This post seeks to clarify the terms to avoid further misuse and mischaracterization when they are referred to in business and entity operations, policy implementations, and legal discussions. As loosely used, they are given the meaning of protecting information from unauthorized access, and that has made some sense. The failure to distinguish them allows for gaps in insurance coverage and for misdiagnosed issues in audits and in personnel evaluations of performance measures. By the same failure to make a valid distinction, appropriate information technology performance is misdiagnosed as well. In governmental policy circles, cybersecurity is the prevailing nomenclature; however, the federal legal provision that addresses cybersecurity is termed the Federal Information Security Management Act (FISMA). Among information technology professionals and in select industries, such as the accounting, financial, and medical areas, the term used is information security. Yet that terminology requires clarification because an important consideration is the actual form of the information.
As we consider the form of information and its means, we also need to recognize the differences. The Internet and the digital age are here, and the information that we derive from digital networks and processes can be termed data, digital documents, or digital records, as opposed to physical information. Once that physical information is digitized, it becomes digital data. For purposes of addressing systems, networks, and platforms, cyber security is most appropriate. For purposes of addressing the element of communication, or what is being transferred, sent, stored, or received, data security is most appropriate. As files are maintained, any entity's concern is appropriately with its network integrity or network security. Because servers are accessed by multiple users who are accessing, transmitting, and sharing the data, the practical reference is cybersecurity, as it addresses the integrity of the system managing the activities and functions of the digital features of the data. So, cybersecurity is the macro systemic interface activity of networks, Internet, Intranet, email trunks, remote access relays, and data channels involved in transmission, storage, and maintenance. Hence, cyber security is about the system. In its technical application, cyber security involves the technologies, algorithms, software, networks, and devices used to protect the amalgamation that comprises the computing system from intrusions and to conduct diagnostics of its security system.
Data security is the process of addressing unauthorized access. As data security is applied, the issues discussed cover unauthorized disclosure and access, breach of confidentiality, and misappropriation. Such characterization gives rise to a focus on the management or administration of data that is transmitted through the system. This in turn gives rise to the concepts of data hygiene, analytics, and data governance. The data lives in the system. Data security is about what is transmitted through the system. Another way to describe the distinction is that data security involves the interaction of humans, artificial intelligence (AI), encryption, technology management, and software processes for the digital realm in securing and protecting data from breaches within the cyber system. Essentially, data security is the intended benefit of cyber security, that is, of protecting the system, network, or platform.
The Internet function blurs the distinction for many businesses and entities. This blurring has given rise to debates on how to address information security, protection of data, data governance, Internet governance, network protection, Internet of Things security, and Industrial Internet of Things security. The debates will continue, even among governments, organizations, and private entities, about responding to cybercrimes and addressing Internet governance, vis-à-vis billions of individuals resorting to the Internet for freedom, freedom of expression, the pursuit of knowledge, conducting business, transferring and transmitting records, and even executing financial transactions. The terms appear related, and they are; but the practical approach to resolving how best to address the critical events faced daily with every cyber incident requires a clearer distinction. Until we have a clear understanding, the lag between the law and cyber events will widen, and the learning curve for employees, managers, corporate officers, government officials, and lawmakers will continue as well.