The Tribune

Over the past five years, the increase in data breaches, ransomware, legislation and third-party requirements have compelled companies to recognise the importance of comprehensive information security (infosec) and cyber security strategies. Budgets have increased significantly, resulting in high demands for security, privacy and other risk professionals - from the boardroom to the front line. In parallel with the rise in the profile of cyber security and risk management leaders, challenges have also increased while new ones have emerged. To meet these threats, a growing list of professional specialities and technologies are required.

Ahead of Cyber Security Awareness Month (CSAM), which is held in October, this writer thought it helpful to clarify two dominant career paths often confused by boards of directors, senior management, line staff and even students alike. These are Information Security Governance (ISG) versus Cyber security and InfoSec. Forbes contributor Brandon Galarita wrote: “Confusion between infosec and cyber security can occur since much of the information we want to store, protect and transmit exists in cyber space.”

Defining ISG versus Cyber security

Although the literature gives contrasting views on whether ISG definitions have evolved or have remained constant, authors explain that as part of corporate security governance, ISG establishes what the board and executive management are expected to do. It also ensures they are doing it responsibly by setting roles and responsibilities, ensuring objectives are achieved, monitoring risks and verifying that resources are used appropriately.

On the other hand, cyber security is an assembly of security safeguards designed to maintain the security properties of a company and an individual’s assets in a cyberspace environment that is susceptible to relevant security risks. That is the 2008 definition employed by the International Telecommunications Union (ITU).

Exploring ISG and cyber security differences

Cyber security is concerned with protecting information from cyber attacks, while infosec focuses on protecting data from any threats. Hence, infosec is concerned with all types of information, whereas cyber security is restricted to cyber space. Moreover, infosec attacks target unauthorised access, disclosure modification and disruption, whereas cyber security attacks involve cyber crime, cyber fraud and law enforcement. Finally, infosec professionals are the backbone of data security, while security professionals are responsible for policies, processes and company responsibilities that maintain confidentiality, integrity and availability. Meanwhile, cyber security professionals work to prevent active threats or Advanced Persistent Threats (APTs).

Exploring ISG and Cyber security similarities

While this writer has distinguished between information security and cyber security, there will be a substantial overlap in practices. Cyber security mechanisms designed to protect sensitive data can also be considered information security mechanisms. Password-protecting a database, for example, ensures the security of the information it contains and prevents cyber attacks.

There are circumstances where both cyber and physical security must be addressed together. As an example, consider malicious insiders. Companies must implement physical controls to prevent unauthorised personnel from gaining access to restricted parts of the building, such as the physical records room or a senior employee’s office, where sensitive files may be kept. Simultaneously, it is also important for a company to consider the cyber security risks associated with records that are digitally maintained. Access controls or data encryption are ways digital records can be protected appropriately.

Conclusion

In short, info and cyber security are terms often used interchangeably. They are the same thing in their most basic forms: Confidentiality, integrity, and availability of information. However, there are fundamental differences in practice, scope and the attacks they are supposed to combat.

NB: About Derek Smith Jr

Derek Smith Jr. has been a governance, risk and compliance professional for more than 20 years. He has held positions at a TerraLex member law firm, a Wolfsburg Group member bank and a ‘big four’ accounting firm. Mr Smith is a certified anti-money laundering specialist (CAMS), and the compliance officer and money laundering reporting officer (MLRO) for CG Atlantic’s family of companies (member of Coralisle Group) for The Bahamas and Turks & Caicos.