Information Security versus IT Security
July 6, 2008
So many Information Security articles I read use the terms Information Security and IT Security interchangeably. Although I think in reality most security practitioners will already understand the difference — after all it’s not rocket science! — here is a brief interpretation and a picture for those who don’t, or who could do with a little clarity.
IT Security is Operations Security
As far as I see it there are two major streams within Information Security. Firstly, you have the gritty, get-your-hands-dirty, all-important operational security tasks, which may include anything from maintaining security infrastructure to security event monitoring, auditing and incident (response) management.
Primarily, IT Security is focused on technical vulnerabilities and on the infrastructure that has been created and deployed to mitigate those vulnerabilities (environmental controls, firewalls, anti-x, backup etc). Because of this technology focus, it makes good sense for this function to be a part of IT.
Information Security is Risk Management
In addition to the security technology infrastructure, Information Security is responsible for the protection of information: information residing on IT systems AND outside of IT systems, whether written or spoken in electronic form (e.g. emails and VoIP) or otherwise (e.g. paper and water cooler discussions).
To remain relevant and facilitate business alignment, Information Security is becoming increasingly focused on Risk Management. As Information Security becomes embedded into organisations it may even become a virtual function, with its activities undertaken by business-focused Information Risk professionals and technology-focused IT Security professionals.
Governance
In smaller organisations the IT Security and Information Security functions may be one and the same; this is understandable given the resource constraints such organisations face. In larger organisations the two functions are likely to be performed by two different, independent business units (Risk and IT).
In both cases there should be recognition that two distinct streams are undertaken within Information Security and need to have different governance arrangements. The diagram illustrates how the operational IT Security function may report through the CIO and the risk-based Information Security function through the CRO (though it’s only one option).
Partnership
With the recognition of two distinct streams and the implementation of suitable governance arrangements, a strong partnership between the two streams must be fostered to ensure effectiveness. The teams should either be physically proximate or have a clear communication plan for regular liaison, meetings and reporting.