Information security, sometimes abbreviated to infosec, is a set of practices intended to keep data secure from unauthorized access or alterations, both when it’s being stored and when it’s being transmitted from one machine or physical location to another. You might sometimes see it referred to as data security. As knowledge has become one of the 21st century’s most important assets, efforts to keep information secure have correspondingly become increasingly important.
The SANS Institute offers a somewhat more expansive definition:
Because information technology has become the accepted corporate buzzphrase that means, basically, “computers and related stuff,” you will sometimes see information security and cybersecurity used interchangeably. Strictly speaking, cybersecurity is the broader practice of defending IT assets from attack, and information security is a specific discipline under the cybersecurity umbrella. Network security and application security are sister practices to infosec, focusing on networks and app code, respectively.
Obviously, there’s some overlap here. You can’t secure data transmitted across an insecure network or manipulated by a leaky application. As well, there is plenty of information that isn’t stored electronically that also needs to be protected. Thus, the infosec pro’s remit is necessarily broad.
The basic components of information security are most often summed up by the so-called CIA triad: confidentiality, integrity, and availability.
In an ideal world, your data should always be kept confidential, in its correct state, and available; in practice, of course, you often need to make choices about which information security principles to emphasize, and that requires assessing your data. If you’re storing sensitive medical information, for instance, you’ll focus on confidentiality, whereas a financial institution might emphasize data integrity to ensure that nobody’s bank account is credited or debited incorrectly.
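To make the distinction between confidentiality and integrity concrete, here is an added Python example that is not part of the original article. It assumes a demonstration keystream construction (HMAC-SHA256 in counter mode, XORed with the message) for confidentiality and a separate HMAC tag for integrity; the payment message is a constructed sample. The point it shows is the one behind the bank example above: encryption alone hides content but does not stop an attacker from altering it, so an organization that must guarantee integrity needs a separate check, and a record that fails that check should never be released. Availability is an operational property and is not shown in code.

```python
import hashlib
import hmac
import os

# Demonstration-only confidentiality primitive: a keystream derived from
# HMAC-SHA256 in counter mode, XORed with the message (an assumed construct,
# not a standard cipher). Like any stream cipher it hides content but lets
# an attacker flip plaintext bits by flipping ciphertext bits. Real systems
# should use an AEAD mode from a vetted library instead.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # XOR with the same keystream is its own inverse


# Integrity: an HMAC tag over nonce + ciphertext, checked in constant time.
def tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes):
    nonce = os.urandom(16)
    ct = encrypt(enc_key, nonce, plaintext)
    return nonce, ct, tag(mac_key, nonce, ct)


def unprotect(enc_key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, t: bytes):
    # Verify integrity first; on failure refuse to release any plaintext.
    if not hmac.compare_digest(tag(mac_key, nonce, ct), t):
        return None
    return decrypt(enc_key, nonce, ct)


def demo() -> dict:
    enc_key = os.urandom(32)
    mac_key = os.urandom(32)
    # Constructed sample record: a payment message with an amount field.
    plaintext = b"transfer amount=0100 to acct=4242"
    nonce, ct, t = protect(enc_key, mac_key, plaintext)

    # Simulate an in-transit modification of the ciphertext byte that sits
    # under the leading '0' of the amount, turning it into a '9' on decryption.
    pos = plaintext.index(b"0100")
    tampered = bytearray(ct)
    tampered[pos] ^= ord("0") ^ ord("9")
    tampered = bytes(tampered)

    # Confidentiality without integrity: the altered amount decrypts "cleanly".
    silently_altered = decrypt(enc_key, nonce, tampered)
    # Confidentiality plus integrity: the altered record is rejected.
    rejected = unprotect(enc_key, mac_key, nonce, tampered, t)
    genuine = unprotect(enc_key, mac_key, nonce, ct, t)
    return {
        "ciphertext_hides_content": plaintext not in ct,
        "silently_altered": silently_altered,
        "tampered_rejected": rejected is None,
        "genuine": genuine,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running `demo()` shows the silently altered message reading `amount=9100` when only decryption is applied, while `unprotect` returns `None` for the same tampered ciphertext and the original message for the genuine one. The tag covers the nonce as well as the ciphertext so that neither can be swapped independently, and `hmac.compare_digest` is used so that verification time does not leak how many tag bytes matched.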
The means by which these principles are applied to an organization take the form of a security policy. This isn’t a piece of security hardware or software; rather, it’s a document that an enterprise draws up, based on its own specific needs and quirks, to establish what data needs to be protected and in what ways. These policies guide the organization’s decisions around procuring cybersecurity tools, and also mandate employee behavior and responsibilities.
Among other things, your company’s information security policy should include:
One important thing to keep in mind is that, in a world where many companies outsource some computer services or store data in the cloud, your security policy needs to cover more than just the assets you own. You need to know how you’ll deal with everything from personally identifying information stored on AWS instances to third-party contractors who need to be able to authenticate to access sensitive corporate info.
As should be clear by now, just about all the technical measures associated with cybersecurity touch on information security to a certain degree, but it is worthwhile to think about infosec measures in a big-picture way:
It’s no secret that cybersecurity jobs are in high demand, and in 2019 information security was at the top of every CIO’s hiring wishlist, according to Mondo’s IT Security Guide. There are two major motivations: There have been many high-profile security breaches that have resulted in damage to corporate finances and reputation, and most companies are continuing to stockpile customer data and give more and more departments access to it, increasing their potential attack surface and making it more and more likely they’ll be the next victim.
There are a variety of different job titles in the infosec world. The same job title can mean different things in different companies, and you should also keep in mind our caveat from up top: a lot of people use “information” just to mean “computer-y stuff,” so some of these roles aren’t restricted to just information security in the strict sense. But there are general conclusions one can draw.
Information security analyst: Duties and salary
Let’s take a look at one such job: information security analyst, which is generally towards the entry level of an infosec career path. CSO’s Christina Wood describes the job as follows:
Information security analysts are definitely one of those infosec roles where there aren’t enough candidates to meet the demand for them: in 2017 and 2018, there were more than 100,000 information security analyst jobs that were unfilled in the United States. This means that infosec analyst is a lucrative gig: the Bureau of Labor Statistics pegged the median salary at $95,510 (PayScale.com has it a bit lower, at $71,398).
How does one get a job in information security? An undergraduate degree in computer science certainly doesn’t hurt, although it’s by no means the only way in; tech remains an industry where, for instance, participation in open source projects or hacking collectives can serve as a valuable calling card.
Still, infosec is becoming increasingly professionalized, which means that institutions are offering more by way of formal credentials. Many universities now offer graduate degrees focusing on information security. These programs may be best suited for those already in the field looking to expand their knowledge and prove that they have what it takes to climb the ladder.
At the other end of the spectrum are free and low-cost online courses in infosec, many of them fairly narrowly focused. The world of online education is something of a wild west; Tripwire breaks down eleven highly regarded providers offering information security courses that may be worth your time and effort.
If you’re already in the field and are looking to stay up-to-date on the latest developments—both for your own sake and as a signal to potential employers—you might want to look into an information security certification. Among the top certifications for information security analysts are:
Many of the online courses listed by Tripwire are designed to prepare you for these certification exams. Best of luck in your exploration!
This story, “What is information security? Definition, principles, and jobs” was originally published by
Josh Fruhlinger is a writer and editor who lives in Los Angeles.
Copyright © 2020 IDG Communications, Inc.