What Is the Difference Between IT Security and Cybersecurity?

by James Stanger | Jun 17, 2019

Some people seem to use the terms IT security, information security and cybersecurity interchangeably. But I’ve also worked with people who have used these terms in specific ways. For example, some will say there is a larger concept of IT security, which involves physical security, information security and cybersecurity, as shown in the figure below.

A diagram showing that IT security includes information security, physical security and cybersecurity

But what is the difference between these terms, and why does it matter, if it matters at all? Keep reading to find out.

What Is IT Security?

The idea captured in the above image is that IT security has three categories:

  1. Physical Security: Focuses on how you keep people and infrastructure safe. In this category, you focus on securing buildings, server rooms and wiring closets. You focus on proper lighting for buildings and parking lots, for example. It also involves understanding how to use camera guards, as well as actual guards and even guard dogs.
  2. Information Security: Focuses on keeping all data and derived information safe. This includes physical data (e.g., paper, computers) as well as electronic information. In this category, individuals focus on data backups, as well as monitoring techniques to make sure that no one has tampered with data or exfiltrated information. This category focuses less on the actual equipment and computing resources because it focuses on the data itself. And, yes, I’m distinguishing between data and information: data is raw and unprocessed. Information is derived from data after quite a bit of scrubbing, processing and handling.
  3. Cybersecurity: Focuses on protecting electronic assets – including Internet, WAN and LAN resources – used to store and transmit that information. Cybersecurity tends to focus on how malicious actors use these resources to attack information. Those individuals interested in cybersecurity are the ones interested in making sure that hackers can’t use electronic means to gain improper access to data and information.

One thing is important about the third category of cybersecurity: Some people don’t use the term information security, and kind of lump it right into cybersecurity, as captured in the image below.

A diagram showing that information security can include both physical and cybersecurity

So, which is best? Who is right?

There’s really no definitive answer, but when IT pros create a security plan, they tend to separate out the physical, information and cybersecurity categories. Sometimes, they don’t even seem to realize it.

Does the Terminology Really Matter?

Many times, these questions arise when IT pros are discussing what certification or training program is best or most appropriate for their security role. Other times, it’s when individuals are trying to organize their security teams and activities appropriately.

I find that unless you’re implementing a security plan in a very specific way, the terminology really doesn’t matter. Implementing security is all about the details and using your terms consistently. So, as long as you focus on the details and start applying security controls according to a common-sense, policy-based approach, I don’t think you can go wrong with your terminology, as long as it’s consistent.

For example, regardless of the terminology you use, I would leverage a combination of red and blue team efforts to ensure that your physical, information and/or cybersecurity approaches are working.

I’ve found that companies are very interested in making sure that they have applied the proper security controls, including detective (e.g., an intrusion detection system or a security information and event management (SIEM) system), compensating (e.g., separation of duties) and corrective (e.g., blocking IP addresses).

When it comes to the difference between IT security and cybersecurity, what matters more than the terms you use is making sure that you have the correct foundation of knowledge that allows you to better direct red team and blue team operations.

Get the skills you need for IT security, information security and cybersecurity with the CompTIA Cybersecurity Career Pathway.


  • Nick

    Friday, June 21, 2019

    Great diagram and summary of the difference between Physical Security, Information Security and Cyber Security.

  • Roger

    Saturday, June 22, 2019

    You guys nailed it!

  • Paul

    Saturday, June 22, 2019

    Great article. I use the terms IT security and Cybersecurity interchangeably because when I tell the average person about what I'm studying in the IT field as a career and I say Cybersecurity, they have never heard the name, so I say IT Security.

  • Samuel Akpan

    Saturday, June 22, 2019

    Yes, you are correct. In a nutshell, IT security is thought of as data/information security in the physical realm, while cybersecurity, usually, brings the online platform into the show. Whichever way, both try to protect valued data and information, and the humans, gadgets or other resources that this information might depend on or be depended upon by!

  • Marcus Söderblom

    Saturday, June 22, 2019

    According to the American standardization institute (NIST), Information Security is concerned with information and the protection of information, whether it be physical or digital. Cyber Security includes protection of cyberspace and use of it against any sort of crime. This makes Cyber Security a subset of Information Security.

  • Keith Rozankowski

    Tuesday, June 25, 2019

    Great way to break down the difference. The diagram explains a good physical image of what to expect when discussing all three sections.

  • Madhavarao Anand

    Thursday, June 27, 2019

    Excellent description with a simple diagram. If it maps job roles like Cyber Security Analyst, SOC, Security Auditor, etc. to IT security, Information Security and cybersecurity, it will be even more useful.

  • Jose A Lopez

    Saturday, June 29, 2019

    Excellent breakdown, and you are correct as to people using the terms in different ways to cover specific areas. But to me Information Security encompasses all the areas. I see it as COMSEC (communication security), which bundles all of the different areas you mentioned. I guess today it is a bit more of a "thing" to use all of the concepts separately and make them sound more important or different from each other. I see it in job openings when these areas are used as single concepts instead of a whole security posture.

  • Matt

    Thursday, July 11, 2019

    You hit the nail on the head with the first example. When you think of information security, first think of what it meant before the digital age. When you do this you will start to see the distinction, then think about how we store, use and move that data and information now.

  • David

    Friday, July 19, 2019

    Slightly wrong - most academia and government institutions would have the overarching terminology being Information Security and everything else as a subset of that. IT Security is a bit of an outdated way of referring to information security. There is information/data that needs protecting outside of IT.

  • Lloyd Siyabonga Mfeka

    Friday, July 19, 2019

    Yes, Correct Answer.

  • Hazem

    Friday, July 19, 2019

    Great article

  • Veronica

    Friday, July 19, 2019

    Great explanation! I've often wondered about the distinctions. This gives me an understanding of the facets of IT Security.

  • kendrick

    Friday, July 19, 2019

    Though all are important to a company, each poses its individual risks. Physical security will protect your hardware, information security will protect your data with proper policies and access in place from within the network. And Cyber security will protect your data from inside/outside the network.

  • Jerry

    Friday, July 19, 2019

    Excellent distinction among three critical competencies!

  • AlanW

    Friday, July 19, 2019

    It's good to see this discussion of terminology, because in many cases it does make a difference. It's also good to see that physical security is included with the others - many organizations still keep it separate. Personally, I agree most with the second diagram - "Information Security" is the overarching paradigm, where "IT Security" and "Cybersecurity" are synonymous (they both deal with protecting the technology assets, hardware, software, and data). It all boils down to how individuals and organizations define each of the terms for their own use.

  • Eddie

    Friday, July 19, 2019

    Nice text

  • Gech

    Friday, July 19, 2019

    Hello fellas, I have completed A+, Security+ and Linux (CentOS). Now I am looking for a job. If anyone is interested in helping me, contact me @ yalgabira@gmail.com. Thanks.

  • Heerah

    Saturday, July 20, 2019

    What a great article. Your article is easy to read and understand.

  • Pedro Garza

    Saturday, July 20, 2019

    You are spot on, cyber is a slightly different, yet extremely important aspect of the CIA triad!

  • Aweke A

    Saturday, July 20, 2019

    I do not think terminologies matter; it's all about protecting or securing information, physical or Cyber, from intruders. The important matter here is making sure our data is protected and secured!

  • Ewere Airhihen

    Monday, July 22, 2019

    Considering that an air-gapped computer does not have the cyber component, we will talk of IT security with such systems. Printed paper with confidential content is Information Security. The correct diagram ought to be the second with IT Security as a subset.

  • Oluwasegun Olaosebikan

    Monday, July 22, 2019

    Awesome article.

  • Eric Fors, II

    Monday, July 22, 2019

    This is a good discussion. I wonder however if the distinction should be set with 'security' as the overarching concept and physical, cyber, information, personnel security being inter-related but definably distinct areas of security consideration. https://photos.google.com/photo/AF1QipOXYwZXmIDEMcIHD2O2-dWfluRWwLyORIIEtbgm

  • sarek

    Monday, July 22, 2019

    I think your first, top diagram is the correct model we as a community should be using. I say this because many in the military services seem to like the term Cyber but don't seem to realize that it is fundamentally rooted in Information Technology concepts. Many people I have met seem to think that they don't have to learn or have experience in some fashion with the core principles of: software eng, comp science, System Admin, and Network infrastructure. It is kind of a shame, and yes, I like your top-level model, but if I may state, adding in "COMSEC" would be smart and logical, as a fourth sub-bubble under the IT security umbrella. It addresses the "communication on the Move" concept and that is important.

  • Cyberspec

    Monday, July 22, 2019

    Your logic is sound, but the unfortunate truth is that at least in the federal government "cybersecurity" is actually all encompassing of "information" that is contained within the systems. Both NSPD-54 definition of cybersecurity as well as the DoD Instruction 8500.01 use it as such which is why the term "information assurance" was replaced with "cybersecurity" in that same instruction. "'cybersecurity' means prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communication services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation;" This includes any security controls to perform said prevention/protection, which includes physical security for example... Is it right? Or does it matter? Meh which is why I say your logic is sound. But an audit nerd in the federal government won't see it the same...

  • Mandla

    Monday, July 22, 2019

    Great explanation & distinction so we can understand what makes them differ from each other

  • Empty Tea Cup

    Tuesday, July 23, 2019

    Great work and thanks for sharing. I have been wondering and trying to understand the differences.

  • Jones

    Thursday, July 25, 2019

    Terms matter. If not, people would spend lots of time arguing with each other when they are talking about the same thing, just using different terms. In all kinds of knowledge it's important to use the correct terms.

  • Tasmin

    Sunday, July 28, 2019

    Is an A+ & N+ certificate required, if one wanted to do Cyber-security? Thanks

  • dmccraw

    Monday, July 29, 2019

    Hi, Tasmin! Thanks for your question. Many cybersecurity jobs are not entry-level, which means in addition to certifications, you'll need some on-the-job experience. Certifications like A+, Network+ and Security+ are a good start, as well as tech support and/or systems/network admin roles. In today's IT environment, you'll gain security experience at all levels that will help you as you advance in your career. Good luck!

  • Minh Tran

    Wednesday, August 21, 2019

    Information security should be the overarching term, which involves physical, IT, and cyber security. For example, sensitive information written on a sticky note should be secured physically, but it has nothing to do with IT or cyber. IT equipment that transmits/stores/processes information also needs to be protected, both electronically (through its data processing or transmission) and physically (secured facilities). This IT equipment may or may not be within the cyber space. Cyber involves the use of IT equipment to transmit/store/process information through the Internet protocols. IT and cyber sometimes are used synonymously, but they're actually different. IT is only cyber if it goes into the cyber space. IT equipment can exist without being part of the cyber space, such as standalone, non-Internet-connected devices. All three (physical, IT, and cyber) transmit/store/process information in their own respective way, but all fall under the information security umbrella.

  • VNW

    Monday, August 26, 2019

    Excellent breakdown between the two.
