How do you define cybersecurity?
How do you define data security?
Let's look at the difference between the two terms.
Before we do, a quick level set about the term information security. While it is often used interchangeably with cybersecurity, it seems information security is more closely aligned with the term data security.
Because information is data.
So let's start by defining data security.
Data security definition
Many refer to information security when they are really talking about data security. Our team likes the way Experian (a data company) defines data security. Here it is:
"Data Security concerns the protection of data from accidental or intentional but unauthorized modification, destruction or disclosure through the use of physical security, administrative controls, logical controls, and other safeguards to limit accessibility. Ways of securing your data include:
- Data Encryption — converting the data into a code that cannot be easily read without a key that unlocks it.
- Data Masking — masking certain areas of data so personnel without the required authorization cannot look at it.
- Data Erasure — ensuring that no longer used data is completely removed and cannot be recovered by unauthorized people.
- Data Backup — creating copies of data so it can be recovered if the original copy is lost.
General good practice, however, goes beyond these methods."
So data security seems to be primarily focused on the data itself, along with identity and access management. That is, who can access or remove that data?
What about defining cybersecurity?
We think it makes the most sense to look at how the National Institute of Standards and Technology (NIST) is defining the term.
After all, the NIST Cybersecurity Framework appears to be the gold standard of cybersecurity frameworks on a global basis.
One NIST publication defines cybersecurity in stages:
"The process of protecting information by preventing, detecting, and responding to attacks."
However, another publication gives the detailed NIST definition of cybersecurity:
"Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation."
And we found a third way that NIST talks about cybersecurity:
"The ability to protect or defend the use of cyberspace from cyber attacks."
The difference between cybersecurity and data safety
So if we're interpreting things correctly, it seems that data security is a relatively narrow term, primarily about the data itself. Makes sense, right?
And cybersecurity is a more sweeping term that includes the data and the systems that make moving, storing, and authenticating that data possible. Plus, the great vastness of "cyberspace."
Cybersecurity vs. cyber safety
But is it possible we need an even wider view of what's at stake when we talk about cybersecurity?
This is what we've been hearing at our SecureWorld regional cybersecurity conferences.
JPMorgan Chase CISO Jason Witty told us during an interview that he believes we've moved beyond cybersecurity to cyber safety:
"It's not just making sure your data is safe anymore, it's making sure whatever that physical manifestation is that is connected to you, that's connected to the hospital you are in for care or the car you're driving or the pacemaker that's in your chest. It's about making sure those things aren't going to actually kill you."
No matter how you define these terms, clearly, they are significant.
Even to the point of protecting life itself.