Cybersecurity Vs. Information Security: Is There A Difference?

Jake Olcott | September 15, 2019 | tag: Vendor Risk Management

This post was originally published March 15, 2016 and has been updated for accuracy and comprehensiveness

“Is there a difference between cybersecurity and information security?” Not only is this a great question, but it’s something we’ve heard many times before. Cybersecurity and information security are so closely linked that they’re often thought of as synonymous. But, there are some important distinctions between the two. 

Below, we’ll explain those distinctions, review a couple important areas of overlap, and discuss why this differentiation — and the evolution of these definitions — matters in the security sector.

What is Information Security?

Information security (or “InfoSec”) is another way of saying “data security.” So if you are an information security specialist, your concern is for the confidentiality, integrity, and availability of your data. (This is often referred to as the “CIA.”) Most modern business data resides electronically on servers, desktops, laptops, or somewhere on the internet—but a decade ago, before all confidential information migrated online, it was sitting in a filing cabinet. And some confidential information still is! 

Info security is concerned with making sure data in any form is kept secure and is a bit more broad than cybersecurity. So, someone could likely be an information security expert without being a cybersecurity expert.

What is Cybersecurity?

Cybersecurity is all about protecting data that is found in electronic form (such as computers, servers, networks, mobile devices, etc.) from being compromised or attacked. Part of that is identifying what the critical data is, where it resides, its risk exposure, and the technology you have to implement in order to protect it.

BitSight is a 2021 The Forrester New WaveTM Leader in Cybersecurity Risk. Learn why we are a leader.

Where Information Security and Cybersecurity Overlap

There is a physical security component to both cybersecurity and information security.

If you have a warehouse full of confidential paper documents, you clearly need some physical security in place to prevent anyone from rummaging through the information. And as more data becomes digital, the process to protect that data requires more advanced IT security tools. So, while you can’t put a physical padlock on a desktop computer, you can put a padlock on your server room door. In other words, if your data is stored physically or digitally, you need to be sure you have all the right physical access controls in place to prevent unauthorized individuals from gaining access.

They both take the value of the data into consideration.

If you’re in information security, your main concern is protecting your company's data from unauthorized access of any sort — and if you’re in cybersecurity, your main concern is protecting your company’s data from unauthorized electronic access. But in both scenarios, the value of the data is of utmost importance

Both individuals need to know what data is most critical to the organization so they can focus on placing the right cyber risk management and monitoring controls on that data. In some scenarios, an information security professional would help a cybersecurity professional prioritize data protection — and then the cybersecurity professional would determine the best course of action for the data protection. But with the changing security landscape over the past decade, things aren’t always this black and white.

The Evolution of Information Security and Cybersecurity

Over the last decade, we’ve seen a fusion between cybersecurity and information security, as these previously siloed positions have come together. The challenge is, most teams don’t have an information security professional on staff — so the responsibilities of a cybersecurity professional have expanded dramatically. Cybersecurity professionals traditionally understand the technology, firewalls, and intrusion protection systems needed, but weren’t necessarily brought up in the data evaluation business.

But today, that is changing. 

As this subject becomes increasingly important for businesses, the role of cybersecurity risk management experts is evolving so they can properly protect data. Business partners and investors are increasingly aware of the importance of this topic, and companies are asked regularly about their effectiveness in securing data and managing both physical and cyber risk.

Cybersecurity ratings can help with this task.

What are Cybersecurity Ratings?

Cybersecurity ratings or security ratings are the cyber equivalent of a credit score. Just as lenders view credit scores to grade how responsibly an individual manages their financial obligations over time, organizations can use security ratings to quickly and easily communicate the scale and severity of a risk in their own security performance management or within their supply chain. Because ratings are easy to understand, they are a useful mechanism for communicating internal and vendor risk to a non-technical audience in the C-suite, boardroom, or with the vendor in question. Using this high-level, objectively-derived data can simplify the conversation around risk.

In Summary

Because of the evolution of this position, it’s easy to understand why many people discuss cybersecurity and information security in the same breath. And, you can see how the questions that information security and cybersecurity try to answer are, in essence, the same:

  1.  How do we define what data is critical to us?
  2.  How do we protect that data?

Want to learn how the world's top performing companies are improving their security programs?

Download our free guide to learn more.

New call-to-action


Suggested Posts

BitSight Integrates With ServiceNow to Reduce Risk Throughout Vendor Management Programs

Organizations rely on third-parties to keep competitive in the marketplace. The EY global third-party risk management survey highlights that in 2019–20, over 33% of the 246 global companies surveyed were managing and monitoring...


5 Best Practices for Conducting Cyber Security Assessments

Third parties are essential to helping your business grow and stay competitive. But if you’re not careful, your trusted partnerships can introduce unwanted cyber risk and overhead into your organization.


5 Tips to Improve Cyber Security Monitoring of Your Vendors

What’s the biggest struggle your vendor risk managers face when establishing cyber security monitoring processes? From sudden increases in the use of third-parties by your organization, to not knowing which vendors might be impacted by...


Get the Weekly Cybersecurity Newsletter.