The Debate on Defining Cybersecurity
PwC's Vishal Salvi on Cybersecurity vs. Information Security
Recently, a friend of mine - a CISO - mentioned that his board has asked him to make a presentation on his organization's cybersecurity preparedness. He had heretofore never been asked to do this for information security.
It is only very recently that cybersecurity has caught everyone's imagination, and that, alas, has also resulted in use of the terms "cybersecurity" and "information security" interchangeably. Using these terms in lieu of each other would be fine so long as they mean the same thing. However, a problem arises when different stakeholders define these terms differently and attribute different meaning and scope to them - especially when some purists have very strong objections to the use of cybersecurity in place of information security.
It is apparent that the word "cyber" is very appealing and has a better connection with people through its broad use in the media today. So, perhaps it's fair to say that cybersecurity may currently be a more engaging term for our stakeholders. Having said that, let's try to understand and define these two terms and clarify their respective contexts. There are some differing views that I will explore in some detail.
View #1: Information Security is a Super-Set of Cybersecurity
To understand this perspective, let's review how NIST defines cybersecurity and information security:
Cybersecurity: Defined as the ability to protect or defend the use of cyberspace from cyber-attacks.
Information security: Defined as the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity and availability (CIA).
Based on the above, cybersecurity involves anything security-related in the cyber realm (or cyberspace). Information security involves the security of information or information systems regardless of the realm it occurs in. Since anything that occurs in the cyber realm would involve the protection of information and information systems in some way, you can conclude that information security is a super-set of cybersecurity.
View #2: They Are Mutually Exclusive
This view conceptualizes the two as mutually exclusive programs - one focusing on information assets and protecting CIA, while the other focuses on protecting the organization from cyber-attacks.
View #3: Cybersecurity is a Super-Set of Information Security
This view states that cybersecurity has grown in recent times due to the advent of advanced threats and the always-on online world. This has necessitated an agile cybersecurity strategy, which makes the current "Plan, Do, Check, Act" model of information security less relevant. Therefore, cybersecurity subsumes information security as a fundamental building block, but assumes a larger role in comparison. Very few in the industry agree with this.
View #4: Cybersecurity and Information Security Overlap
Many threats from cyberspace connect to the CIA of information systems - the traditional remit of the information security function. Likewise, information security fundamentals, including controls, standards and governance, go a long way in addressing threats from cyberspace. This underlines the fact that the two fields have a fair amount in common - hence an overlap. This overlap establishes a relationship between the two, and that makes cybersecurity an extended or evolved practice of information security. This overlap also allows existing InfoSec teams to extend their remit and perform the cybersecurity function, rather than build a separate team to tackle cybersecurity, as some recommend.
View #5: Integrated Approach to Cybersecurity
Getting the fundamentals right is important, as we know that the goalposts are always moving. But this does not mean information security is the same as cybersecurity. To be secure in cyberspace, organizations must address additional threats that go far beyond CIA. These non-CIA threats include reputation damage from hacktivism, cybercrime, identity theft, etc.
Also, CIA threats to enterprise systems exposed online get magnified and need an integrated approach for protection. Lastly, in spite of our best efforts in managing information security and cybersecurity risks, there will be a risk of unknown and unpredictable events taking place, and therefore organizations also need to focus on cyber resilience (detection and response).
What's in a Name?
It's important to recognize cybersecurity as a new and prominent term in the life of an InfoSec professional. There is a general consensus that the term has more mass appeal and therefore is very powerful in communicating the message to our stakeholders. Having said that, getting the fundamentals right is extremely important; one cannot ignore information security in the quest for cybersecurity.
There is a temptation to see cybersecurity as a new function, very distinct from information security. Whether that is warranted depends on the maturity of the organization's information security function. If it is already playing a broader information security role beyond technology, then it is best placed to scale and enhance its current roles to perform a cybersecurity and cyber-resilience function.
Frankly, the information security world has historically suffered from the lack of a standard taxonomy, and that continues to be the case here. As InfoSec professionals, we need to use these terms carefully and define them clearly, lest we confuse the industry and our stakeholders.
We cannot discount the popularity of the term "cybersecurity," but neither can we ignore the purists. Hence a deeper and open-minded debate may be required to develop a clear definition and standard that could be used by the security industry.
As they say, we cannot manage what we cannot measure, and we cannot measure what's not defined.
Vishal Salvi is Partner Advisory - Cyber Security at PricewaterhouseCoopers and was until recently the CISO at HDFC Bank. Views expressed are personal.