Cybersecurity is becoming a mainstream topic.
…well, it’s getting there.
It’s not that rare to see the story of a victim of cybercrime hit the mainstream news outlets. Cybercriminals are getting better and better at making money and a lot of that is easy money.
Organizations are—unfortunately—feeling the impact of cybercrime on their bottom line and that’s finally spurring awareness and action.
If there is any bright spot, it’s the increased awareness and the additional actions being taken to prevent cybercrime.
What Is Cybersecurity?
While we can agree that cybersecurity is becoming a mainstream topic, does everyone agree on what it actually is?
That’s a weird question but a fair one with any technical subject. If you’re not actively in a technical field, your understanding of that field will depend on your exposure to it.
Are you just getting the headlines? Doing some in-depth reading? Getting more of your awareness from movies and TV?
That’s not a horrible definition.
Using this wording, cybersecurity is basically what you do to make sure that hackers don’t get into your computer systems. Pretty straightforward, and it gets the point across.
If you ask a practitioner, you’ll probably get some slight variation of this technical definition: to protect the integrity, availability, and confidentiality of data.
This comes from the CISSP certification material. This certification has long been a “gold standard” for getting into the field of corporate cybersecurity.
What most don’t realize or remember is that this is the definition of information security.
And information security is different than cybersecurity.
The Security Umbrella
Security is a broad term. It covers a lot of nuance, all dealing with protecting something against something undesired.
There are essentially four areas of security:
- Cybersecurity
- Physical security
- Information security
- Operational security
Each of these areas is important and is rarely done in isolation.
We already know that cybersecurity is all about protecting computer systems from unauthorized access or attack.
Physical security protects people, property, and other assets from events that cause damage or loss. Security guards in buildings, access passes, gates, etc. are all examples of physical security controls.
Information security or INFOSEC is a set of practices that ensure that information and ideas are safe from unauthorized access and modification. This echoes the CISSP answer from above.
Operational security or OPSEC can be a little harder to wrap your head around. It’s a set of practices and procedures that make sure you aren’t unintentionally providing information that could help break the other types of security.
One of the biggest challenges facing organizations today is that far too much time and attention is spent on cybersecurity and not enough on information security.
This may seem like splitting hairs. After all, aren’t computers an example of “information technology” (IT)? Wouldn’t that make protecting them part of information security?
While you could make that argument, I think it’s a matter of scope.
Cybersecurity is a lower level task more concerned with specific aspects of larger, more complex systems.
Making sure that your phone isn’t being hacked. Verifying that the server only allows authorized users to download files. Getting users to use multi-factor authentication to log in.
All of these 👆 are examples of cybersecurity.
What we’re seeing in cybercrime (another confusing name but let’s not go there right now) is that these criminals are looking at other aspects of how information flows in an organization to find weakness.
If a production application has a strong security posture and a motivated attacker can’t get in, they don’t just give up. They will look at other aspects of the system that could be weaker.
This is where information security comes back into play. While it’s not a perfect divide, the idea of INFOSEC lends itself more to the larger system.
While the production application is hard to access, what about a developer who has access to it? Are they a vulnerability?
Maybe the attacker could use malware to gain access to the developer’s laptop. Or use a system on their home network to gain the permissions required to attack the production application.
Or, let’s get really evil here, they could attack or bribe the developer themselves.
You see, what’s really important is the information on how to access production, whether that’s a digital access key or a username/password stored in a developer’s head.
It’s the information, not the system hosting it, that the attacker is after.
XKCD put it best…