21 June 2025

Information security VS Cybersecurity


Over the past few days, I’ve seen a lot of comments on LinkedIn around words like “cybersecurity”, “information security” and “cyberattack”.

In the media, it seems that every time a computer is involved, there’s always talk of a “cyber attack”, even when it’s a minor incident or not linked to a security breach.

Even the Quebec government has a “Ministère de la Cybersécurité et du Numérique”. I would have preferred it to be called “Ministère des Services numériques et de la Sécurité de l’information”.


In short, since I work in this field, the choice of words gets to me, so I took a few minutes to explore the differences between these terms and their origins.

  • Information security: (NSA, ISO/IEC 27001, ISO 27002) born in the 1990s, this term covers the protection of all information – printed, verbal or digital – according to the triad of confidentiality, integrity and availability.
  • IT security: (COBIT, NIST SP 800-53) emerged at the same time as IT systems security. It encompasses the protection of servers, applications, infrastructures and sometimes industrial or connected object networks (OT/ICS).
  • Cybersecurity: (NIST Cybersecurity Framework, ENISA) emerged in the early 2000s with the popularity of the Internet and the rise of cyberattacks, focusing on the defense of online networks and data.
  • Cyber defense: (MITRE ATT&CK, NATO CCDCOE) originating in the military field in the late 2000s, it refers to offensive and defensive strategies for detecting, countering and responding to targeted attacks.
  • Information Systems Security (ISS): ISO standard term, synonymous with information security, emphasizing the global approach to all information-related systems.
  • Operational security: (ISO 22301, ITIL Incident Management) deals with incident management, continuity and resilience of day-to-day IT processes.

Ask yourself these questions to choose the right word:

  • If you’re talking about governance, compliance or strategy, prefer Information Security or ISS.
  • To protect systems that are interconnected or connected to the Internet, opt for IT Security or Cybersecurity.
  • When describing advanced operations (threat hunting, pentests), turn to Cyber defense.
  • Finally, for day-to-day incident management, system continuity and resilience, use Operational Security.

In the end, a precise word reinforces clarity and efficiency.



Patrick Boucher
President and founder
25+ years of experience in security, ethical hacking, business continuity