Cybersecurity vs Information Security
As our ability to collect, transmit and store data continues to grow at an ever-accelerating rate, the task of securing that data becomes ever more complex. If you work in IT, you have certainly noticed the increased use of the terms cybersecurity and information security. You have probably even seen them used interchangeably. But are they the same? Let's take a look.
We'll start with the definitions of both terms given in the NIST (National Institute of Standards and Technology) Glossary of Key Information Security Terms, NIST IR 7298 Revision 2. [Source: http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf]
Cybersecurity: The ability to protect or defend the use of cyberspace from cyber attacks.
Information Security (1): The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
Information Security (2): Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide —
1) integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity;
2) confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
3) availability, which means ensuring timely and reliable access to and use of information.
The NIST definitions draw a clear distinction between protecting "the use of cyberspace" itself and protecting "information" in general. If we define cyberspace as the virtual environment of networked computers that facilitates communication, we can limit the cybersecurity discipline to the "online" realm. But we should be careful not to equate "online" with the internet alone: it covers everything within ICT (Information and Communication Technology), whether or not it is connected to the internet.
There is overlap between the disciplines when it comes to protecting information. Cybersecurity protects information by securing access to it through cyberspace, while information security is tasked with securing all information regardless of where it is located or how it is accessed.
Within information security, we must also recognise that not all data is information. To be information, data requires context and meaning. A driver's license number is just a sequence of alphanumeric characters and can be stored simply as data; it does not become information until it is understood to be a driver's license number. Cybersecurity protects data whether or not it carries that context, whereas information security, read strictly, concerns itself only with information. Cybersecurity, however, protects it only in the cyber realm: if the license number is written on paper, it falls within the discipline of information security and outside the realm of cybersecurity.
Another significant difference appears when we look at what else, besides raw data, is not information. Cybersecurity must protect vast systems and resources, such as hardware and software, that are not themselves information. Protecting servers, switches, routers, firewalls, and even the control systems of autonomous vehicles falls within the cybersecurity discipline but not, strictly, within information security. One caveat: the NIST definition quoted above does cover "information systems", so a server that stores or processes information is within the scope of information security; the hardware sits outside that discipline only to the extent that it holds or conveys no information.
The simplest way to understand the difference is to remember that cybersecurity secures everything within the cyber realm (even non-information) and information security is concerned with securing all information (even non-digital information).