You like potato and I like potahto
You like tomato and I like tomahto
Potato, potahto, tomato, tomahto.
Let’s call the whole thing off…
–Ella Fitzgerald, Let’s Call the Whole Thing Off (featuring Louis Armstrong)
You say information security, I say cybersecurity.
With apologies to Ella and Louis, this 21st Century update on their light-hearted distinction is far from trivial. “Many people use the terms synonymously, and it really isn’t a good idea to do so,” warns Shared Assessments Vice President Tom Garrubba.
Garrubba is not alone on this count. Shared Assessments members recently have reported a similar tendency to use the terms “cybersecurity” and “information security” interchangeably. The two capabilities are related, yet they differ in fundamental ways. When those differences are ignored or poorly delineated it can lead to security lapses, a failure to remedy security gaps, negative reports from auditors and worse.
Avoiding those pitfalls starts with clear definitions:
- Cybersecurity: This term is constantly uttered right now, for good reason, but its ubiquitous use tends to obscure its specific focus on electronic, or digital, data and on the network systems and infrastructure where that electronic data resides. Cybersecurity protects electronic data as it is accessed, processed, stored and transmitted.
- Information security: This broader term refers to the protection of company data in all formats, digital and paper-based alike, as well as the structures in which that data is housed. Cybersecurity is a (crucial) component of an information security capability. Monitoring the anti-virus software on a business-owned laptop is cybersecurity. It’s also information security. Monitoring the alarm system on the office building that has a room filled with spare business-owned laptops is information security. But it’s not cybersecurity.
“When you say ‘information security,’ you’re also referring to paper-based information,” Garrubba notes. “We’re not getting rid of all paper yet, and the data and information on physical documents also requires protection.” Information security, he continues, is established and sustained by ensuring adherence to a triad of underlying principles: Confidentiality, Integrity and Availability (CIA).
The social distancing measures and business closures triggered by COVID-19 presented vivid illustrations of the importance of – and difference between – cybersecurity and information security. Amid the widespread shift to a mobile workforce, business laptops needed to be secured on home Wi-Fi networks (cybersecurity and information security), and teams needed to figure out how to gain access to on-premises systems that were behind locked office doors due to government directives in response to local outbreaks (information security).
The problem with treating information security and cybersecurity interchangeably is that it can become unclear which teams and individuals are responsible for different actions.
“As an auditor, the last thing you want to do when you find a controls deficiency is to assign its remediation to the wrong person or unit,” Garrubba explains. “The remediation often will not occur in those situations. Someone will say, ‘No, that’s not me – I’m a plumber, not an electrician.’” Or worse, no one will say anything and the controls deficiency lingers until it sparks more and larger problems.
A well-defined policy can remedy this type of ambiguity. An effective policy identifies the scope of both activities and lays out specific responsibilities. “A good policy basically says, ‘This is our role, this is what we do and here are some examples of those responsibilities,’” says Garrubba, who notes that basic conversations about differences between cybersecurity and information security can help spread the word about frequently overlooked risks, such as the proper disposal of information assets.
“Without an effective disposal plan in place, old documents can create new security risks,” he adds. “There’s a reason why shredders exist.”
There’s also a reason why you should speak up when a colleague, client or vendor speaks imprecisely. That may not be grounds for calling the whole thing off, but it’s a ripe opportunity to establish clarity that will prevent more serious errors from arising.