Tuesday, June 25, 2013

"Cyber security" is a superset of "information security", not a synonym

Over at the Security Sceptic blog, Dave Piscitello has a post titled "Stop Saying Cybersecurity When You Mean Infosec (and vice-versa)", where he makes a good case for not using "cyber security" and "information security" interchangeably.
"There is perhaps no term more overhyped, overused, overloaded and misunderstood in infosec and politics today than cybersecurity. Infosec and cybersecurity are often used interchangeably..."
Many InfoSec pros bash the use of the qualifying term "cyber" and consider it a sign of incompetence on the part of the speaker or writer. They also see it as a sign that the field is being overrun by Beltway policy types, military types, and lawyers who really know nothing about it.

Rather than try to banish it, I agree with Dave that it should be used to mean a superset of information security, and not used as a synonym. If enough people use it that way, it might catch on.

Dave suggests this distinction:
"Label as infosec activities that seek to fix actual security defects (i.e., cure, manage or improve health). This would include categories like secure code development, best practices and technology to identify or mitigate suboptimal (vulnerable) configuration, SIEM, identity and data/privacy protection. Label as cybersecurity activities that are offensive, retaliatory or surveillance (military intelligence)."
This is OK, but I suggest a broader definition:

  • "Cyber security" -- the confluence of information security, industrial control security, privacy, identity, and digital rights, along with civil liberties and national/homeland security in the digital domain.

What do you think? If someone can come up with a better umbrella term, I'm all for it.

(Edit 6/26/13: added "identity" to the definition. It's a key integrating thread. Also added "industrial control security".)


  1. 'Cybersecurity' also includes industrial control system security, something completely different than infosec. It would also include some parts of communications security, particularly the overlap between comsec and infosec.

  2. Agreed. I edited the post to include industrial control security.