Some people seem to use the terms IT security, information security and cybersecurity interchangeably. But I’ve also worked with people who have used these terms in specific ways. For example, some will say there is a larger concept of IT security, which involves physical security, information security and cybersecurity, as shown in the figure below.
But what is the difference in these terms and why does it matter? If it even matters. Keep reading to find out.
What Is IT Security?
The idea captured in the above image is that IT security has three categories:
- Physical Security: Focuses on how you keep people and infrastructure safe. In this category, you focus on securing buildings, server rooms and wiring closets. You focus on proper lighting for buildings and parking lots, for example. It also involves understanding how to use camera guards, as well as actual guards and even guard dogs.
- Information Security: Focuses on keeping all data and derived information safe. This includes physical data (e.g., paper, computers) as well as electronic information. In this category, individuals focus on data backups, as well as monitoring techniques to make sure that no one has tampered with data or exfiltrated information. This category focuses less on the actual equipment and computing resources because it focuses on the data itself. And, yes, I’m distinguishing between data and information: data is raw and unprocessed. Information is derived from data after quite a bit of scrubbing, processing and handling.
- Cybersecurity: Focuses on protecting electronic assets – including Internet, WAN and LAN resources – used to store and transmit that information. Cybersecurity tends to focus on how malicious actors use these resources to attack information. Those individuals interested in cybersecurity are the ones interested in making sure that hackers can’t use electronic means to gain improper access to data and information.
One thing is important about the third category of cybersecurity: Some people don’t use the term information security, and kind of lump it right into cybersecurity, as captured in the image below.
So, which is best? Who is right?
There’s really no definitive discussion, but when IT pros go to create a security plan, they tend to separate out the physical, information and cyber security categories. Sometimes, they don’t even seem to realize it.
Does the Terminology Really Matter?
Many times, these questions arise when IT pros are discussing what certification or training program is best or most appropriate for their security role. Other times, it’s when individuals are trying to organize their security teams and activities appropriately.
I find that unless you’re implementing a security plan in a very specific way, the terminology really doesn’t matter. Implementing security is all about the details and using your terms consistently. So, as long as you focus on the details and start applying security controls according to a common-sense, policy-based approach, I don’t think you can go wrong with your terminology, as long as it’s consistent.
For example, regardless of the terminology you use, I would leverage a combination of red and blue team efforts to ensure that your physical, information and/or cybersecurity approaches are working.
I’ve found that companies are very interested in making sure that they have applied the proper security controls, including detective (e.g., an intrusion detection system or a security information and event management (SIEM)), compensating (e.g., separation of duties) and corrective (e.g., blocking IP addresses).
When it comes to the difference between IT security and cybersecurity, what matters more than terms you use is making sure that you have the correct foundation of knowledge that allows you to better direct red team and blue team operations.