Information Security vs Cybersecurity
The terms Information Security and Cybersecurity appear in the media daily, and when words such as attack, threat and breach are thrown into the mix it can all be a little overwhelming. Organisations and individuals are increasingly concerned about the threats, but the questions remain: “what are the risks to me, what matters most and where do I start?”
In this post we’ll provide a run-down of both terms and cut through the jargon to provide clarity on what’s important and where to start.
What is Information Security?
Information Security, or InfoSec, is concerned with information. The term information pre-dates the information technology industry by centuries, first appearing sometime around the 14th century. The Oxford dictionary defines information as “facts provided or learned about something or someone”. Information can exist in many forms from physical paper copies to records on a computer system.
The primary focus of Information Security is people and the way they operate. Information Security is concerned with the protection of information regardless of the technology used to store, access or modify it. Protecting the information involves preventing a wide range of scenarios, including unauthorised access, corruption, deletion and disclosure.
A strong security culture is the single most important capability you can have to protect information, data and personal privacy. Education is part of developing an organisational security culture, and an education program built on an understanding of the needs of people, the business and the information is the best place to start.
Protection of Information is achieved through a collaborative risk management approach which balances protection of:
- Confidentiality – Requirements related to the privacy and secrecy of information: only authorised people and systems can see it
- Integrity – The accuracy and consistency of information, free from unauthorised or accidental modification
- Availability – Information being accessible to authorised users when, where and how it is needed
The combination of these three areas is often referred to as the CIA rating (or CIA triad). It is common practice to assign a CIA rating to information and use this as the basis for determining the inherent risk level in the context of potential threats, vulnerabilities and impacts. From here, risks can be identified, risk mitigation approaches can be developed and a plan of action – where required – can be commenced. Business leaders who are responsible for the services and related information are best placed to determine the CIA rating and help prioritise any measures taken to protect information.
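To make the CIA-rating-to-risk step concrete, the following is an added worked example (not code from the original post or from Mantel Group). It assigns each asset a C, I and A rating, scores every asset/threat pair as impact × likelihood × vulnerability to obtain an inherent risk, ranks the register so the business owner can prioritise, and shows how a technical control lowers the score by reducing exposure. The 1–3 scales, the action threshold, and the asset and threat names are all constructed assumptions.

```python
"""Risk prioritisation from CIA ratings.

Added illustration only; not code from the original post or from
Mantel Group. The 1-3 rating scales, the asset and threat names and
the action threshold below are constructed assumptions.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    """An information asset with a CIA rating on a 1 (low) to 3 (high) scale."""
    name: str
    c: int  # confidentiality
    i: int  # integrity
    a: int  # availability

    def cia_rating(self) -> str:
        """Render the rating in the short form used by many risk registers."""
        return f"C{self.c} I{self.i} A{self.a}"

    def impact(self, prop: str) -> int:
        """Impact if the named property ('C', 'I' or 'A') is compromised."""
        return {"C": self.c, "I": self.i, "A": self.a}[prop]


@dataclass(frozen=True)
class Threat:
    """A threat scenario against one CIA property of an asset."""
    name: str
    prop: str           # 'C', 'I' or 'A': which property the threat affects
    likelihood: int     # 1..3: how likely the threat is to be realised
    vulnerability: int  # 1..3: how exposed the asset currently is


def inherent_risk(asset: Asset, threat: Threat) -> int:
    """Impact (from the CIA rating) x likelihood x vulnerability, before
    any controls are applied. Range is 1..27 with the assumed 1-3 scales."""
    return asset.impact(threat.prop) * threat.likelihood * threat.vulnerability


ACTION_THRESHOLD = 9  # assumed: scores at or above this need a plan of action


def risk_register(assets: List[Asset], threats: List[Threat]) -> List[Tuple[str, str, int]]:
    """Score every asset/threat pair and return (asset, threat, score)
    rows, highest risk first, so the business owner can prioritise."""
    rows = [(a.name, t.name, inherent_risk(a, t)) for a in assets for t in threats]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def needs_action(register: List[Tuple[str, str, int]]) -> List[Tuple[str, str, int]]:
    """Rows that cross the threshold and therefore need a plan of action."""
    return [r for r in register if r[2] >= ACTION_THRESHOLD]


def mitigate(threat: Threat, reduction: int) -> Threat:
    """Model a technical control that reduces exposure (vulnerability) by
    `reduction` levels, floored at 1. Impact comes from the CIA rating and
    likelihood from the threat actor, so neither changes here."""
    return replace(threat, vulnerability=max(1, threat.vulnerability - reduction))


# Constructed sample data (not real assets or findings)
ASSETS = [
    Asset("customer records", c=3, i=2, a=2),
    Asset("public website", c=1, i=2, a=3),
]
THREATS = [
    Threat("database exfiltration", "C", likelihood=2, vulnerability=2),
    Threat("denial of service", "A", likelihood=3, vulnerability=1),
    Threat("content tampering", "I", likelihood=1, vulnerability=2),
]

if __name__ == "__main__":
    for asset in ASSETS:
        print(f"{asset.name:18} rated {asset.cia_rating()}")
    for asset_name, threat_name, score in risk_register(ASSETS, THREATS):
        flag = "ACT" if score >= ACTION_THRESHOLD else "monitor"
        print(f"{asset_name:18} {threat_name:24} {score:2}  {flag}")
```

With the sample data, exfiltration of the customer records (C3) scores 12 and denial of service against the website (A3) scores 9, so both cross the assumed threshold, while the same exfiltration threat against the low-confidentiality website scores only 4. Re-scoring the exfiltration threat after a control that reduces exposure by one level (for example encryption of the data store) drops the customer-records score to 6, which is the kind of before/after comparison a plan of action should record.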
Threats and considerations related to information are continually changing and as a result Information Security doesn’t stop at the plan of action. Ongoing monitoring is required to detect issues and understand ongoing changes in requirements.
What is Cybersecurity?
Cybersecurity is specifically focused on network-connected technology components, from end user devices through to systems housed in data centres and the network technology itself. Cybersecurity is the protection of computer systems and networks from attacks that disrupt services or result in unauthorised theft of, or damage to, data, hardware or software.
Technology components are protected through a range of measures including but not limited to:
- End user security training to reduce human error, one of the most common contributing factors in breaches
- Designing software to be secure from the ground up
- Defining and implementing access controls to manage end user access to critical systems
- Continually identifying, remediating and mitigating vulnerabilities across the ICT environment
- Managing the response to breaches from detection through to remediation
Cybersecurity practices are critical to the mitigation of risks to data and information. When an Information Risk is identified, more often than not the remediation activity will involve mitigating vulnerabilities within the ICT environment.
How to get started improving security?
The aim of security teams should be to reduce risk, which starts with an understanding of the organisation along with the information and assets being managed. From there a plan should be developed which not only secures critical assets but also drives the growth of your organisation’s security culture.
Breaking the approach down into four steps:
- Understand your Organisation – Step back and carefully consider your organisation’s current mode of operation. What’s the mission and vision? What are the current plans and strategies? Most importantly, who are the key people involved from customers through to employees, partners and suppliers and what information is being managed?
- Identify Critical Information Assets – The next step is to identify the critical Information Assets. These are the systems and tools which access, process and store the information. Clearly identify the data in these systems and review the criticality of the information to be protected.
- Understand how information is being managed – Once the information and assets have been identified consider how the information is being accessed and managed. This gets down to the “Who?, What?, When?, How? and Why?”
- Develop a plan – With clarity on the information and data that needs to be protected you’re now ready to develop a plan. A cornerstone of a successful plan is the development of an organisation-wide security culture. In practical terms this means understanding the challenges business people face in ensuring that the services they operate protect the information they handle. With the business playing an active role in information security, the Cyber Security team can then play a supporting role in securing the technology components that underpin it.
Conclusion
In summary, Information Security is concerned with people and how they operate whilst Cybersecurity is focussed on protecting the connected technology components which capture, process and store information. Maximising success in all areas is primarily dependent on a strong security culture, a clear understanding of the information being handled and collaboration between the business and IT where responsibilities are not seen as an “IT problem”.
Call-to-Action
Gain an understanding of the information assets across your business and build relationships with key business stakeholders. Many organisations find it hard to get started or change the way they currently work and this is where we can help you at any point from forming your high level approach or strategy through to implementing technology controls across Cyber security to reduce business risk to information assets.
If you are looking for expert support in building and implementing a security strategy please reach out to our specialist team at Mantel Group.