What is information security (InfoSec)?

We need to protect information assets, which might include financial, confidential, personal or sensitive data. These assets can take the form of digital files and data, paper documents, physical media and even human speech. Throughout the data lifecycle, InfoSec oversees functions such as infrastructure, software, testing, auditing and archiving.

Grounded in decades-old principles, information security continually evolves to protect increasingly hybrid and multicloud environments in an ever-changing threat landscape. Given the evolving nature of these threats, multiple teams need to work together to update both the technology and processes used in this defense.

Digital information security, also called data security, receives the most attention from information security professionals today and is the focus of this article.

The terms information security, IT security, cybersecurity and data security are often (and mistakenly) used interchangeably. While these fields overlap and inform one another, they differ primarily in scope.

• Information security is an umbrella term that covers an organization's efforts to protect information. It includes physical IT asset security, endpoint security, data encryption, network security and more.

• IT security is also concerned with protecting physical and digital IT assets and data centers but does not include protection for the storage of paper files and other media. It focuses on the technology assets rather than the information itself.

• Cybersecurity focuses on securing digital information systems. The goal is to help protect digital data and assets from cyberthreats. While an enormous undertaking, cybersecurity has a narrow scope, as it is not concerned with protecting paper or analog data.

• Data security is the practice of protecting digital information from unauthorized access, corruption or theft throughout its entire lifecycle. It includes the physical security of hardware and storage devices, along with administrative and access controls. It also covers the logical security of software applications and organizational policies and procedures.

Data powers much of the world economy, and cybercriminals recognize its value. Cyberattacks that aim to steal sensitive information—or in the case of ransomware, hold data hostage—have become more common, damaging and costly. InfoSec practices and principles can help secure data in the face of these threats.

According to IBM’s Cost of a Data Breach Report, the average total cost of a data breach is USD 4.44 million.

A data breach costs its victim in multiple ways. The unexpected downtime leads to lost business. A company often loses customers and suffers significant and sometimes irreparable damage to its reputation when customers' sensitive information is exposed. Stolen intellectual property can hurt a company's profitability and erode its competitive edge.

A data breach victim might also face regulatory fines or legal penalties. Government regulations, such as the General Data Protection Regulation (GDPR), and industry regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), require companies to protect their customers' sensitive information. Failure to do so can result in hefty fines.

Companies are investing in information security technology and talent. According to the Cost of a Data Breach Report, 49% of organizations plan to increase security investments after a breach.

The top areas identified for extra investments include incident response planning and testing, data security tools and threat detection and response technologies. Organizations that made extensive security AI and automation investments reported USD 820,000 lower data breach costs compared to the average.

Chief information security officers (CISOs) who oversee information security efforts have become a fixture of corporate C-suites.

Demand is rising for information security analysts holding advanced information security certifications, such as the Certified Information Systems Security Professional (CISSP) certification from ISC2. The Bureau of Labor Statistics projects employment for information security analysts will grow 32% by 2032.¹

Information security practices are grounded in a set of decades-old, ever-evolving principles:

• The CIA triad
• Information assurance
• Nonrepudiation

First suggested by the National Institute of Standards and Technology (NIST) in 1977, the CIA triad is intended to guide organizations in choosing technologies, policies and practices to protect their information systems. The elements of the CIA triad include:

• Confidentiality
• Integrity
• Availability

Confidentiality means ensuring that parties cannot access data they're not authorized to access.

Confidentiality defines a continuum of users, from privileged insiders with access to much of the company's data to outsiders authorized to view only information the public is permitted to view.

Personal information should remain private. Sensitive data is sensitive. If an unauthorized person obtains a password to protected data, it would be a confidentiality breach.

Integrity means ensuring that all information contained within company databases is complete and accurate.

Integrity efforts aim to stop people from tampering with data, such as by unauthorized additions, alterations or deletions. Data integrity applies to preventing both adversaries who intentionally alter data and well-intentioned users who alter data in unauthorized ways.

Availability means ensuring that users can access the information they're authorized to access when they need it.

Availability dictates that information security measures and policies should not interfere with authorized data access. Much of availability is straightforward, such as working to ensure the robustness of hardware and software to prevent an organization’s sites going down.

The ongoing process of achieving confidentiality, integrity and availability of data within an information system is known as “information assurance.”

Nonrepudiation means that a user cannot deny (that is, repudiate) having made a transaction—such as altering data or sending a message—because the user needed to pass authentication to perform the transaction in the first place.

While not technically part of the CIA triad, nonrepudiation does combine aspects of information confidentiality and integrity. Nonrepudiation involves ensuring that only authorized users work with data, and that they can only use or modify data in authorized ways.

Information security professionals apply the principles of InfoSec to information systems by creating information security programs. These programs are collections of information security policies, protections and plans intended to enact information assurance.

Core components of an information security program might include:

• Risk assessment
• Identifying vulnerabilities
• Identifying threats
• Incident response planning

An information security risk assessment audits every aspect of a company’s information system. The assessment helps information security professionals understand the exact risks that they face and choose the most appropriate security measures and technologies to mitigate the risks.

A vulnerability is any weakness in the information technology (IT) infrastructure that adversaries might exploit to gain unauthorized access to data. For example, hackers can take advantage of bugs in a computer program to introduce malware or malicious code into an otherwise legitimate app or service.

Human users can also constitute vulnerabilities in an information system. For example, cybercriminals might manipulate users into sharing sensitive information through social engineering attacks such as phishing.

A threat is anything that can compromise the confidentiality, integrity or availability of an information system. 

A cyberthreat is a threat that exploits a digital vulnerability. For example, a denial of service (DoS) attack is a cyberthreat in which cybercriminals overwhelm part of a company's information system with traffic, causing it to crash. 

Threats can also be physical. Natural disasters, physical or armed assaults and even systemic hardware failures are considered threats to a company's information system.

An incident response plan (IRP) typically guides an organization's efforts in responding to incidents.

Computer security incident response teams (CSIRT) often create and execute IRPs with the participation of stakeholders from across the organization. Members of the CSIRT might include the chief information security officer (CISO), chief AI officer (CAIO), security operations center (SOC), IT staff and representatives from legal, risk management and other nontechnical disciplines.

IRPs detail the mitigation steps that an organization takes when a significant threat is detected. While IRPs vary based on the organizations that craft them and the threats they target, common steps include:

• Assemble the security team, virtually or in person.
  
  
• Verify the source of the threat.
  
  
• Act to contain the threat and halt it as soon as possible.
  
  
• Determine what, if any, damage has occurred.
  
  
• Notify interested parties within the organization, stakeholders and strategic partners.

Information security programs use several different tools and techniques to address specific threats. Common InfoSec tools and techniques include:

• Cryptography
• Data loss prevention (DLP)
• Endpoint detection and response (EDR)
• Firewalls
• Intrusion detection (IDS) and intrusion prevention (IPS) systems
• Information security management systems (ISMS)
• Security information and event management (SIEM)
• Security operations centers (SOC)
• Strong authentication measures
• Threat intelligence
  
• User and entity behavior analytics (UEBA)

Cryptography uses algorithms to obscure information so that only people with the permission and ability to decrypt it can read it.

DLP strategies and tools track data use and movement throughout a network and enforce granular security policies to help prevent data leaks and losses.

EDR solutions continuously monitor files and applications on each device, hunting for suspicious or malicious activity that indicates malware, ransomware or advanced threats.

A firewall is software or hardware that stops suspicious traffic from entering or leaving a network while allowing legitimate traffic through. Firewalls can be deployed at the edges of a network or used internally to divide a larger network into smaller subnetworks. If one part of the network is compromised, hackers are blocked from accessing the rest.

An IDS is a network security tool that monitors incoming network traffic and devices for suspicious activity or security policy violations. An IPS monitors network traffic for potential threats and automatically blocks them. Many organizations use a combined system called an intrusion detection and prevention system (IDPS).

An ISMS includes guidelines and processes that help organizations protect their sensitive data and respond to a data breach. Having guidelines in place also helps with continuity if there is major staff turnover. ISO/IEC 27001 is a widely-used ISMS.

SIEM systems help detect user behavior anomalies and use artificial intelligence (AI) to automate many of the manual processes associated with threat detection and incident response.

A SOC unifies and coordinates all cybersecurity technologies and operations under a team of IT security professionals dedicated to monitoring IT infrastructure security around the clock.

Two-factor authentication (2FA) and multifactor authentication (MFA) are identity verification methods in which users must supply multiple pieces of evidence to prove their identities and gain access to sensitive resources.

Threat intelligence helps security teams be more proactive, enabling them to take effective, data-driven actions to prevent cyberattacks before they occur.

UEBA is a type of security software that uses behavioral analytics and machine learning algorithms to identify abnormal and potentially dangerous user and device behavior.

Organizations face a long list of potential threats to information security.

• Cyberattacks
• Employee error
• Ineffective endpoint security
• Insider threats
• Misconfigurations
• Social engineering

These attacks can attempt to compromise an organization’s data from any number of directions, including advanced persistent threat (APT) attacks, botnets (robot networks), distributed denial-of-service (DDoS), “drive-by” download attacks (which download malicious code automatically), malware, phishing, ransomware, viruses and worms.

People can lose mobile equipment loaded with sensitive information, visit dangerous websites on company equipment or use easy-to-crack passwords.

Any laptop, mobile device or PC can be an entrypoint into an organization’s IT system in the absence of adequate antivirus or endpoint security solutions.

There are two types of insider threats.

• Malicious insiders are employees, partners or other authorized users who intentionally compromise an organization’s information for personal gain or for spite.
  
  
• Negligent insiders are authorized users who unintentionally compromise security by not following security best practices.
  

According to the X-Force Threat Intelligence Index report, a significant number of security incidents involve malicious use of legitimate tools. The incidents include credential theft, reconnaissance, remote access and data exfiltration.

Organizations rely on various IT platforms and tools, including cloud-based data storage options, infrastructure as a service (IaaS), software as a service (SaaS) integrations and web applications from various providers. Improper configurations of any of these assets can pose security risks.

Also, provider or internal changes can lead to “configuration drift,” where valid settings go out-of-date.

The X-Force Threat Intelligence Index reported that during penetration testing engagements, the most observed web application risk across client environments was security misconfiguration, accounting for 30% of the total.

Social engineering attacks trick employees into divulging sensitive information or passwords that open the door to malicious acts.

It can also happen that while trying to promote an organization through social media, employees might mistakenly divulge too much personal or business information that can be used by attackers.

The benefits of a strong InfoSec program can assist teams across entire organizations:

• Business continuity
• Compliance
• Cost savings
• Greater efficiency
• Reputation protection
• Risk reduction

In addition to direct information security threats, organizations face multiple challenges when building and managing a robust InfoSec strategy and system.

• Complacency
• Complexity
• Global connections
• Inflexibility
• Third-party integration

With a new system in place, there might be a tendency to walk away, satisfied that the task is done. But hacking techniques are continually sharpened to keep pace with new security measures. Maintenance and the task of securing data are rarely complete, and constant improvements to security controls are needed.

The ever-changing technological environment requires a sophisticated system and an IT team that is thoroughly up to date to manage those evermore complex systems. This includes safely exchanging information with the Internet of Things (IoT) and all mobile devices.

Complexity can be a time drain: some IT teams find their primary effort is in continually reconfiguring and maintaining their security system.

Businesses around the world might use different computer systems, have different levels of information security and work under different regulations. All of these make secure global data exchange increasingly difficult.

Locking down all information might halt all business progress. The difficult balance is having a constructive data flow within an organization while keeping the data safe within the organization and using it appropriately.

Depending on their level of security, integrating information systems with a third-party vendor or other business partner might be difficult or create new security risks.