is the overall strategy for managing information in an organisation, and therefore covers Confidentiality, Integrity and Availability, without focusing too narrowly on the word ‘security’.
Perhaps that’s a step too far. So, for now, let’s all recognise that Cybersecurity and Information Security are essentially the same thing, but they approach the need to protect Data from different directions.
At least… that’s what I think.