Information Security or Cybersecurity?

Mon, Sep 26th 2022, 09:51 AM

In the last five years, the increase in breaches, ransomware, legislation, and third-party requirements have compelled executives outside of the security organisation to recognise the importance of comprehensive information security (infosec) and cybersecurity strategy. Consequently, budgets have increased significantly, resulting in high demands for security, privacy, and other risk professionals from the boardroom to the front line. In parallel with the rise in the profile of security and risk leaders in the organisation, however, there has been an increase in new challenges. To meet these challenges, a growing list of professional specialities and technologies are required.

Ahead of Cyber Security Awareness Month (CSAM), held in October, this writer thought it helpful to clarify two dominant career paths that are often confused by boards of directors, senior management, line staff and even students alike – Information Security Governance (ISG) versus cybersecurity versus InfoSec. Forbes contributor Brandon Galarita wrote, “Confusion between infosec and cybersecurity can occur since much of the information we want to store, protect and transmit exists in cyberspace.”

Defining ISG versus Cybersecurity

When reviewing the literature, there are contrasting views on whether ISG definitions have transformed (Williams et al., 2013) or whether they have remained constant (B. von Solms, 2005; McFadzean et al., 2007). Tan et al. (2017) explained that, as part of corporate security governance, ISG establishes what the board and executive management are expected to do and ensures that they are doing it responsibly: setting roles and responsibilities, ensuring objectives are achieved, monitoring risks, and verifying that resources are used appropriately.

Cybersecurity, on the other hand, is an assembly of security safeguards designed to maintain the security properties of an organisation's and an individual's assets in a cyberspace environment that is susceptible to relevant security risks (International Telecommunication Union (ITU), 2008).

Exploring IS and Cybersecurity differences

Cybersecurity is concerned with protecting information from cyber-attacks, while infosec focuses on protecting data from any threat. Hence, infosec is concerned with all types of information, whereas cybersecurity is restricted to cyberspace. Moreover, infosec addresses unauthorised access, disclosure, modification, and disruption, whereas cybersecurity addresses cybercrime, cyber fraud, and law enforcement. Finally, infosec professionals are the backbone of data security: they are responsible for the policies, processes, and organisational responsibilities that maintain confidentiality, integrity and availability. Meanwhile, cybersecurity professionals work to prevent active threats, including Advanced Persistent Threats (APTs).

Exploring IS and Cybersecurity similarities

While this writer has distinguished between information security and cybersecurity in this article, there is substantial overlap in practice.

Cybersecurity mechanisms designed to protect sensitive data can also be considered information security mechanisms. Password-protecting a database, for example, secures the information it contains and helps prevent cyber-attacks.

There are circumstances where both cyber and physical security must be addressed together. Consider malicious insiders, for example. Organisations must implement physical controls to prevent unauthorised personnel from gaining access to restricted parts of the building, such as a physical records room or a senior employee's office where sensitive files may be kept. At the same time, the organisation must consider the cybersecurity risks associated with records that are maintained digitally; access controls and data encryption are ways of safeguarding such records appropriately.

Conclusion

In short, the terms information security and cybersecurity are often used interchangeably. In their most basic form they share the same goal: the confidentiality, integrity, and availability of information. However, there are fundamental differences in practice, scope and the attacks each addresses.

Sources:

Williams, S. P., Hardy, C. A., & Holgate, J. A. (2013). Information security governance practices in critical infrastructure organisations: A socio-technical and institutional logic perspective. Electronic Markets, 23(4), 341–354. https://doi.org/10.1007/s12525-013-0137-3

McFadzean, E., Ezingeard, J., & Birchall, D. (2007). Perception of risk and the strategic impact of existing IT on information security strategy at board level. Online Information Review.

Tan, T., Maynard, S., Ahmad, A., & Ruighaver, T. (2017). Information Security Governance: A Case Study of the Strategic Context of Information Security.

International Telecommunication Union (ITU). (2008, April). Series X: Data Networks, Open System Communications and Security: overview of Cybersecurity.
