What Is InfoSec? Information Security Explained

A significant subset of overall cybersecurity, information security (InfoSec) focuses on protecting sensitive data and information from the risks of cyberattacks. It covers but is not limited to:

• Computer systems
• Mobile devices
• Networks, both on-premises and in the cloud

The fundamental goal of information security is to prevent sensitive data from being compromised by criminals or state actors. InfoSec encompasses a wide range of tasks and practices, spanning from monitoring user behavior to assessing risk to ongoing education. This article will address these topics and provide an introduction to information security.

(Stay up to date with these InfoSec conferences & events and expert-recommended security reading.)

What is information security? InfoSec definition

The term "information security (InfoSec)" refers to the protection of information assets, including the methods and techniques you use for that protection. This information may include contract documents, financial data, or operational plans that may contain personal, customer-related or business-confidential information. Often, this information is your competitive edge.

The domain of information security is vital to an organization's survival today. InfoSec allows you to:

• Maintain legitimate communications.
• Prevent the misuse of sensitive information.

Most vulnerable are the records kept on mobile devices such as contact lists, emails, business documents, photos, videos, and more. Any personal information that's overshared or mishandled carries serious social consequences for those involved, especially when the perpetrators have malicious intent. ISO/IEC 27001 is a global standard for InfoSec.

Indeed, as information security has become increasingly important to organizations, the role of the CISO, or chief information security officer, has become significantly more visible. Ways to systematically manage InfoSec, in the form of ISMSs, is also becoming a popular topic.

(Information security is a vital part of cyber hygiene.)

InfoSec vs. other security types

In the IT landscape, security can mean a number of things:

• Network security
• Infrastructure security
• The overarching enterprise security, which encompasses all security across an enterprise

Comparing InfoSec to physical security highlights significant differences when it comes to security in the digital sphere. How might InfoSec differ from physical security?

1. For one thing, you can't always see an attacker in virtual spaces. 
2. Second, you can use encryption to protect your digital assets property. This, of course, doesn't work with physical theft.

Finally, the criminal intent differs: a burglar may look to take something valuable, while cybercriminals look for financial gain or intellectual property by using our computers against us. Importantly, though, criminal intent doesn’t have to be present in order for information security to be breached. Often, it's insider threats — like an employee accidentally sharing a document — that can make you vulnerable.

(Understand vulnerabilities, threat, and risk, fundamental security concepts.)

Components of InfoSec

To understand InfoSec in-depth, it's best to break it down into its components and hierarchy. First, we can place InfoSec underneath the larger umbrella of cybersecurity. Cybersecurity covers all aspects of cyber threats and security, including InfoSec. This includes:

• Making sure your company stays up to date on the latest software and hardware.
• Training staff on how to ensure their systems are secure.

So, what comprises InfoSec? The following components are integral considerations within InfoSec.

Hardware and software

Hardware includes physical security systems and all the devices we use: computers, laptops, monitors, printers, cell phones, tablets, and more.

Software includes programs installed on company servers such as firewalls, VPNs, anti-virus software, and so forth. You can also consider software that doesn’t specifically support InfoSec — instead, it’s the opposite: the information held in every software and app likely also requires protecting.

(Learn more about IT infrastructure.)

Network security

Network security protects all data transmitted through a computer network. Securing the network prevents bad actors from breaching an organization's information or hacking into the cloud or other parts of the organization.

(Related reading: network security monitoring.)

Human Resource (HR) security

In this context, human resources refer to the files that contain employee information. Depending on the type of organization and how it's managed, this information can be extremely important or it could contain non-sensitive documents that could still be stolen.

Information security policies

Policies document how a company will operate regarding InfoSec issues. These policies should clearly state how a company will respond to events such as an outsider breaching the system and stealing data or whether the company will compensate a victim for any damages due to negligence.

Security assurance

Security assurance means ensuring that companies can protect their data against cyber threats. This usually means taking measures to ensure the company is:

• Using appropriate software and hardware.
• Installing or updating it as needed.
• Training staff on how to ensure they have security programs in place.

Breach response

Often part of incident management, breach response is the practical aspect that entails responding after an event such as a breach occurs. This includes contacting the victim and determining information including:

• What data may have been stolen
• The methods used to steal it
• The damages and potential damages

Current challenges in information security

The common challenge with information security is any vulnerability. A vulnerability is a flaw in code that allows somebody else to gain access to resources (e.g., files). It can also be used to gain access to sensitive information such as passwords in cookies. A vulnerability is typically a programming error, but it can also be an issue with the way you set a system up.

Some vulnerabilities are security bugs that may cause loss of data integrity or denial of service. Other vulnerabilities allow the execution of arbitrary code or enable privilege escalation. Some applications become popular targets for attacks because of the number of users using them and their critical nature. (The exploding popularity of ChatGPT and a bevvy of new AIs underscores how genAI can completely change the came for security, both for the good people and the bad actors and hackers.)

A hacker may also use an exploit to bypass a security control such as a buffer overflow or unauthorized access to code that allows it to run on the vulnerable application's machine.

Pinpointing vulnerabilities

The art of vulnerability management begins with knowing what and where your vulnerabilities are. You can find all sorts of vulnerabilities, and in many places:

• One of the fastest-growing areas is embedded software, which includes computer systems such as personal digital assistants (PDAs) and automotive systems.
• Many operating system kernels have vulnerabilities that allow local privilege escalation because of faulty design or kernel bugs.
• Some hardware devices have flaws that allow unauthorized access to their electronic control units. Others allow unauthorized access to the system firmware, including the BIOS and OS images.

The Internet of Things (IoT) poses a challenge unseen before the last decade or so. By enabling the connection of billions of devices, IoT increases an organization's attack surface. With manufacturers not prioritizing security, IoT devices lack sufficient computing resources to deal with the current security threats. Such devices may have weak data encryption posing a risk — such as data privacy violations and data breaches — to end-users, governments, and businesses.

Another challenge that's rapidly approaching: quantum computers (CRQCs) pose a challenge to cryptography. Encryption methods that use complex mathematical problems as their defense mechanism are particularly at risk from quantum computers. Quantum algorithms threaten to break such encryption methods, as they can solve complex problems quickly. Future advanced quantum computers may be able to access, decrypt, and read encrypted information. This will make the entire cybersecurity field rethink how it can protect its assets. An emerging speciality around quantum-safe standards is growing quickly.

(Source: Slide 25 of Professor Michele Mosca's PDF, sourced from an annual quantum conference run by ETSI in winter 2022.)

How to assess InfoSec vulnerability

The vulnerability assessment process, as defined by the National Institute of Standards and Technology (NIST), is a structured process for:

1. Identifying vulnerable code, apps, systems, and loopholes.
2. Understanding their risk exposures.

NIST conducts vulnerability assessments in order to identify potential weaknesses in computer software applications, operating systems, and hardware and communication technologies that potentially affect the confidentiality, integrity, or availability of information resources. (This concept is known as the CIA triad.) The vulnerability assessment process comprises three three phases:

1. Finding and assessing vulnerabilities

Step one involves identifying security and privacy vulnerabilities within an organization’s systems, hardware, software, policies, and processes. Vulnerabilities come in many types and forms, and they can also arise from supply chain issues, untrustworthy external providers, or system configurations that introduce risks​ — therefore, keep an eye on these, too.

At this stage, an organization seeks to:

1. Define the scope of vulnerabilities.
2. Deploy methods to identify weaknesses.

You can then use the confidentiality, integrity, and availability (CIA) triad to help prioritize which vulnerabilities to address first.

2. Assessing the risk of the vulnervailities

After identifying vulnerabilities, you need to analyze each one to determine its potential impact on your organization — this is known as a risk assessment. For each vulnerability, you will:

1. Assess the likelihood of a successful exploit. You can use a framework like the CVSS. 
2. Then, conduct an impact analysis to understand how much harm can occur if a vulnerability is exploited. 
3. Finally, rank or score the risks based on likelihood and impact so that you can address the most severe vulnerabilities first. 

You can use automated risk assessment tools to ensure continuous and near real-time assessments.

3. Providing an implementation assurance review

Once vulnerabilities are identified and assessed, it's time to implement appropriate risk remediation or mitigation strategies. This includes evaluating whether the existing controls or processes are sufficient to reduce the risk to acceptable levels.

Non-technical stakeholders, including managers and auditors, are essential in this process. They ensure that the mitigation mechanisms align with organizational goals, policies, privacy regulations, and governance standards. They also perform compliance checks, audits, or assurance activities to validate the effectiveness of implementation.

(Know the differences: risk remeditation vs. risk mitigation.)

Achieving InfoSec: best practices

There are several methods that organizations should use to reduce the risk of cyberattacks.

Assessing risk and implementing improvements

First, conduct a risk assessment to estimate and understand how much risk is present. You can rank overall risk as low, medium, high, or extreme, with each level having a different priority.

Example of a risk matrix. (Image source)

The risk assessment will provide an organization with information such as how much money and time it must spend to mitigate the threat. This analysis also goes through technical implementation and provides information regarding necessary resources, such as:

• Specifications required for hardware and software updates.
• The personnel dedicated to supporting and maintaining information security.

(Related reading: risk appetite vs. risk tolerance.)

Putting security defenses into place

Security defenses are the practices and policies that a network employs to:

• Prevent unauthorized access.
• Detect and correct improper access attempts.
• Mitigate potential threats.

Defenses include the physical perimeter, authentication and authorization mechanisms, personal firewalls, intrusion detection systems (IDS), honeypots, digital rights management (DRM), encryption, and more. Information security can also involve elements of law enforcement when an organization needs to defend itself against cybercrimes such as hacking.

Many defenses rely on controls and policies to help detect and correct improper or unauthorized access, and we refer to them as security controls. For example, a firewall may provide defense in depth in multiple network access control layers.

(Differences explained: defensive security vs. offensive security.)

Incorporating InfoSec tooling

InfoSec tools help automate most of manual security tasks, streamlining a company's an overall security posture. Common InfoSec tools include:

• Security information and event management (SIEM)
• Data loss prevention (DLP)
• Intrusion detection systems (IDS) and intrusion prevention systems (IPS)
• Vulnerability scanners 
• Security orchestration, automation and response (SOAR) systems

These tools help to detect threats, monitor compliance, respond to incidents, manage risks, and more. Ensure that you select the right tools that align with the organization's unique security needs.

(Related reading: SOC modernization.)

(Power your SOC with full visibility and security monitoring from Splunk.)

Training and educating employees

Train employees to ensure they understand different security vulnerabilities and how to avoid them by following security best practices. Develop a training program based on the organization's security needs. Then, conduct continuous training focusing on the unique risks the organization faces.

Understand that different departments or job roles face unique security risks. So, ensure that the training is role-specific. The roles and responsibilities of an employee determine the security knowledge level they require to keep the organization secure. For instance:

• The IT team needs comprehensive InfoSec training, especially on the tools, techniques, and processes in place to support InfoSec. 
• The marketing and finance team needs to learn how to identify and deal with social engineering and phishing attempts.

Also, ensure the training content evolves with the security landscape, addressing the newest threats.

Creating and enabling an InfoSec team

In larger organizations, InfoSec is the jurisdiction of one or several teams. The primary task of an InfoSec team is to monitor security measures and assess vulnerabilities. They are responsible for assessing system vulnerabilities, monitoring systems that process sensitive information, identifying attackers within an organization, preventing attacks when possible, and minimizing the effects of attacks that do succeed.

An InfoSec team member's role may be to:

• Implement and enforce policies.
• Develop a threat management program.
• Publicize security policies.
• Educate users regarding security issues.

As such, these InfoSec professionals probably deal with a variety of tasks and domains, including vulnerability assessment programs, data privacy policies, encryption techniques, requirements for hardware and software updates, and ongoing training and education efforts.

Typically, InfoSec roles are shared among different teams in an organization. For example, in the development and IT process:

• DevSecOps and DevOps teams integrate security tools into the development pipeline.
• Sysadmins and network engineers ensure infrastructure security.
• Software developers write, review, and secure code to address vulnerabilities.
• Quality assurance (QA) teams ensure that software is free from security defects before its release.
• Penetration testers evaluate an organization's security posture.
• Database administrators (DBAs) secure the organization's databases.

(Learn about all the roles on a security team & check out IT salary trends.)

Information security will require more attention

As technology advances, so do attacks. Information security is a multifaceted issue that requires professionals who have a variety of skills. For example:

• A system administrator must understand the security of the hardware and software they support.
• A network engineer must understand network security and how data is transmitted.
• A programmer must know how to write secure code.

An important key to a successful information security program is training employees on all pertinent aspects. All employees must understand how to handle data properly and know where sensitive data should be located so they can protect it.