A significant subset of overall cybersecurity, information security (InfoSec) focuses on protecting sensitive data and information from the risks of cyberattacks. It covers but is not limited to:
The fundamental goal of information security is to prevent sensitive data from being compromised by criminals or state actors. InfoSec encompasses a wide range of tasks and practices, spanning from monitoring user behavior to assessing risk to ongoing education. This article will address these topics and provide an introduction to information security.
(Stay up to date with these InfoSec conferences & events and expert-recommended security reading.)
The term "information security (InfoSec)" refers to the protection of information assets, including the methods and techniques you use for that protection. This information may include contract documents, financial data, or operational plans that may contain personal, customer-related or business-confidential information. Often, this information is your competitive edge.
The domain of information security is vital to an organization's survival today. InfoSec allows you to:
Most vulnerable are the records kept on mobile devices such as contact lists, emails, business documents, photos, videos, and more. Any personal information that's overshared or mishandled carries serious social consequences for those involved, especially when the perpetrators have malicious intent. ISO/IEC 27001 is a global standard for InfoSec.
Indeed, as information security has become increasingly important to organizations, the role of the CISO, or chief information security officer, has become significantly more visible. Ways to systematically manage InfoSec, in the form of ISMSs, is also becoming a popular topic.
(Information security is a vital part of cyber hygiene.)
In the IT landscape, security can mean a number of things:
Comparing InfoSec to physical security highlights significant differences when it comes to security in the digital sphere. How might InfoSec differ from physical security?
Finally, the criminal intent differs: a burglar may look to take something valuable, while cybercriminals look for financial gain or intellectual property by using our computers against us. Importantly, though, criminal intent doesn’t have to be present in order for information security to be breached. Often, it's insider threats — like an employee accidentally sharing a document — that can make you vulnerable.
(Understand vulnerabilities, threat, and risk, fundamental security concepts.)
To understand InfoSec in-depth, it's best to break it down into its components and hierarchy. First, we can place InfoSec underneath the larger umbrella of cybersecurity. Cybersecurity covers all aspects of cyber threats and security, including InfoSec. This includes:
So, what comprises InfoSec? The following components are integral considerations within InfoSec.
Hardware includes physical security systems and all the devices we use: computers, laptops, monitors, printers, cell phones, tablets, and more.
Software includes programs installed on company servers such as firewalls, VPNs, anti-virus software, and so forth. You can also consider software that doesn’t specifically support InfoSec — instead, it’s the opposite: the information held in every software and app likely also requires protecting.
(Learn more about IT infrastructure.)
Network security protects all data transmitted through a computer network. Securing the network prevents bad actors from breaching an organization's information or hacking into the cloud or other parts of the organization.
(Related reading: network security monitoring.)
In this context, human resources refer to the files that contain employee information. Depending on the type of organization and how it's managed, this information can be extremely important or it could contain non-sensitive documents that could still be stolen.
Policies document how a company will operate regarding InfoSec issues. These policies should clearly state how a company will respond to events such as an outsider breaching the system and stealing data or whether the company will compensate a victim for any damages due to negligence.
Security assurance means ensuring that companies can protect their data against cyber threats. This usually means taking measures to ensure the company is:
Often part of incident management, breach response is the practical aspect that entails responding after an event such as a breach occurs. This includes contacting the victim and determining information including:
The common challenge with information security is any vulnerability. A vulnerability is a flaw in code that allows somebody else to gain access to resources (e.g., files). It can also be used to gain access to sensitive information such as passwords in cookies. A vulnerability is typically a programming error, but it can also be an issue with the way you set a system up.
Some vulnerabilities are security bugs that may cause loss of data integrity or denial of service. Other vulnerabilities allow the execution of arbitrary code or enable privilege escalation. Some applications become popular targets for attacks because of the number of users using them and their critical nature. (The exploding popularity of ChatGPT and a bevvy of new AIs underscores how genAI can completely change the came for security, both for the good people and the bad actors and hackers.)
A hacker may also use an exploit to bypass a security control such as a buffer overflow or unauthorized access to code that allows it to run on the vulnerable application's machine.
The art of vulnerability management begins with knowing what and where your vulnerabilities are. You can find all sorts of vulnerabilities, and in many places:
The Internet of Things (IoT) poses a challenge unseen before the last decade or so. By enabling the connection of billions of devices, IoT increases an organization's attack surface. With manufacturers not prioritizing security, IoT devices lack sufficient computing resources to deal with the current security threats. Such devices may have weak data encryption posing a risk — such as data privacy violations and data breaches — to end-users, governments, and businesses.
Another challenge that's rapidly approaching: quantum computers (CRQCs) pose a challenge to cryptography. Encryption methods that use complex mathematical problems as their defense mechanism are particularly at risk from quantum computers. Quantum algorithms threaten to break such encryption methods, as they can solve complex problems quickly. Future advanced quantum computers may be able to access, decrypt, and read encrypted information. This will make the entire cybersecurity field rethink how it can protect its assets. An emerging speciality around quantum-safe standards is growing quickly.
The vulnerability assessment process, as defined by the National Institute of Standards and Technology (NIST), is a structured process for:
NIST conducts vulnerability assessments in order to identify potential weaknesses in computer software applications, operating systems, and hardware and communication technologies that potentially affect the confidentiality, integrity, or availability of information resources. (This concept is known as the CIA triad.) The vulnerability assessment process comprises three three phases:
Step one involves identifying security and privacy vulnerabilities within an organization’s systems, hardware, software, policies, and processes. Vulnerabilities come in many types and forms, and they can also arise from supply chain issues, untrustworthy external providers, or system configurations that introduce risks — therefore, keep an eye on these, too.
At this stage, an organization seeks to:
You can then use the confidentiality, integrity, and availability (CIA) triad to help prioritize which vulnerabilities to address first.
After identifying vulnerabilities, you need to analyze each one to determine its potential impact on your organization — this is known as a risk assessment. For each vulnerability, you will:
You can use automated risk assessment tools to ensure continuous and near real-time assessments.
Once vulnerabilities are identified and assessed, it's time to implement appropriate risk remediation or mitigation strategies. This includes evaluating whether the existing controls or processes are sufficient to reduce the risk to acceptable levels.
Non-technical stakeholders, including managers and auditors, are essential in this process. They ensure that the mitigation mechanisms align with organizational goals, policies, privacy regulations, and governance standards. They also perform compliance checks, audits, or assurance activities to validate the effectiveness of implementation.
(Know the differences: risk remeditation vs. risk mitigation.)
There are several methods that organizations should use to reduce the risk of cyberattacks.
First, conduct a risk assessment to estimate and understand how much risk is present. You can rank overall risk as low, medium, high, or extreme, with each level having a different priority.
Example of a risk matrix. (Image source)
The risk assessment will provide an organization with information such as how much money and time it must spend to mitigate the threat. This analysis also goes through technical implementation and provides information regarding necessary resources, such as:
(Related reading: risk appetite vs. risk tolerance.)
Security defenses are the practices and policies that a network employs to:
Defenses include the physical perimeter, authentication and authorization mechanisms, personal firewalls, intrusion detection systems (IDS), honeypots, digital rights management (DRM), encryption, and more. Information security can also involve elements of law enforcement when an organization needs to defend itself against cybercrimes such as hacking.
Many defenses rely on controls and policies to help detect and correct improper or unauthorized access, and we refer to them as security controls. For example, a firewall may provide defense in depth in multiple network access control layers.
(Differences explained: defensive security vs. offensive security.)
InfoSec tools help automate most of manual security tasks, streamlining a company's an overall security posture. Common InfoSec tools include:
These tools help to detect threats, monitor compliance, respond to incidents, manage risks, and more. Ensure that you select the right tools that align with the organization's unique security needs.
(Related reading: SOC modernization.)
(Power your SOC with full visibility and security monitoring from Splunk.)
Train employees to ensure they understand different security vulnerabilities and how to avoid them by following security best practices. Develop a training program based on the organization's security needs. Then, conduct continuous training focusing on the unique risks the organization faces.
Understand that different departments or job roles face unique security risks. So, ensure that the training is role-specific. The roles and responsibilities of an employee determine the security knowledge level they require to keep the organization secure. For instance:
Also, ensure the training content evolves with the security landscape, addressing the newest threats.
In larger organizations, InfoSec is the jurisdiction of one or several teams. The primary task of an InfoSec team is to monitor security measures and assess vulnerabilities. They are responsible for assessing system vulnerabilities, monitoring systems that process sensitive information, identifying attackers within an organization, preventing attacks when possible, and minimizing the effects of attacks that do succeed.
An InfoSec team member's role may be to:
As such, these InfoSec professionals probably deal with a variety of tasks and domains, including vulnerability assessment programs, data privacy policies, encryption techniques, requirements for hardware and software updates, and ongoing training and education efforts.
Typically, InfoSec roles are shared among different teams in an organization. For example, in the development and IT process:
(Learn about all the roles on a security team & check out IT salary trends.)
As technology advances, so do attacks. Information security is a multifaceted issue that requires professionals who have a variety of skills. For example:
An important key to a successful information security program is training employees on all pertinent aspects. All employees must understand how to handle data properly and know where sensitive data should be located so they can protect it.
See an error or have a suggestion? Please let us know by emailing ssg-blogs@splunk.com.
This posting does not necessarily represent Splunk's position, strategies or opinion.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.