If you’re considering what career specializations you could pursue with an online Master of Science in Management Information Systems (MS MIS) from UAB, some form of computer or data security might be of interest. But you might be wondering, what’s the difference between cybersecurity and information security?
Although information security and cybersecurity are related disciplines, they aren’t synonymous. Let’s explore the similarities and differences between cybersecurity and information security, and what it takes to enter either field with an online MS MIS degree.
What Is Cybersecurity — and Why Does It Matter?
As defined by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), “Cybersecurity is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring confidentiality, integrity, and availability of information.”
Because so much of personal and commercial life revolves around the use of computers, servers, mobile devices, networks, and related systems and tools, the technologies and sensitive data they store can be vulnerable to various types of attacks. Some common types of cyberattacks and threats include:
- Malware: Any type of malicious software program designed to cause harm to a device, network, or server
- Computer viruses: A type of malware that embeds itself in a computer system, wreaks havoc, and then spreads to other systems
- Ransomware: Malware through which a cyberattacker demands a monetary ransom in exchange for the return of compromised data
- SQL injection: An attacker inputs malicious code that forces a server managing data with the SQL query language to expose sensitive data
- DDoS attacks: During a distributed denial-of-service attack, the perpetrator will overwhelm a website or computer network with a significant amount of traffic
- Trojan horses: This type of malware will appear innocuous by concealing itself as a legitimate, trustworthy program before revealing its malicious intent and launching an attack
- Phishing: A cybercriminal fraudulently poses as a trusted individual, thereby obtaining sensitive information from victims
- Zero-day exploits: Attacks that cybercriminals launch against a network in the window between the time a vulnerability is identified and the time it is patched
Given the variety of potential risks and mitigating security measures that must be taken, cybersecurity is organized into several different subsets, each of which deals with protection of a different asset or environment. Disciplines that fall under the cybersecurity umbrella include:
- Network security: the protection of computer networks
- Internet security: the protection of activities that occur over the internet and in web browsers
- Application security: the protection of mobile applications
- Operational security: the protection of information that could be exploited by an attacker
- Information security: the protection of data and information
- Disaster recovery: the procedure for incident response and recovering compromised data and systems
A comprehensive cybersecurity strategy will address many or all of these vulnerabilities and precautions to ensure that an organization’s entire cyber realm is as safe from malicious intent and harm as possible.
However, not all enterprises pay close attention to the risks. Lax computer security, weak passwords, and other corner-cutting measures in the information technology (IT) department can cost businesses dearly. According to a 2020 Accenture study, the average cost per attack or incident is $380,000 for organizations that don’t have industry-leading cybersecurity programs in place. If these organizations improved their cybersecurity posture, Accenture estimated that this would result in savings of $6 million per year.
This just goes to show that the business world needs qualified, experienced cybersecurity professionals who can keep cyberspace a safer place.
What Is Information Security — and Why Does It Matter?
As we’ve noted, information security is a subset of cybersecurity. Essentially, this set of risk management practices and security protocols helps keep various forms of data and information safe against cyberthreats and attacks.
The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) defines information security as: “The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.”
Protecting information against data breaches and other threats is becoming increasingly important as virtually all industries — from hospitals and banks to retailers and human resources departments within small businesses — rely more heavily on electronic data storage. And it is an extremely valuable aspect of cybersecurity. After all, what is the point in keeping a computer’s hard drive safe from manipulation if the personal information stored in that device is readily available for access and misuse by unauthorized parties?
In an increasingly digital age, information security matters to everyone from business leaders to customers to families around the world. People should be able to confidently make online purchases, conduct business transactions, log into mobile apps, and share photos with friends on social media with the appropriate degree of confidentiality — as well as the confidence that their actions and the information they’re sharing are secure. When an organization experiences a cyberattack, this not only exposes sensitive data and can cause significant problems for the victims, but it also causes a breach of trust.
A 2019 data privacy survey by the Pew Research Center found that 81% of the U.S. public believes the potential risks of sharing data with companies outweigh the benefits. And, with more stringent data protection laws being implemented, including the European Union’s General Data Protection Regulation (GDPR) in 2018, entities that collect, process, or store data online are held to higher standards than ever before.
For this reason, organizational leaders need the support of experts who can help protect their information assets and improve their security ratings. With the help of information security teams, organizations can use their data-wielding powers for good and assure customers and clients that the data they collect is protected from the many cybersecurity risks out there.
What’s the Difference Between Information Security and Cybersecurity?
Despite what some people might think, cybersecurity and information security aren’t synonymous — and cybersecurity is not a subset of information security. Rather, information security is one facet of the broader category of cybersecurity.
There is certainly some overlap between the disciplines. For instance, securing computer networks and mobile apps may be a critical step toward ensuring information security. However, information security places the emphasis on the data itself. Attention to the various systems and pieces of equipment that handle this data becomes a secondary priority that supports the main objective.
As explained by digital magazine CSO, information security consists of certain measures that may or may not align with other cybersecurity measures:
- Establishing an information security policy containing overall goals, access controls, password protocols, and guidance around employees’ roles and responsibilities
- Organizing an internal information security unit
- Incorporating information security responsibilities into various roles across the organization
- Providing the necessary training and raising awareness around possible data breaches and vulnerabilities to keep staff vigilant
- Keeping hardware and software secure through various technical security measures
- Ensuring data centers and offices are physically secure from unauthorized personnel
How Do You Become a Cybersecurity or Information Security Professional?
Now that you know the answer to the commonly asked question, “What’s the difference between cybersecurity and information security?” you can start thinking about whether to set your career sights on either of these focus areas.
According to the U.S. Bureau of Labor Statistics (BLS), a bachelor’s degree is typically required for entry-level positions. However, employers looking for true experts in the field will often seek applicants who hold a relevant graduate degree, such as a Master of Business Administration (MBA) or an online Master of Science in Management Information Systems.
Experience working in an IT department role such as network or computer systems administrator can prepare graduates for the more complex role of a security analyst. Given the many facets of the cybersecurity field, employers may also prioritize candidates who come with previous experience in a specific subset of cybersecurity, as well as in a particular industry.
Beyond the security analyst role, qualified professionals may be able to enter the C-suite as chief security officers (CSO) or take on similar organizational leadership positions.
What Is the Job Outlook for Information Security and Cybersecurity?
Because of the important role they play in the business world, information security and cybersecurity experts are in demand. Gartner predicts that the global information security market will reach $170.4 billion by 2022, marking a five-year compound annual growth rate of 8.5% since 2018.
According to the BLS, the number of jobs across all computer occupations will experience an 11% increase between 2019 and 2029, which is significantly higher than the 4% pace across all fields. However, the market for information security analysts is expanding even more rapidly, at a rate of 31%. This will bring the total number of information security jobs up to 171,900 by 2029.
In fact, these figures make the information security analyst the No. 10 fastest-growing occupation. U.S. News & World Report also considers this role to be the fifth-best technology job of 2020.
The BLS does not publish data for cybersecurity professionals specifically. But, given the many other specific careers that fall under its umbrella, it is safe to say that cybersecurity at large is experiencing some of this same rapid growth.
For instance, a 2019 report published by the International Information System Security Certification Consortium, also known as (ISC)², predicts that the cybersecurity talent pool will need to grow by 62% within the U.S., and 145% globally, to fill skills gaps and meet the demands of the workforce. If, as (ISC)² estimates, there are roughly 805,000 cybersecurity professionals currently working in the U.S., this high demand suggests that there will be a significant number of job opportunities available to security experts over the next several years.
How Much Can You Make in an Information Security or Cybersecurity Career?
A career in either cybersecurity or information security can be lucrative, and, for some professionals, it comes with a six-figure salary. The BLS notes that the median annual salary for information security analysts in May 2019 was $99,730, and the highest 10% of earners made at least $158,860 per year.
Naturally, the highest-paid roles involve the highest level of responsibility and expertise. According to the InfoSec Institute, the following are the top-paying jobs in information security:
- Ethical hacker or penetration tester: $71,660 median
- Information security consultant: $84,000 median
- Network security engineer: $114,000 average
- Information security engineer: $120,570 median
- Information security director: $137,000 median
- Information security architect: $140,820 average
- Information security manager: $152,500 average
- Chief information security officer: $140,000 or higher, up to $500,000
Similarly, top-paying jobs in cybersecurity include the following, according to Indeed:
- Information manager: $99,930 average
- Security engineer: $101,808 average
- Risk manager: $108,465 average
- Software architect: $117,633 average
- Cloud engineer: $126,628 average
- Application security engineer: $128,128 average
Despite the high demand and high pay, according to Indeed, overall competition and interest are relatively low. Between 2017 and 2018, the job listing site noted a 7.2% increase in the number of cybersecurity job postings in the U.S., as well as a 1.3% decrease in the number of clicks on those job ads. However, other employment markets, including Israel, the Netherlands, and Australia, saw a spike in the number of clicks, with Indeed calculating increases of 18%, 13%, and 11%, respectively.
Industry leaders in the U.S. have a harder time generating buzz around these opportunities, and the field as a whole, due to a lack of real awareness about the career possibilities, compounded by confusing jargon and hard-to-match requirements in job listings, according to Indeed.
However, this is a positive for prospective security professionals. With a high demand and comparatively low supply of qualified candidates in cybersecurity and information security, professionals may be able to secure desirable positions more quickly or consider competitive offers.
Prepare for an In-Demand Occupation at UAB
Find out how you can take your education to the next level to prepare for a career in cybersecurity, information security, or another in-demand field. Discover the online MS MIS at UAB and contact an enrollment advisor to plan your path.