If you're in the business of safeguarding data and the systems that process it, what do you call your profession? Are you in cybersecurity? Information security? Computer security, perhaps? The words we use, and the way in which the meaning we assign to them evolves, reflect the reality behind our language. If we examine the factors that influence our desire to use one security title over the other, we'll better understand the nature of the industry and its driving forces.
Until recently, I've had no doubts about describing my calling as an information security professional. Yet, the term cybersecurity is growing in popularity. This might be because the industry continues to embrace the lexicon used in government and military circles, where cyber reigns supreme. Moreover, this is due to the familiarity with the word cyber among non-experts.
When I asked on Twitter about people's opinions on these terms, I received several responses, including the following:
- Danny Akacki was surprised to discover, after some research, that the origin of cyber goes deeper than the marketing buzzword that many industry professionals believe it to be.
- Paul Melson and Loren Dealy Mahler viewed cybersecurity as a subset of information security. Loren suggested that cyber focuses on technology, while Paul considered cyber as a set of practices related to interfacing with adversaries.
- Maggie O'Reilly mentioned Gartner's model that, in contrast, used cybersecurity as the overarching discipline that encompasses information security and other components.
- Rik Ferguson also advocated for cybersecurity over information security, viewing cyber as a term that encompasses multiple components: people, systems, as well as information.
- Jessica Barker explained that "people outside of our industry relate more to cyber," proposing that if we want them to engage with us, "we would benefit from embracing the term."
In line with Danny's initial negative reaction to the word cyber, I've perceived cybersecurity as a term associated with heavy-handed marketing practices. Also, like Paul, Loren, Maggie and Rik, I have a sense that cybersecurity and information security are interrelated and somehow overlap. Jessica's point regarding laypersons relating to cyber piqued my interest and, ultimately, changed my opinion of this term.
There is a way to dig into cybersecurity and information security to define them as distinct terms. For instance, NIST defines cybersecurity as:
"Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation."
Compare that description to NIST's definition of information security:
"The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability."
From NIST's perspective, cybersecurity is about safeguarding electronic communications, while information security is about protecting information in all forms. This implies that, at least according to NIST, information security is a subset of cybersecurity. While this nuance might be important in some contexts, such as regulations, the distinction probably won't remain relevant for long, because of the points Jessica Barker raised.
Jessica's insightful post on the topic highlights the need for security professionals to use language that our non-specialist stakeholders and people at large understand. She outlines a brief history that lends credence to the word cyber. She also explains that while most practitioners seem to prefer information security, this term is least understood by the public, where cybersecurity is much more popular. She explains that:
"The media have embraced cyber. The board has embraced cyber. The public have embraced cyber. Far from being meaningless, it resonates far more effectively than 'information' or 'data'. So, for me, the use of cyber comes down to one question: what is our goal? If our goal is to engage with and educate as broad a range of people as possible, using 'cyber' will help us do that. A bridge has been built, and I suggest we use it."
Technology and the role it plays in our lives continues to change. Our language evolves with it. I'm convinced that the distinction between cybersecurity and information security will soon become purely academic and ultimately irrelevant even among industry insiders. If the world has embraced cyber, security professionals will end up doing so as well. While I'm unlikely to wean myself off information security right away, I'm starting to gradually transition toward cybersecurity.