Information Security versus IT Security

IT security and information security are viewed by many as being the same, but they are in many respects worlds apart. Information security addresses a wide range of security-related risks, benefits and processes associated with information and information processing resources. Additionally, information security is generally driven by executive management, usually with at least some level of support from the board of directors. In contrast, IT security focuses on technology, specifically the technology needed to achieve security, and is typically driven by the CIO. In IT security, risk mitigation translates to using tools such as firewalls, intrusion detection and intrusion prevention systems, virtual private networks, anti-virus and anti-spyware tools, third-party authentication solutions, and more.

Information security and IT security are not diametrically opposed to each other. For example, information security does not by any means eschew security technology; an effective information security practice in fact uses security technology liberally. Without firewalls, intrusion detection and prevention systems, and so on, it is virtually impossible to adequately manage security risk. At the same time, however, the emphasis of information security is on the business of the organization that it serves. According to this view, technology exists only to serve the business; technology that is not related to business drivers is a wasteful mistake.

Until the last few years, the overwhelming emphasis within the information security arena was on IT security. Major breakthroughs in security technology helped to make this trend inevitable. In the last few years, however, things have changed considerably in that information security is starting to gain the upper hand. One of the most important indicators of this change is the fact that information security managers, formerly often buried somewhere within IT organizations, are now more than ever C-level officers of organizations; they frequently report directly to the CEO or, if not, to someone other than the CIO. Information security is also often now a board-level issue. Previously, information security managers frequently held one or more degrees in computer science; today’s information security managers increasingly hold one or more degrees in business or a related discipline.

Although information security is starting to gain the upper hand, IT security is still well-entrenched and is likely to be with us for a long, long time. The tendency to make security-related decisions based purely on technological considerations is likely to persist. But doing this is foolish, and in time information security is bound to prevail because it is far more closely aligned with organizations’ business drivers than is a pure technological approach. Again, technology does not drive the business. Business should instead drive technology, and the more that it does, the better technology’s return on investment is.
