Lately there’s been a lot of swirl in the industry about security organizations, with the term “information security” being used synonymously with “IT security.” These are very different functions and should be distinguished as such. With proper planning, you can ensure that your security functions are purposefully aligned with the business strategy and vision of your CEO and Board of Directors.
Let’s start with information security. Information security is the governance of security, typically within the context of enterprise (i.e., business) operations. Security governance includes tasks such as defining policy and aligning the overall company security strategy with the business strategy. Information security governance solves business-level issues and transcends the IT department. To appropriately govern information security in an enterprise setting, IT must be treated as any other business unit, a consumer of the information security service the same as legal, HR, finance, facilities, etc. This function of information security governance is pervasive to your business and should provide end-to-end coverage.
Now for IT security. IT security is the management of security within IT. IT security management teams should be translating information security strategy into technical IT security requirements. They’re responsible for IT risk management, security operations, security engineering and architecture, and IT compliance. The IT security management function should “plug in” to the information security governance framework.
As an example, if your business is preparing to expand in Europe (i.e., your business strategy), your information security governance might include compliance and certification for US-EU Safe Harbor, and your IT security management teams should planning to implement the security controls to comply with the Safe Harbor regulations. This mechanism of cascading goals and strategy will help ensure a holistic approach to security across the entire business.
So, why should you care? It’s about creating a common definition of security. If we can educate folks about security and establish a common lexicon, our audience will have a platform to think about security and apply the terminology in a way that makes sense to them. When people can correlate an activity or definition to their personal environment, it allows them to make an informed decision and self-select the correct security behavior without external incentives.
If you’re just getting started with security, I highly recommend you check out the work from ISACA, specifically CobIT 5 for information security found here. ISACA’s CobIT 5 is a nice reference point for defining the difference between information security and IT security. ISACA also ties in security business enablers as part of the larger CobIT governance and management framework. Additionally, ISO27001 should not be overlooked. There’s a great collection of artifacts found at ISO27001 Security.
