Infosec V Cybersec Firebrand

InfoSec v CyberSec — What’s the difference?

A question that crops up from time to time is, “What is the difference between Cyber Security and Information Security?”

It comes up almost as often as the question “Is Cybersecurity one word or two?!” (I like it as one word—but I am not too bothered either way!)

The InfoSec/Cybersecurity question is a good one and a tough one to answer in most cases, as it is often unique to your organisation.

Several factors need to be taken into consideration:

  • Sector that you work in
  • Size of your company
  • Number of security staff
  • Technologies employed
  • Governance requirements

Here's my take on it.

Central to most digital security solutions is the protection of the assets that fall under the category of ‘Data’ and ‘Information’, and Information Security (InfoSec) has this as its core responsibility.

Information Security specialists work within the business to ensure compliance with laws, regulations, and international standards and are key players in the formation of policies.

This team assesses the risks involved in business practices and in protecting data and information, and how the controls that address those risks are implemented and maintained.

This covers many skill areas and bodies of knowledge. The roles that work on Information Security are typically:

  • Chief Information Security Officer (CISO)
  • Data Protection Officer (DPO)
  • Governance, Risk and Compliance (GRC) Team
  • Risk Analysts
  • Information Security Auditors

Due to the very nature of data and information systems, Cybersecurity plays a key role in Information Security. Cybersecurity is about protecting the people and systems that create, store, use, transmit and delete data.

The policies that drive this are procedural risk controls, which are managed by the InfoSec team.

The technical controls used to implement security, such as defensive systems, scanning and monitoring solutions and incident alerting systems, are managed by the Cybersecurity team on behalf of (or in conjunction with) the CISO and InfoSec team.

Cyber Risk is a separate element of risk to an organisation, and this is one area where there may be a crossover between the InfoSec and Cybersecurity elements.

Cybersecurity Analysts also feed intelligence and information back to the Risk Analysts, GRC team, and ultimately the CISO, so that they can make informed decisions.

Typical Cybersecurity job roles include:

  • Cybersecurity Engineer and Cloud Security Engineer (closely aligned to Infrastructure and IT Admin Security)
  • Security Operations Centre Analyst/Defender & Responder
  • Cybersecurity Threat Intelligence and Risk Analysts (closely aligned to the GRC team)

Cybersecurity aligns with several key areas of business and, in many cases, merges with those departments.

For example:

  • GRC/InfoSec may have a Cybersecurity Risk Analyst as part of their team;
  • IT departments may include Cybersecurity Engineering as part of their function. They may also use third-party Defend-and-Respond solutions and manage them.

Both Information Security and Cybersecurity teams also rely on specialist areas of expertise and skill.

These may include:

  • Data Protection Officers trained in particular laws and regulations (DPA, GDPR, etc.)
  • InfoSec teams and auditors that lead on sector-specific regulations and standards (ISO27001/2, PCI-DSS, NIS2, etc.)
  • Penetration Testers
  • Forensic Investigation teams
  • Offensive/Defensive teams (Red/Blue/Purple teams)

And, as above, there is plenty of crossover between Information Security and Cybersecurity within these teams.

However, both disciplines have the same core values:

  • To protect the business and critical assets.
  • To maintain business continuity.
  • To support business growth and development.
  • To ensure compliance with legal and regulatory requirements.

In my opinion, there is a demarcation between the roles and responsibilities of Information Security and Cybersecurity and the skills required to perform each role. In an ideal world, these can easily be assigned to different teams and, given the budget, capacity, and management opportunities, there would be a difference between IT (and IT Security), Information Security, and Cybersecurity.

However, we don’t operate in an ideal world and budgets and staffing levels may be tight—which is why many organisations adopt a more blended approach to securing their digital assets.

Some may also argue that this joined-up approach is more beneficial, and I can’t disagree, as it is a very personal thing.

Regardless of your approach, it is vital that the individuals and teams involved are properly trained and skilled to meet the needs of your business and, even if you are a ‘jack of all trades,’ you can also be a master of something with the right training and experience!

Another great debate is, 'Should you put milk in first or last when making a cup of tea?' The answer is down to the individual and there is no right or wrong way of doing it—as long as the end result is what you need.