What Is the Difference Between IT Security and Cybersecurity?

by James Stanger | Jun 17, 2019

Some people seem to use the terms IT security, information security and cybersecurity interchangeably. But I’ve also worked with people who have used these terms in specific ways. For example, some will say there is a larger concept of IT security, which involves physical security, information security and cybersecurity, as shown in the figure below.

A diagram showing that IT security includes information security, physical security and cybersecurity

But what is the difference between these terms, and why does it matter, if it matters at all? Keep reading to find out.

What Is IT Security?

The idea captured in the above image is that IT security has three categories:

  1. Physical Security: Focuses on keeping people and infrastructure safe. In this category, you focus on securing buildings, server rooms and wiring closets, and on details such as proper lighting for buildings and parking lots. It also involves knowing how to use cameras, as well as actual guards and even guard dogs.
  2. Information Security: Focuses on keeping all data and derived information safe. This includes physical data (e.g., paper, computers) as well as electronic information. In this category, individuals focus on data backups, as well as monitoring techniques to make sure that no one has tampered with data or exfiltrated information. This category focuses less on the actual equipment and computing resources because it focuses on the data itself. And, yes, I’m distinguishing between data and information: data is raw and unprocessed. Information is derived from data after quite a bit of scrubbing, processing and handling.
  3. Cybersecurity: Focuses on protecting the electronic assets – including Internet, WAN and LAN resources – used to store and transmit that information. Cybersecurity tends to focus on how malicious actors use these resources to attack information. People interested in cybersecurity are the ones making sure that attackers can’t use electronic means to gain improper access to data and information.

One thing is important about the third category, cybersecurity: some people don’t use the term information security at all and simply fold it into cybersecurity, as captured in the image below.

A diagram showing that information security can include both physical and cybersecurity

So, which is best? Who is right?

There’s really no definitive answer, but when IT pros go to create a security plan, they tend to separate out the physical, information and cyber security categories. Sometimes they don’t even seem to realize they are doing it.

Does the Terminology Really Matter?

Many times, these questions arise when IT pros are discussing what certification or training program is best or most appropriate for their security role. Other times, it’s when individuals are trying to organize their security teams and activities appropriately.

I find that unless you’re implementing a security plan in a very specific way, the terminology really doesn’t matter. Implementing security is all about the details and about using your terms consistently. So, as long as you focus on the details and apply security controls according to a common-sense, policy-based approach, you can’t go wrong with your terminology, provided it is consistent.

For example, regardless of the terminology you use, I would leverage a combination of red and blue team efforts to ensure that your physical, information and/or cybersecurity approaches are working.

I’ve found that companies are very interested in making sure they have applied the proper security controls, including detective controls (e.g., an intrusion detection system or a security information and event management (SIEM) system), compensating controls (e.g., separation of duties) and corrective controls (e.g., blocking IP addresses).

When it comes to the difference between IT security and cybersecurity, what matters more than the terms you use is making sure you have the right foundation of knowledge to direct red team and blue team operations well.

Get the skills you need for IT security, information security and cybersecurity with the CompTIA Cybersecurity Career Pathway.


  • Nick

    Friday, June 21, 2019

    Great diagram and summary of the difference between Physical Security, Information Security and Cyber Security.

  • Roger

    Saturday, June 22, 2019

    You guys nailed it!

  • Paul

    Saturday, June 22, 2019

    Great article. I use the terms IT security and cybersecurity interchangeably because when I tell the average person what I'm studying in the IT field as a career and I say cybersecurity, they have never heard the name, so I say IT security.

  • Samuel Akpan

    Saturday, June 22, 2019

    Yes, you are correct. In a nutshell, IT security is thought of as data/information security in the physical realm, while cybersecurity usually brings the online platform into the show. Whichever way, both try to protect valued data and information and the humans, gadgets or other resources that this information might depend on or be depended upon by!

  • Marcus Söderblom

    Saturday, June 22, 2019

    According to the American standardization institute (NIST), Information Security is concerned with information and the protection of information, whether it be physical or digital. Cyber Security includes protection of cyberspace and use of it against any sort of crime. This makes Cyber Security a subset of Information Security.

  • Keith Rozankowski

    Tuesday, June 25, 2019

    Great way to break down the difference. The diagram gives a good physical image of what to expect when discussing all three sections.

  • Madhavarao Anand

    Thursday, June 27, 2019

    Excellent description with a simple diagram. If it mapped job roles like cyber security analyst, SOC, security auditor, etc. to IT security, information security and cybersecurity, it would be even more useful.

  • Jose A Lopez

    Saturday, June 29, 2019

    Excellent breakdown, and you are correct as to people using the terms in different ways to cover specific areas. But to me Information Security encompasses all the areas; I see it as COMSEC (communication security), which bundles all of the different areas you mentioned. I guess today it is a bit more of a "thing" to use all of the concepts separately and make them sound more important or different from each other. I see it on job openings, where these areas are used as single concepts instead of a whole security posture.

  • Matt

    Thursday, July 11, 2019

    You hit the nail on the head with the first example. When you think of information security, first think of what it meant before the digital age. When you do this you will start to see the distinction, then think about how we store, use and move that data and information now.

  • David

    Friday, July 19, 2019

    Slightly wrong - most academia and government institutions would have the overarching terminology being Information Security and everything else as a subset of that. IT Security is a bit of an outdated way of referring to information security. There is information/data that needs protecting outside of IT.

  • Lloyd Siyabonga Mfeka

    Friday, July 19, 2019

    Yes, correct answer.

  • Hazem

    Friday, July 19, 2019

    Great article

  • Veronica

    Friday, July 19, 2019

    Great explanation! I've often wondered about the distinctions. This gives me an understanding of the facets of IT Security.

  • kendrick

    Friday, July 19, 2019

    Though all are important to a company, each poses its own risks. Physical security will protect your hardware; information security will protect your data with proper policies and access in place from within the network; and cyber security will protect your data from inside/outside the network.

  • Jerry

    Friday, July 19, 2019

    Excellent distinction among three critical competencies!

  • AlanW

    Friday, July 19, 2019

    It's good to see this discussion of terminology, because in many cases it does make a difference. It's also good to see that physical security is included with the others - many organizations still keep it separate. Personally, I agree most with the second diagram - "Information Security" is the overarching paradigm, where "IT Security" and "Cybersecurity" are synonymous (they both deal with protecting the technology assets, hardware, software, and data). It all boils down to how individuals and organizations define each of the terms for their own use.
