Cybersecurity or Information Security?
From time to time I see journalists, IT specialists of various kinds and marketers confuse the concepts of cybersecurity and information security, substituting one for the other and misleading people, whether intentionally or because they do not understand the difference. Below I have tried to separate the two.

How the terms relate

Cybersecurity is the security of IT systems (hardware and software). Information security is the security of information, usually an organization's or a company's, including but not limited to the information held in IT systems. Cybersecurity is therefore a part of any organization's information security.

Examples

How well your home computer or your website is protected against hackers is a question of cybersecurity. Whether you stick a note with the password to that computer or to your social network profile on the monitor is a question of your information security.

On job sites you can often find ads such as "information security specialist needed" whose task descriptions list "administering monitoring systems", "antivirus administration" or "system vulnerability analysis (pentesting)". These are all narrow cybersecurity tasks. An information security specialist must be able to do much more: organize employee training on information security, run information security projects, perform risk analysis, assess the company's compliance with regulatory or legislative requirements, and so on.

Sellers of IT equipment and IT products often offer "information security solutions" when what they actually offer are cybersecurity solutions: antivirus software, firewalls and the like. If you buy an expensive router with advanced security features, or an expensive software product that detects and neutralizes malware, you are covering one control of the international information security standard ISO 27001, protection against malicious code. The standard as a whole contains dozens of different controls that every organization needs to implement for its information to be protected.

A good example of correct terminology is the title of the draft Law of Ukraine "On the Basic Principles of Ensuring Cybersecurity in Ukraine". Although there are many comments on the draft law itself, set out in detail by my colleagues from the Kyiv chapter of ISACA (Information Systems Audit and Control Association), the global association for the development of methodologies and standards in IT management, audit and security, the document does in essence cover exactly the question of cybersecurity.

On the other hand, the "Doctrine of Information Security of Ukraine" is a less successful use of the phrase "information security". This document mainly describes the goals and actions the state should take to counter Russia in the information space (television, radio, the Internet). It mentions the State Service for Special Communications and Information Protection of Ukraine (SSCI), but only in the context of protecting special communications, information and telecommunications and using the radio frequency resource of Ukraine. In my opinion, a better name for the document would be "Doctrine of Information Policy of Ukraine". For the document to cover all aspects of the state's information security, it would have to regulate not only the security of state information systems, but also the review of those systems for compliance (IT audit), educational activities to raise and maintain citizens' knowledge of information security, the analysis of and response to information security incidents (what CERT-UA does), and the continuity of operation of state IT systems. None of this is in the current "Information Security Doctrine"; in general these matters remain unregulated at the state level, so many open questions remain regarding the information security of Ukraine.

Hackers, who are they?

Hackers, as everyone knows, are mostly cybersecurity specialists. They study how various IT systems are built in order to find weaknesses in them and use those weaknesses to gain a benefit, financial or otherwise. Hackers are opposed not only by White Hats, who also find vulnerabilities in our IT systems but do so openly, to help us close the existing problem areas, but also by information security specialists, because an organization can be penetrated not only by directly hacking a particular system but also through simple human weaknesses: passwords kept in plain view, overly talkative employees, phishing, spam, social engineering by phone or email, and so on.

How to distinguish a cybersecurity specialist from an IS specialist?

The easiest and most obvious way is by certification. There is a huge number of cybersecurity and information security certifications in the world, but a few are the most common and popular.

Cybersecurity specialists:

  • CEH (Certified Ethical Hacker);
  • CISSP (Certified Information Systems Security Professional);
  • CCSP (Cisco Certified Security Professional).

Information Security Specialists:

  • CISM (Certified Information Security Manager);
  • CISA (Certified Information Systems Auditor);
  • ISO 27001 Lead Implementer;
  • ISO 27001 Lead Auditor.

There is also frequent confusion with IT auditors. A classic IT auditor knows precisely the set of procedures and methodological practices that must be followed to analyze any IT system against the stated goals. There are also pentesters, who sometimes position themselves as IT auditors but perform completely different tasks. A pentester's task is to break into a system; an IT auditor's task is to analyze the system, for example to check whether its settings comply with the vendor's recommendations. If you need to test your system's resistance to attack, a pentester, a CEH or a White Hat is who you need. If you only need to assess whether the settings of an IT system are adequate, or how user rights in the system are arranged, an IT auditor or a CISA will help.