Information security (also known as InfoSec) is a series of systems and policies designed to protect the confidentiality, integrity and availability of information (usually data) from unauthorised agents.
The information economy is so pivotal to business that InfoSec is governed by a variety of compliance requirements, including the Data Protection Act, the Computer Misuse Act and GDPR, to name but a few.
Information security is governed by three core tenets, known as the CIA of information security. In order to adapt to today’s business world, some industry leaders believe in an expanded six-tenet system, also known as the hexad.
Information security has grown out of a necessity to include a wide range of business-critical services, including:
Confidentiality, integrity and availability (CIA) are at the heart of InfoSec. You can think of them as a mission statement.
In information security, confidentiality "is the property, that information is not made available or disclosed to unauthorized individuals, entities, or processes." That’s simple enough. The first step in information security is defining what is confidential and who has authority.
Integrity means maintaining and assuring the accuracy and completeness of data over its entire lifecycle. This means that data cannot be modified in an unauthorized or undetected manner.
Information has no value if you can’t use it. So, you need availability. For InfoSec, this means governing the means of access. This applies both to granting access and to keeping data accessible. So, you need to consider data recovery, preventing DDoS attacks and so on.
Cybersecurity protects data from attacks that use technology to infiltrate your network. Along with physical security, cybersecurity is one of the tools used by InfoSec as part of your wider business security.
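The two definitions above, confidentiality (only authorised principals may read) and integrity (no undetected modification), can be shown as concrete checks. The following is an added example, not code from the original article: it assumes a made-up record store where every principal has a clearance set, every record carries a classification, and a server-held secret key is used to tag each record with an HMAC so that any change to the body or the label is detected on read. The key, users and records are all constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed example key: in practice this is held server-side only and never
# shipped with the data it protects. Value is an assumption for illustration.
SECRET_KEY = b"example-integrity-key-do-not-reuse"

# Confidentiality: who is authorised to see which classification level.
# Principals and levels are constructed sample data.
CLEARANCE = {
    "alice": {"public", "internal", "confidential"},
    "bob": {"public", "internal"},
    "guest": {"public"},
}


@dataclass(frozen=True)
class Record:
    name: str
    classification: str
    body: bytes
    tag: bytes  # HMAC over classification + body, computed when the record is written


def _mac(classification: str, body: bytes) -> bytes:
    # The label is covered by the tag too, so relabelling a record to a lower
    # classification is detected just like editing its contents.
    msg = classification.encode("utf-8") + b"\x00" + body
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()


def seal(name: str, classification: str, body: bytes) -> Record:
    """Write path: store the record together with its integrity tag."""
    return Record(name, classification, body, _mac(classification, body))


def verify_integrity(rec: Record) -> bool:
    """Integrity check: recompute the tag and compare in constant time."""
    return hmac.compare_digest(rec.tag, _mac(rec.classification, rec.body))


def read(rec: Record, principal: str) -> bytes:
    """Read path: enforce confidentiality first, then integrity."""
    if rec.classification not in CLEARANCE.get(principal, set()):
        raise PermissionError(f"{principal} is not cleared for {rec.classification} data")
    if not verify_integrity(rec):
        raise ValueError(f"{rec.name}: record has been modified or relabelled")
    return rec.body


def read_outcome(rec: Record, principal: str) -> str:
    """Convenience wrapper returning a short verdict instead of raising."""
    try:
        read(rec, principal)
        return "ok"
    except PermissionError:
        return "denied"
    except ValueError:
        return "tampered"


if __name__ == "__main__":
    payroll = seal("payroll", "confidential", b"salary table v3")  # constructed record
    print("alice:", read_outcome(payroll, "alice"))   # ok
    print("bob:", read_outcome(payroll, "bob"))       # denied (no clearance)
    edited = Record(payroll.name, payroll.classification, b"salary table v4", payroll.tag)
    print("edited body:", read_outcome(edited, "alice"))  # tampered
    downgraded = Record(payroll.name, "public", payroll.body, payroll.tag)
    print("relabelled:", read_outcome(downgraded, "guest"))  # tampered, not ok
```

The order of the two checks in `read` matters: the clearance test runs first so that an unauthorised caller learns nothing about whether a record's tag is valid, and the relabelled case shows why the classification has to be inside the HMAC rather than stored beside it.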
Like information security, cybersecurity includes best practice documents, data management policies and compliance standards. But these are all in service to information security, which will also include aspects such as who has access to the building, your BYOD policy, and even social media policy.
So, within IT, you can imagine a structure with InfoSec at the top, and cybersecurity and physical security underneath. Together, they provide your business with the tools and the strategy for protecting the sensitive data that is so critical to your business.
Whether you store your information in a box file or a server, your data needs protecting. Both InfoSec and cybersecurity are focused on ensuring that these protections remain in place.
Your InfoSec team’s main concern is protecting your company’s data from unauthorised access. Your cybersecurity team cares about the same thing, only through electronic access. They all agree that your data is valuable.
What they need to know is how valuable your data is. In order to put the right controls in place and manage budgets accordingly, they need to know what is most critical to your business.
Do you need more locks or more firewalls? Better training or deeper insight?
The reality is that with so much data being lifted to the cloud, cybersecurity is becoming more important than ever. Therefore, in many people’s eyes it is eclipsing InfoSec altogether. This is why so many people struggle to see the difference between InfoSec and cybersecurity. To them, it’s all the same.
The problem for smaller businesses is that this kind of thinking means that more and more is expected from the IT Manager. Not only do they have to manage the day-to-day cybersecurity issues, but they must also write policies and ensure compliance. In some cases, they must devise strategies for scenarios that have nothing to do with IT, but everything to do with data.
The more we rely on technology to help run our businesses, the greyer the line between information security and cybersecurity becomes. But remember the difference:
InfoSec is the strategy for protecting your data. Cybersecurity is just one of the tools you can use to protect it.