Changes needed in Information and Cyber Security – Part 3
By Hylton Stewart
Why Information Security Needs to change
In the last blog post, I covered some of the reasons why Information and Cyber Security need to mature in order to become a business enabler, as well as some of the ways that this evolution needs to manifest. In this blog post, I am going to expand on some of the areas of change needed in both Information Security and Cyber Security.
What is Information Security and Cyber Security?
There is often a lot of confusion around what Information Security and Cyber Security are, and how they relate to each other. As I discussed in the first blog post in this series (covering the origins of Information Security), it is generally understood that modern InfoSec grew out of the need to protect electronic information, resulting from the rise of the internet and connected networks. Thus, the common perception is that InfoSec relates to IT and technology. The protection of information is in fact much older than that. Information Security is an umbrella concept relating to the protection of all information that has value to a person, or more recently an organisation. This includes information that is in any format, be it paper, electronic, spoken conversations, or even stone tablets – to take an ancient example.
Cyber Security is a much newer subset of InfoSec, and is probably closer to what we have commonly conceived InfoSec to be over the last few decades – IT/Tech focussed. CyberSec is focussed on the ‘Cyber’ realm; that is, the electronic and internet arenas where modern information is predominantly stored. While InfoSec generally defines the business’s policies, procedures and best practices, CyberSec plans, implements, and manages the technological methods of protecting electronic information and assets, both internally and on the internet or cloud.
Changes needed in Information Security
I mentioned in the last blog post that Information Security needs to mature in two main ways: the ability of InfoSec professionals to understand business objectives and strategy, and their ability to communicate with people at all organisation levels. InfoSec has often been at odds with the business, as it has been seen as a blocker to progress and to meeting the organisation’s objectives. The InfoSec mindset has resulted in a disconnect between what the organisation is trying to achieve and what InfoSec is trying to protect. More often than not, this is because InfoSec professionals come from a technical background, and as such do not have a strong grasp of business practices.
In order to truly assist and protect organisations, InfoSec professionals need to develop an understanding of how business works and become good at understanding how different organisations operate. Once they truly understand the objectives and drivers of an organisation at the business level, they can then identify the actual risks that are relevant to each specific organisation. This will enable InfoSec professionals to make recommendations that management actually understands and that allow the organisation to meet its business objectives whilst still protecting its information.
Closely tied in with the above lack of understanding of business objectives, and probably due to their technical backgrounds, InfoSec professionals are often not able to communicate clearly with either Senior Management or the employees of the organisation. This includes communicating both the reasons for the security controls and policies as well as how they relate to the business objectives. The result of this lack of clear and effective communication is that most people leave a conversation with an InfoSec professional feeling slightly vague about what was discussed, how it relates to their job function, and what exactly is required. This means that not only do Senior Management often fail to support and approve the budget for InfoSec initiatives within the business, but employees fail to comply with the requirements – as they do not understand either the applicability or the reasons for the imposed InfoSec initiatives.
Once InfoSec professionals can truly understand an organisation and what it is trying to achieve at a business level, and they are trained to communicate clearly and with relevance to all levels of the organisation, then they will be able to truly protect and enable organisations while taking their rightful and needed place in the C-Suite.
Changes needed in Cyber Security
Cyber Security is most often concerned with the technical measures and solutions put in place by organisations to protect their assets and information. This is the realm of the Security Operations Centre (SOC), network and event monitoring and threat detection solutions as examples.
Cyber Security is a relatively new field and is continually evolving at a pace that is almost impossible for most organisations and professionals to keep up with. While InfoSec does change (GDPR is an example of a recent InfoSec or policy change), these changes are much slower than those occurring in the CyberSec arena. Due to the ever-increasing need to protect organisations from a myriad of constantly evolving threats, there are many solutions available on the market today, almost all of which claim to be the answer to protecting an organisation from threats.
This pace of change and the volume of solutions available, combined with a serious shortage of Cyber skills, has resulted in CyberSec deployments within many organisations being ad-hoc implementations that try their best to protect the organisation. At best these only address a portion of the areas that need protecting, and more often than not they hinder employees in the execution of their daily jobs. Add to this the fact that it is notoriously difficult to determine a return on investment for most CyberSec implementations, and you have a perception of CyberSec that is very similar to that of InfoSec.
As with Information Security, Cyber Security also needs to learn how to recognise and determine the needs of the business and its objectives, and align the solutions and controls implemented with these business objectives. Once these needs and objectives are understood, solutions can be implemented that are holistic and protect all of the organisation’s assets from the risks that are actually relevant to the organisation, instead of having a multitude of disconnected systems trying to protect different parts of the organisation.
This shift will not only allow CyberSec to support and enable users in their daily job functions but will improve the perception of security within the organisation and truly make the organisation more secure from the inside out. An important side effect of this improved perception of CyberSec is that users and executives will be less likely to resist proper security initiatives and will work with internal or outsourced security teams to increase understanding. This helps to further secure the organisation as it strives to meet its goals and objectives.
In the rest of this series, I will look at some of the possibilities for the future of both Cyber Security and Information Security, and how these disciplines may continue to evolve more in line with business needs.
If you have any questions about the information security of your business, do get in touch with one of the experts at the Conosco Security Division: email@example.com