
Comparing Infosec and Cybersecurity: Two Types of Data Security With a Common Goal

Originally published by New Context.

Infosec and cybersecurity are two primary concerns for modern organizations. While they’re separate areas, they’re very closely linked because so much information is in digital storage. This is especially true given the rapid digital acceleration of 2020, where we saw COVID-19 speed the adoption of digital tools by three to four years. Of course, with this rapid innovation comes an increased risk of security breaches.

Managing both infosec and cybersecurity effectively in such an environment requires a complete culture shift. Employees must be empowered to take ownership of their information security. On top of that, developers need to establish and follow best practices to protect the infrastructure that guards this information.

Comparing Infosec and Cybersecurity

Infosec and cybersecurity are closely linked, but not the same thing. The two have a parent/child relationship, with infosec being the parent and cybersecurity the child. As a result, they’re managed in different ways, often by disparate departments.

Infosec

Infosec is a broad term that applies to protecting data. While today it’s frequently used in connection with computers, software, and servers, it’s been around far longer than such technology has existed. Any information which requires confidentiality has some infosec policies applied to it. Modern infosec responsibility typically falls under the realm of a compliance or legal department. The goal is to ensure adherence to industry data standards.

Medical providers will have teams dedicated to the Health Insurance Portability and Accountability Act (HIPAA), financial firms may focus on the Gramm-Leach-Bliley Act, and so on. The compliance department will establish the infosec policies for that information and then pass on the requirements to those responsible for its cybersecurity. One common focus of infosec is adherence to the security principles of the CIA triad, which covers:

  • Confidentiality: Is the data safe from bad actors?

  • Integrity: Is the information accurate and protected from unauthorized changes?

  • Availability: Can those who need to use the data obtain it easily?

As these are broad philosophies, they’re easy to apply across the board, whether infosec managers handle servers and databases or simple paper files.

Cybersecurity

Cybersecurity covers the technology required to protect the information in a digital environment. It deals with threat models, where the organization reviews its vulnerabilities and establishes options for safeguarding against them. It also covers the overall architecture of the programs and any policies in place designed to control access.

Zero trust is a common philosophy here: developers build systems in which trust is never granted by default, and all traffic and users are verified. As this is a technical area, it’s typically the responsibility of developers within the organization. They focus on building an overall system architecture that protects information within the system. They may often adopt DIE model principles to further these efforts.

  • Distributed: Systems are broken down into multiple components so that no single part becomes a point of failure on which everything else depends.

  • Immutable: Infrastructure is not modified in place. If something goes wrong, it is disposed of and rebuilt from its definition; infrastructure as code is a big part of making this possible.

  • Ephemeral: Systems are short-lived enough that they can be eliminated in the event of a breach without losing anything of value.


Addressing both of these components can be a challenge because they’re the purview of different parts of an organization with opposing skill sets. Attorneys managing the data compliance challenges of an organization will have little technical cybersecurity knowledge. Meanwhile, developers may not be familiar with all the ins and outs of the laws which must be codified into their system. Managing both requires a collaborative approach that becomes a standard part of the culture.


Addressing Cybersecurity and Infosec with Culture

Infosec and cybersecurity need to be addressed by the entire organization, which is often a challenge because two separate departments handle them. Ingraining security awareness into the overall culture of an organization helps to ensure adherence to most policies. Building that culture requires three key components:

  1. Communication. Every person in an organization should know what is expected of them concerning infosec and confidentiality. Clearly written policies are a good start, but it’s important to reiterate these policies regularly.

  2. Transparency. Transparency is where a lot of companies fall flat in their communication efforts. Often, they tell employees what to do, but they don’t explain why it’s essential. Employees should understand the risk of not following procedures. Tying the risks to current events either in the world or the organization can help to solidify this.

  3. Example. Culture filters from the top down. To establish a secure culture, leaders must set the standard by following proper procedures and requiring managers to do the same.

When it comes to the development of cybersecurity procedures, best practices are vital. Developers should know what tactics they must follow in the code they write, the programs they adopt, and the strategies they use. Clear guidelines ensure a clean system that’s easier to manage.

Infosec and cybersecurity work together, so organizations must collaborate to support them. A supportive culture is one where employees are empowered to take ownership of security by managers who lead by example.