Information security and IT security are often used interchangeably. Even among InfoSec professionals. The terms are interrelated and often share the common goals of protecting the confidentiality, integrity and availability of information, however; there are significant differences between them.
IT security is only concerned with the systems that store, process, transfer and make available electronic data.
Information security goes far beyond that. It encompasses classification of information across an organization, information security policies and procedures, physical security aspects, legal protections, HR, awareness, and retention of information, regardless of information format. Even when the information is on paper or in employees’ heads.
Examples of information security controls are: background checks on personnel, physical security, policies for retention and disposal of printed materials, and awareness of HUMINT attacks. Typically, these controls are not considered under IT security.
Photo above is an example of a concern of information security, but not of IT security.
For example, a telco store might take a copy of a customer’s credit card as part of the ID process for new subscribers. What happens with that paper after the store faxes it to the processing center is not within the scope of IT security. However, it is very much within the scope of information security.
Since that piece of paper contains credit card data, it is also a concern for PCI DSS. PCI DSS is one example of an integrated approach to information security that goes beyond the boundaries of IT security.
Another example is ISO 27001. Less than 50% of controls in ISO 27001 are IT related.
It follows that PCI DSS or ISO 27001 projects, for example, should not be IT-led projects. Information risks are business risks and these projects should ideally be business-led projects.
In terms of organizational structure, information security function is most efficient when it’s outside of IT organization and in its own functional structure. It should report to CSO, CRO or CIRO or another appropriate business role that has visibility at executive or board level.
To sum it up, IT security is an operational objective. Information security is a broader risk management exercise that is concerned with all data in an organization and should be a sub-function of corporate governance.