We have all heard of cyber threats and seen the investment in anything that has the term cyber associated with it. Is this just an evolution of terms? First there was IT security, which looked at protecting IT systems themselves. Then came information security, as the emphasis moved away from the hardware to what was really important – the information. The trouble was that information security was still closely associated with IT security. The next logical step was to embrace all controls that addressed risks to information, including physical security, people awareness and training, as well as the all-important governance processes within an organisation. This is where information assurance (IA) came into being. So, if IA embraces everything to do with information, what is cyber security all about, does it differ, and does it matter?
Cyber is about a particular threat group
The quick and simple answer is that cyber security is primarily aimed at addressing risks originating from cyber-space. And what, or where, is that exactly? Cyber-space is primarily, but not exclusively, associated with the Internet. It also extends to any form of computer-to-computer communication. Malicious code embedded within a USB memory stick would be considered a cyber-space risk, as would a hacker downloading the organisation’s intellectual property. Cyber security includes the defensive controls that are needed to address the threat from cyber-space. The vast majority of these controls will be technical in nature, but that is not to say they are exclusively technical. Training and education, personnel clearances and incident management could all be addressed by cyber security.
So how does IA differ?
IA, however, goes further than just the cyber-space threat groups. IA addresses all risks to information systems and all manner of controls, including technical, physical, procedural and personnel. Cyber threats are just another threat group that needs to be considered within IA.
What about non-information systems?
IA has always encapsulated the less obvious information systems, such as SCADA (Supervisory Control and Data Acquisition) and safety systems. Traditionally, these systems have been very isolated, which has limited the threat groups that could attack them. Advances in technology and the ubiquitous Internet now allow these systems to be centrally and remotely managed, bringing cyber-space threats into play. Cyber has brought these systems into sharper focus, although both IA and cyber include the protection of these vital assets from threats from cyber-space.
Cyber goes on the offensive
Here is where the real difference lies: IA is generally about defensive measures put in place to ensure that vulnerabilities are kept to a minimum and that, if an attack were to happen, it would be detected and the organisation would be able to recover. Cyber security also considers offensive measures to deter and disrupt the intentions of would-be attackers.
The UK Cyber Security Strategy makes this offensive nature very clear. The UK Government is committed to making the UK the best place in the world to do online business. This means that it not only needs to address defensive measures but also take on the bad guys at their own game. Cyber offensive measures increase the chances of attackers getting caught if they target the UK and disrupt their ability to launch attacks in the first place. This is the critical difference between cyber and IA.
Can there be cyber without IA?
Most organisations don’t (and should not!) employ any offensive controls to mitigate the cyber-space threat. They concentrate on the delivery and management of defensive controls to manage risks to their information assets. Any business in the UK is now exposed to a cyber threat that needs to be addressed. A good information risk management process, as part of an overall IA strategy, will assess the cyber threat as just another threat group. Risk mitigation will introduce appropriate defensive controls to manage those risks. So, to answer the question: no, you can’t have one without the other. Cyber is part of IA, just under another, albeit more trendy, name.
Does it matter?
If we leave the offensive nature of cyber for governments to sort out, it doesn’t matter what name is used to address risk. The most important thing is that all risks are identified and appropriate measures put in place. Call it cyber, IA, IT security or information risk management – it doesn’t matter, as long as it gets done!
Article by Dave James, MD of Ascentor.