Information security vs cyber security: distinguishing the expertise

David Steele, managing director and principal security consultant at SecuriCentrix, identifies the differences of information security vs cyber security

The terms ‘information security’ (often shortened to infosec) and ‘cyber security’ are often used interchangeably, but they should be viewed as distinct areas of expertise within organisations.

The overarching field is really information security, which covers all information, be it physical or electronic. Cyber security, meanwhile, is a sub-speciality dealing specifically with the access and protection of electronic data.

What is information security?

When we think of data in this age of tech, we generally think of electronic information. But valuable information still exists in the physical realm — on paper and in files, locked in warehouses, or on removable disks, for example.

Information security looks chiefly at protecting the integrity of information — all information, be it physical or in the form of bits and bytes in a database. Its focus is on guarding the integrity, confidentiality, and availability of data, including securing the physical environment where information is held.

The NIST defines information security as: “The protection of information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability”.

A good information security strategy should include a range of controls, covering procedure, access and controls embedded within technology.

Procedural controls help detect and prevent security risks within the physical environment, such as filing cabinets, access to data centres, and computer systems. This might stretch to awareness-building and education building on issues such as compliance and response plans.

Access controls determine who is allowed access to what data. These might refer to both physical as well as virtual access.

Technical controls include tools like multi-factor authentication for users, firewalls, and antivirus software.

What is cyber security?

The NIST’s definition of cyber security can be broken into a single nugget: “The ability to protect or defend the use of cyberspace from cyber attacks”.

But if you’re in the mood for the full definition, here it is too: “The prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.”

While it’s considered just one area of information security, cyber security has become the most important: as the value of data increases, so does its desirability.

It’s no secret that criminal activity around data theft is on the rise, with attacks ranging from aggressive hacking into systems, to the more subversive, luring people in using emotional techniques to access data or dumping malicious software onto devices, and nicking data.

Cyber security also refers to information that originates as digital files, making it distinctly different from information security. Cyber security refers to the protection of digital information, systems, and networks.

Cyber security is about ensuring that all data in cyberspace is kept safe. A solid cyber security strategy will look at network security; application security; cloud security; as well as critical security infrastructure.

  • Network security aims to protect the network from unauthorised access, possible interference, or interruption of service.
  • Application security is about protecting and fixing the app to ensure neither code nor data is breached or robbed.
  • Cloud security refers to policies, controls, and technologies to protect the virtualised IP, data, services and cloud-based infrastructure.
  • The critical infrastructure around cyber security has to do with systems like virus scanners, intrusion prevention software, anti-malware, and so on.

Common ground

The protection of confidentiality and integrity, and the provision of availability is an area of cross-over for infosec and cyber security.

Integrity refers to the protection of data modification or destruction and ensuring information nonrepudiation and authenticity over its lifecycle. Confidentiality is about safeguarding the personal privacy aspect of data, maintaining restrictions on access and disclosure. Ensuring availability means that data can be accessed in a timely and reliable manner, for its intended use.

Both areas take the physical security of assets into account. The concern with physical access to data assets or paper-based information is a generally relevant security matter. With electronic data, the tools to control access are perhaps more sophisticated than a padlock, but physical access to the technology needs to be controlled too.

Although all data is considered to be a highly valuable resource, there is a hierarchy of more and less valuable information in organisations. The concern for both infosec and cyber security areas of expertise, focuses on the protection of information that is shared.

But for those who work in information security, the main concern is to shield company data from any sort of unauthorised access. For the cyber security specialists though, the aim is to protect particularly sensitive data from unauthorised electronic access. Data is prioritised, and cyber security experts will determine how best to protect what is most important.

This plays into the cyber risk management strategy that organisations develop to protect and monitor data activity, the design of which must involve both areas.

Written by David Steele, managing director and principal security consultant at SecuriCentrix

Related:

Overcoming the biggest cyber security staff challenges — Andrew Rose, resident CISO EMEA at Proofpoint, discusses the biggest cyber security staff challenges facing organisations, and how to overcome them.

How to boost internal cyber security training — This article will explore how organisations can boost their cyber security training initiatives to ensure staff are sufficiently equipped with the right skills.

Editor's Choice

Editor's Choice consists of the best articles written by third parties and selected by our editors. You can contact us at timothy.adler at stubbenedge.com