QA | 30 June 2014
I recently attended a forum on Cyber Security Education and we discussed many aspects of preparing organisations to manage their risk through staff development, recruitment, incentivising, etc. The panel included journalists, public sector, private sector and academics.
What struck me was that all the people in the room had different understandings of the key terms Information Security, Information Assurance and Cyber Security. In many ways the definitions people had didn't fit the problems they were describing, and their approaches didn't overlap. They recounted "tales of woe" where all the Information Assurance efforts didn't prepare them when they were breached, instances where their cyber security teams had understood the technology but not the business needs, and cases where senior management had not heard anything except the cost.
So I wanted to take a look at each term to help determine the lines between each definition:
- Information Security. This is the easiest to comprehend as the "catch-all" term for every area: any technology, any medium, any storage technique, from encrypted file-store to warehouses full of paper records. In many respects, therein lies the problem; to be good at information security you need to be good at every aspect of it. Information Security is a great top-level term, but doesn't provide the detail. In order to acquire the necessary skills to successfully implement Information Security you need a firm grounding like CISSP, then more detailed skills in both IA and Cyber Security.
- Information Assurance (IA). This is the risk analysis, management and mitigation discipline that identifies the assets, the level of threat, the risk appetite, etc., followed by using formalised methods to calculate the level of risk and identify appropriate policies and mitigation strategies.
As you can see IA entails a hefty portfolio of responsibilities, providing an umbrella for all the information security concerns.
- Cyber Security. On the other hand, cyber security tends to be more of a technical discipline and encompasses the hardware and software controls, plus an up-to-date awareness of the changing threat landscape. This aspect often involves poachers turned gamekeepers. These people are often not good at policy and formal methods; they just want to use cool technology to protect systems and data from the bad guys. In-depth knowledge of tools, techniques and vulnerabilities is needed to identify the weaknesses and defend them.
The critical thing to spot is that both terms have implicit perspectives - IA is defence-centric and helps you better understand your organisation so that you can defend it. Cyber security is threat-centric and helps you understand how attackers operate so that you can stop them.
The attacker is more often than not from outside the organisation. They often neither know nor care about the policy structures and procedures for testing compliance with standards and legislation, etc. But if the assets aren't well understood and protected, then as soon as they get into your systems they can do massive damage and cause major problems.
Q: So what does this all mean?
A: It means we need all three perspectives and skill sets.
- The people at the top-level need to deeply understand Information Security so they can make informed decisions when presented with the facts.
- We need IA to understand and structure our security to inform the best investment and management decisions we can make.
- We need cyber security teams to design, test and manage our threats and attack surfaces.
None is more important than the others, and all are essential. Each aspect needs differing levels of investment and emphasis in different organisations, which is where the Chief Information Security Officer (CISO) comes in. The CISO should be tailoring the security stance to match the organisation, using the skills of the IA and cyber teams.
The three areas are different and complementary. But it is also important to understand where you come from; everyone has a natural leaning to one of the three areas. What is yours?
To view our cyber security curriculum, visit www.qa.com/cybersecurity.