Are Cybersecurity and Information Security the same thing

Author: Gary Hibberd

Date: 5 August 2020

 

When you think about Information Security, it’s easy to fall into the trap of thinking that it’s all about digital information. I think this is because we use the term interchangeably with Cybersecurity, but they are not the same thing.

 

Cybersecurity Vs Information Security

Information security is a broad term related to the practices and processes in place to protect information in all its forms. The term generally refers to the Confidentiality, Integrity and Availability (CIA) of information.

Cybersecurity is the state of being protected against the criminal or unauthorised use of electronic data, or the measures taken to achieve this.

It’s understandable that in a world which is increasingly reliant on technology and digital data that there is a keen focus on Cybersecurity. But Information Security has been with us a lot longer than Cybersecurity, and while both are important, I believe it is our intense focus on, and misunderstanding of Cybersecurity which has led to the current increase in Cybercrime and Data breaches.

 

Human Vs Technology

Cybersecurity focuses on the practices and processes involved in handling digital Data. But for many outside of the Cybersecurity profession, this means focusing purely on the technology itself. Forgetting that good Cybersecurity focuses on the practices and processes too.

For example, when asking people about the protection of their Data, the response I often receive is “We have installed a Firewall” or “The Data is in the Cloud” and my personal favourite; “It’s the IT guys job to sort it.”

Of course expecting the ‘IT guy’ to sort our Cybersecurity is like expecting a car mechanic to ensure we have no road accidents.

Technology can only do so much, and take us so far. While Cybersecurity professionals may recognise the human impact on the ability to protect digitised information, Boards and business leaders have an increased sense of security, that may be misplaced.

It’s no good upgrading your technical Firewall if you forget about the Human Firewall.

 

Information Security – Let’s get physical

As an example of how broad Information Security is, we need only look at the International Standard for Information Security Management; ISO 27001. This standard is seen globally as the defacto standard for applying abroad, and best practice approach to Information Security.

Some would argue the merits for other standards and security frameworks, such as PCI DSS, NIST, SANS, SOC2, Cyber Essentials etc, but few would deny that ISO 27001 is a fully rounded and comprehensive security standard. Of course any of these standards applied to an organisation will significantly improve Information Security, in one-way-or-another, and some organisations have used combinations of these to enhance security. But ISO 27001 was the foundation upon which others were then added.

ISO 27001 includes a comprehensive set of controls, known as ‘Annex A’, which includes the following sections, requiring various levels of evidence and structure on a range of topics.

 

Information Security Policies

A set of policies which have been documented, signed off and communicated to the organisation

 

Organisational Security

Outlined roles and responsibilities, identification of ‘special interest groups’, and segregation of duties.

 

HR & Personnel

Processes for onboarding people, training and awareness, and dealing with movements within the organisation.

 

Asset Management

Identification of key information and physical assets

 

Access Control

Both physical and technical access controls are required to be defined

 

Cryptography

How cryptographic controls are implemented and managed

 

Physical & Environmental

The physical controls in place to protect Data, including the environmental controls.

 

Operations Security

Defining how operations are managed; Capacity management, change management, patch management and separation of technical environments.

 

Communications Security

Detailing how network security and Data transfers occur

 

Systems Acquisition, envelopment & Maintenance

Ensuring that information security is designed and implemented within the development lifecycle.

 

Supplier Relationships

To ensure the organisation’s suppliers are managed effectively

 

Incident Management

Ensuring there are plans in place to respond to Data breaches and incidents.

 

Business Continuity

Processes to ensure that Information security is considered in relation to any Business Continuity plans and procedures in place

 

Compliance

Practices and processes to ensure your organisation has considered legal aspects, like IP, copyright and encryption.

 

Having looked through the above let of controls, you’ll see that not everything is focused on IT, or digitised data. Of course IT plays a big part in this, and is a key consideration but it is not the only thing to consider.

 

Conclusion

It’s understandable for the layperson to think of Cybersecurity as a pure IT or digitised data, topic. I know some Cybersecurity professionals who believe it is too. But if we focus too heavily on the technology, we risk losing sight of what we’re trying to do. Again, it’s like focusing on the car, to improve overall road safety.

I prefer the term Information Security, and even better, the term Information Governance. Information Governance is the overall strategy for managing information in an organisation, and therefore covers Confidentiality, Integrity and Availability, without focusing too narrowly on the word ‘security’. 

Perhaps that’s a step too far.  So, for now, let’s all recognise that Cybersecurity and Information Security are essentially the same things, but they approach the need to protect Data, from different directions.

At least.. that’s what I think.