Posted on Nov 15, 2017
We are in a time when, thanks to the constant development of technology, businesses are more technically savvy and digitally advanced. With these advancements comes the need for businesses to have the proper security framework and procedures in place to protect their most important assets. Before putting a proper security framework in place, however, the business must understand the difference between Information Security and Cybersecurity. How are they different, and why are these terms so often confused?
Information refers to any data that has meaning and comes in any form (digital or not), so information security primarily refers to protecting the confidentiality, integrity, and availability of data regardless of its form. Per the NIST standard, integrity, confidentiality, and availability are defined as follows:
Cybersecurity, on the other hand, is the framework for protecting and securing anything that is vulnerable to hacks, attacks, or unauthorized access, which mainly consists of computers, networks, servers, and programs. Unlike information security, cybersecurity pertains exclusively to the protection of data that originates in digital form.
Some of the confusion comes from the fact that data and information are often stored digitally on a network, computer, server or in the cloud. Hackers gain access to this information to exploit its value.
The value of the data is the biggest concern for both types of security. As referenced above, in information security the primary concern is protecting the confidentiality, integrity, and availability of the data. In cybersecurity, the primary concern is protecting against unauthorized electronic access to the data. In both circumstances, it is important to understand which data, if accessed without authorization, is most damaging to the organization, so that a framework can be established with proper controls in place to prevent unauthorized access.
Where there are dedicated resources in separate teams, it is likely that both teams will work together to establish a data protection framework, with the information security team prioritizing the data to be protected and the cybersecurity team developing the protocol for data protection.
In sum, while cybersecurity can be viewed as a subset of information security, ultimately both focus on data protection. Both cybersecurity and information security personnel need to be aware of the scope and the shared mission to secure the enterprise.