Demystifying the Distinction: Cybersecurity vs. Information Security
There’s so much to learn when you’re trying to get into cybersecurity. You study, learn, and network. Then, along the way, you notice that people occasionally say information security instead of cybersecurity. Some people use the two interchangeably. The usage is confusing, but you may be reluctant to ask.
The confusion is understandable. Many professionals in the field—yours truly included—regularly switch between the two terms or simply use the wrong one. Why? More on that shortly. First, let us ask: what is the difference between cybersecurity and information security?
Allow me to provide a non-technical analogy.
Everybody knows what a dog is, right? (One is sleeping next to me as I write this.) We regularly refer to dogs as canines. In fact, we act as if canine is simply a fancy word for dog. Here’s the thing… Dogs and canines aren’t necessarily the same thing. Sure, dogs are canines. But wolves, coyotes, and jackals are canines too. When a police cruiser labeled “K-9 Unit” drives by, you would never expect a 120-pound wolf to stick its head out the window. Yet despite the inaccuracy, we still regularly treat dog and canine as synonyms in English.
In this analogy, cybersecurity is the dog and information security is the canine. Cybersecurity involves confidentiality, integrity, and availability—known as the CIA Triad—for computer systems and networks. Information security is broader, encompassing domains such as identity and asset management (IAM), security assurance, security architecture, and more. Cybersecurity is part of information security, but information security is bigger than just cybersecurity.
So why do professionals in the field mix the two up? Largely because cybersecurity has developed a brand and public awareness. Everyone has heard of cybersecurity nowadays. Even if they cannot explain precisely what cybersecurity is, they know it has to do with stopping bad guys on computers. It took a few decades for cybersecurity to enter the public’s consciousness. Thus it’s simpler to say cybersecurity when you really mean information security.
To be fair, as people move around in their careers, they may move from a cybersecurity role to an information security role, then back to another cybersecurity role. Of note, however, the top job in this field is called the Chief Information Security Officer (CISO), not the Chief Cybersecurity Officer.
While professionals in the field are capable of in-depth discussions about the difference between cybersecurity and information security, rest assured that our friends and families have little interest in hearing them. Thus, if you bump into us at a barbecue, we’re likely to just say we work in cybersecurity, even though we know it’s an imperfect answer.