There are many ways to help safeguard sensitive and confidential information within an enterprise. Amongst the most popular are information assurance and cybersecurity. Often these terms are used interchangeably but there are key differences between the two. So what are they, why are they important and what does this mean for security professionals?
On October 30th 1942, German U-boat U-559 was boarded and the course of the Second World War was changed forever. The allies were able to seize codes for the enigma machine and the rest is history. One little known outcome of this historic event, according to many experts, is that it marked the birth of information assurance.
The allies realized the importance of protecting information and, as a result, the US Department of Defense established its Information Assurance Branch. A lot has changed since then with modern information assurance having a whole range of new technologies and techniques at its disposal. However, the need to understand the information you have and ensure it’s fully protected hasn’t changed.
The beginning of cybersecurity may not have as cool an origin story, but in today’s increasingly online and digital world it is no less important. The differences between cyber security and information assurance are interesting to note, however, for complete computer security, information assurance and cybersecurity must be applied together when protecting an organization.
A holistic approach for securing digital information
It’s estimated that cybercrime will cost the global economy $10.5 trillion annually by 2025. Experts suggest that, in 2021, businesses will fall victim to ransomware attacks every 11 seconds. And the cost of data breaches can be enormous. The average cost per breach is $3.86 million.
While a good deal of focus has been placed on high profile hacks and the work of malicious actors outside the company, insider threats should not be downplayed. In 2019, 60% of all data breaches were caused either deliberately or accidentally by people within the organization. This figure had risen a staggering 47% from the previous year.
The need to protect sensitive information both digital and physical, has never been greater and it takes a combination of disciplines, methods, and technologies to achieve the level of cyber resilience that organization need today. That includes cybersecurity and information assurance so let’s begin by defining our terms.
What is information assurance?
You can define information assurance as the practice of ensuring that information systems will perform as needed when needed, while remaining securely accessible to authorized users. PC Magazine calls information assurance: ‘the technical and managerial measures designed to ensure the confidentiality, possession or control, integrity, authenticity, availability and utility of information and information systems’. It’s all about information assets, valuations, optimization, strategy, and continuous assessment. The major roles of information assurance professionals revolve around the management, planning, auditing, and governance of an organization’s information.
What is cybersecurity?
According to the National Institute of Standards and Technology, cybersecurity is: ‘ the ability to defend or protect the use of cyberspace from cyber attacks’. It comprises a range of technologies and techniques focused on preventing and defending against attacks and unauthorized use of computer systems, including network security, applications, and data. Potential threats are identified, analyzed, and evaluated to determine the appropriate actions to be taken. Prevention, using firewalls, and other deterrence measures is another core aspect of the role for cybersecurity experts. Because they deal with data in all its forms, cyber security professionals and specialists are usually better qualified to address vulnerabilities associated with non-traditional information systems and computing devices, such as Internet of Things (IoT) devices.
Key differences between cybersecurity and information assurance
While it’s clear that there are overlaps between the two disciplines, the differences are important for any organization looking to make the most of information assurance and security management in their digital business. These differences include:
Information vs data
If you think of data as the bits and bytes within the computer system, then information is that data when there’s context applied to it. For one educational establishment when describing its computer science degrees made the distinction that information assurance professionals were responsible for protecting the information while cybersecurity was really about protecting the data that underpinned it. With information assurance, we make judgments on the importance of information and prioritize the levels of protection. Cybersecurity experts are likely to view each data set as important and look to protect everything.
Strategy vs practice
Information Assurance experts seek to know how a company uses information, how valuable that information is to the company, and how exposed that information happens to be so that they can guide the organization on how to prioritize tasks to protect it. A good deal of their work is strategic. The work within cybersecurity is more technical, looking to create solutions to protect and defend against a cyber attack.
It’s too simple to say that information assurance is strategic and cybersecurity is practical. There is of course a lot of practice involved in information assurance and a lot of strategy in cybersecurity. So perhaps this difference can be summed up as information assurance professionals will use information assurance solutions to do their job. Cybersecurity professionals will as well, but they will also create new cybersecurity tools where they see a need.
Attack vector
This is perhaps one of the biggest differences between cyber security and information assurance. Cybersecurity, by its nature, has grown up to defend against the growing threats posed by the rapid adoption of the Internet. But the Internet is not the only area of attack covered by cybersecurity solutions. Any computer-to-computer attack – such as malware on a USB stick – falls within the remit of cybersecurity professionals.
However, that’s only a subset of what’s covered by information assurance. This discipline involves all sensitive information regardless of where it is, what format it’s in and who’s using it. Information assurance solutions must be able to cope with the prospect of insider attacks and breach attempts that span the increasing surface area of corporate networks as more computing and IoT devices, as well as customer, suppliers, and partners connect in a greater ecosystem of people, applications and things. Of course, information assurance will rely on cybersecurity to help it achieve at least some of its goals.
Risk management
Risk management is the key reason for the existence of both information assurance and cybersecurity but they have slightly different focuses on risk. Information assurance professionals take in the totality of what is and has happened with corporate information as well as what will happen in the future. An information assurance risk assessment should cover past attacks, the type of information hackers target, how people are using the information and what new demands business strategy will place on information provision and management.
For cybersecurity experts, it’s the present that’s most important. They have to concern themselves with immediate risk and their ability to stop attacks happening now. Even proactive cyber defense is designed to address threats that are seen to be somewhat immediate. The reason for this is that they are constantly working to keep up with the technology being used in the attacks. Cybersecurity professionals can be thought of as participating in an ever-escalating cybersecurity arms race.
Offensive and defensive
Information assurance can be thought of as primarily defensive in nature. It’s designed to protect information across the organization as well as to help quickly identify and remediate where the worst does occur. That said, smart organizations are becoming increasingly proactive. They are working out where all their data is, what data they have and in what format so it can be quickly retrieved when required for litigation or regulatory enquiries.[CV1] .
For most cybersecurity professionals, the job is primarily defensive as well, but there is a strong offensive component to cybersecurity. It’s not just about reacting to attack, it’s also about proactively going out to identify potential areas of weakness and construct defense before anything actually happens. A proactive cyber defense involves knowing what’s happening on your network and identifying threats to determine if and when the next cyber attack may occur.
Why information assurance vs. cybersecurity is a false premise
It seems if you ask ten different IT security experts, you’ll get ten different views of how all the security disciplines fit together. Some say that information security and cyber security are subsets of information security. For others, information assurance and cybersecurity are parts of information security. There’s even talk of cyber information assurance but is it really sensible to talk ofinformation assurance in cyber security?
In truth, it’s a debate with little heat or light. Any security professional knows that it is a combination of techniques and technologies that are needed to properly protect your information. Cybersecurity, information assurance, information security, they all work together to get the job done.
Why work with OpenText for information assurance and cyber security?
OpenText is one of the world’s leading suppliers of information assurance solutions. Companies around the world have been relying on our eDiscovery and digital forensic solutions for many years. Today, OpenText EnCase Information Assurance is the gold standard in forensically sound data identification, capture and collection. Implementing data discovery based on forensic principles is the best approach to deliver the visibility and control required to uncover relevant information accurately and completely.
Learn more about OpenText Enterprise Information Security solutions.
Author: Alexis Robbins, Senior Product Marketing Manager
