While cybersecurity protects the world’s digital roads, information security safeguards the information traveling along them.
Cybersecurity and information security are essential for protecting data and information.
Antonio Magallanes-Villamor Jr., CIA, CRMA, CISA, CISM, Dec 11, 2023
Internal auditors may feel overwhelmed when tasked with providing assurance or advice on organizational information security or cybersecurity. Distinguishing between these two fields can be perplexing. As a result, many internal audit, assurance, and IT professionals are confused about the differences between cybersecurity and information security and the risk areas each considers.
In reality, the core aspects of cybersecurity and information security are the same — both aim to protect data and information while preserving confidentiality, integrity, and availability. One concerns digital roads, while the other concerns traffic. Rather than reflecting on their differences, auditors should focus on what they have in common.
One reason for this confusion is that cybersecurity does not have a uniform definition. For example, the U.S. National Institute of Standards and Technology defines cybersecurity in several ways, including:
Formal definitions aside, cybersecurity encompasses interactions among people, systems, knowledge, networks, devices, instruments, and programs used within and around an organization’s network and the broader cyberspace. These interactions create dependencies among networks of information system infrastructure, telecommunications networks, computer systems, and embedded processors and controllers. All these components require protection from cyber threats that come from both the internet and inappropriate or malicious system usage. Cyber threats become institutional and national security risks when they threaten a nation’s critical infrastructure.
Cybersecurity is also a professional field with several branches, including privacy. Cybersecurity experts are particularly concerned with security issues arising from the significant increase in data. Recently, there has been growing concern that artificial intelligence can be used to develop more sophisticated attacks that replicate human behavior and target low-level systems.
Beyond technology, professions such as psychology, assurance, management, international relations, public policy, physics, and engineering all are involved in research, policy development, and technology improvements to address cybersecurity challenges. Within organizations, it is a concern for IT, audit, risk management, legal, human resources, communications, and physical security teams.
Information security is concerned with protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Specifically, it focuses on the confidentiality, integrity, and availability of systems or procedures that collect, organize, and disseminate information.
Confidentiality is about ensuring that only authorized people and processes can access information. Integrity is about preventing an unauthorized person or process from altering information regardless of its state (i.e., at rest, in transit, or in use). Availability means that authorized personnel or processes can access information whenever needed.
Effective information security demonstrates that an organization has sound information resource management. That requires organizations to have resources, governance, risk management, compliance, and control measures in place to achieve their information security goals.
Moreover, all organizations contributing to the information ecosystem must have effective information security mechanisms to be credible and trusted parties in cyberspace. They should ensure that their information systems and resources are free from potential exploits and would not serve as a source of cyber threats for organizations they interact with online.
To become more resilient, organizations can take measures such as implementing firewalls, intrusion detection systems, encryption, and access controls. They also should put in place secure communication protocols, encrypted data transmission, and secure payment gateways to protect sensitive information. Failure to implement information security rules and procedures can negatively impact an organization’s ability to conduct business over the internet.
At their core, both information security and cybersecurity are concerned with protecting information. Information is a powerful tool that individuals, institutions, and societies use for decision-making and influencing actions. Information and its supply chain should be protected in a hyper-connected world with highly complex information systems. Otherwise, they can be weaponized by people and organizations with harmful intentions.
In March, the European Network and Information Security Agency listed 10 emerging cybersecurity threats and challenges for 2030:
Both information security and cybersecurity threats involve data and information, such as inserting back doors in open-source libraries, identity spoofing, manipulating access to national services, analyzing legacy operational technology equipment for vulnerabilities, and using AI to analyze data from smart devices. Attackers may access space infrastructure to create malfunctions or malware to sabotage other governments, disrupt critical infrastructure, and leverage user and behavior analytics to sow discord. Threat actors can even use public job ads to learn about an organization’s skill gaps and outdated systems.
In response, organizations adopt technology tools to protect data and information confidentiality, integrity, and availability. These tools constantly change in response to many factors, such as the need to innovate and become more efficient in resource use as science and engineering evolve. The tools also must keep up with advances and challenges posed by threat actors. Internal auditors’ appreciation of these developments should progress as technology advances.
Information security and cybersecurity require organizations to manage future risks and respond to current and past incidents. This requires hindsight, insight, and foresight into vulnerabilities and how to prevent or reduce them, including the probability of a threat, the costs associated with potential outcomes, and how to mitigate them. Internal auditors should not be intimidated by risks associated with technological advances.
Cybersecurity and information security are essential for protecting data and information. Cybersecurity covers anything and everything in cyberspace, while information security applies to all information wherever it is located. With subtle distinctions, these fields overlap and share many standards, best practices, and control measures.
To feel confident, internal auditors must understand the technologies their organizations have adopted when providing assurance or advice. After all, the goal of information security and cybersecurity is safeguarding the organization’s data and information.