
Information Technology vs. Information Security – What’s the difference?

If you’re still in denial about the chances of your small business becoming a victim of a cyber attack, consider this: 61% of all SMBs reported at least one cyber attack last year.


DAVIN: I appreciate that. I do want to touch on that. Kindsey mentioned the word “MSSP.” It’s what we are, a managed security service provider. You’re going to hear that term thrown around a little bit today. You’re going to learn some new terms, hear some old terms. I’m really excited to talk about this topic here today: Information Technology (IT) vs InfoSec (Information Security).

First we’ll jump right in. Let’s get this going. First we’re going to start with a question. Quick poll, simple. It’ll pop up. You can answer accordingly. Who is handling your cybersecurity? Is it your IT person, your IT company that you outsource? Is it you? Are you the person who is making sure everybody changes their passwords or making sure everyone is up to date with what’s going on in cybersecurity? Do you use an MSSP, infosec team? A lot of the time we get the answer, “I’m not too sure, really. We’re not too sure what we do for our cybersecurity.”

About 75% showing “my IT person” or “my IT company.” 25% showing “MSSP.” We’ll move on, but that’s interesting to see who you’re relying on for your cybersecurity.

What we’ll do first is jump into, what is information technology? What do they do? The definition of IT, information technology, is simple, straight out of the book: “the use of any computers, storage, networking, and other physical devices, infrastructure, and processes to create, process, store, secure, and exchange all forms of electronic data.” That’s super wordy. A lot of people understand IT as the people who make our stuff work, the people who make our tech work.

And for lack of better words, that is what they do. They are operations-focused. They keep everything running smoothly, making sure your monitor turns on, or making sure you turn on your monitor. IT is operations-focused. They make sure network systems work and everything is functioning properly.

Another thing is communications. If you’re a larger organization, or smaller, you may have multiple office locations in a certain area. You may all have to access a server with data that you need to run your day-to-day business, or if you need to see clients and you need to pull up their information, things like that, medical clients. You have to be able to have one interconnected network that’s working smoothly and that doesn’t go down.

I actually recently spoke with a new client of ours, and before they came on to work with us as a partner of ours, they were having to restart their server every two or three days. That simple inconvenience put them out of an hour or two of work because everything shut down, and nobody could communicate. No one had the access. So IT took care of that, fixed that, of course. It’s a communication issue.

Another thing we don’t think of is that IT is managing your technology assets. Technology is getting crazy today. Teslas, touchscreen laptops, all kinds of things. But they get old and they have to be replaced, and they need to be considered assets. What IT does is make sure everything’s up to date and is as new as possible to keep your operations running smoothly, functioning correctly.

I do want you to realize that I keep going back to the word “operations” going smoothly, making sure they’re working. There are two different types of IT providers. There’s break-fix, which everyone has been using for a while now; they come in, they set everything up originally, and then hopefully you don’t see them for a while, but if something breaks, you call them. They come and fix it. Hence the term break-fix.

But there’s now I guess you could call it a newer type of IT, a way to run a business called managed IT. You’ll hear the word MSP, which stands for managed service provider. That’s what a lot of IT organizations or companies are moving towards. They’re moving away from the break-fix and moving towards a more all-inclusive type of business. They come in, set everything up, of course, and then they are continuously monitoring and managing that IT environment. So hopefully they can prevent the breaks before they happen, so then they don’t have to come out and fix it.

A lot of people that have gone with break-fix, it breaks, they fix it, you send them the bill. Managed IT is more of the all-inclusive one monthly bill, unlimited help desk hours, things like that, where they’re continuously monitoring and making sure your operations are running smoothly.

Now, what is information security? By the book, by the definition, information security is simply protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability. It’s a big long definition, but overall, you can just take it out of the title: information security is focused on security. They are creating a security-first environment. Everything they do, they approach with integrity, confidentiality, and making sure whatever operation or whatever action is needed is done in a safe way.

Their focus is making sure you have the best security tools available, making sure that you’re compliant with the security requirements of your operation, of your type of business. They’re making sure that you and them – first you have to understand your current risk and vulnerabilities. You have to understand what you have to protect, or you’re just basically throwing a dart out there hoping to hit something.

Your information security team or team of professionals should start with helping you understand what they need to protect. Then from there, you develop a plan and orchestrate some security controls to take care of those risks and those vulnerabilities, and then from that, you have the tools in place to detect and monitor changing threats.

I’ll stick on this real quick because – I think it was our first webinar of this deeper dive series, we jumped into why antivirus isn’t enough. Everyone here may be using an antivirus or a tool as such. I’ll keep it short and simple: antivirus just doesn’t do it anymore. Any information security specialist will tell you the same thing. That’s because the way antivirus works, it’s looking for certain virus signatures that are known to be malicious. For them to be known, they have to have been active for 3 to 6 months, and they have to have successful attacks so they can be whitelisted and the antivirus can be looking for those known malicious virus signatures.

We need something to monitor and protect us in real time. 3 to 6 months down the road is not good enough. I need to stop an attack before any damage is done. So from an information security standpoint, you have to upgrade your defenses. You have to change your security efforts to match the way and how cyberattacks are changing. We’ll go into different tools, EDRs, things like that.

But IT, that’s not their main focus. They’re focused on operations and then security. From an information security standpoint, they’re taking that security-first approach. In our world, it’s security over convenience compared to other firms or organizations that may approach things from convenience first and then “Okay, we’ll deal with security down the road.” That’s just not doing it anymore. It has to be a security-first approach.

They also make sure what you need, like we were talking about, understanding what needs to be protected, make sure it is kept protected and kept confidential. Keeping information that’s supposed to be confidential, confidential. They also adapt and change to what’s going on in the world. I’ll go into this later in the webinar, but information security specialists, their day-to-day, 24/7, keeping up to date with what’s going on in the cybersecurity world, cyber threat world. Like I said, antivirus isn’t good enough.

Well, what is, then? That’s what information security specialists would know. Then you need an EDR. You need something that doesn’t rely on those virus signatures, a tool that can monitor in real time to stop those attacks before they’re an issue. That’s what you go to your specialist for. They know what’s going on. They know where the threats are coming. They know how they’re changing. They know that you have to have cybersecurity, and they’re there to protect you. That’s why they’re information security specialists.

I do want to touch on one more point. Information security just isn’t about the security tools and things like that. They go into compliance and cyber insurance. A lot of organizations are being required to have cyber insurance policies now, but cyber insurance organizations aren’t paying out because organizations don’t have the preventative measures to stop a cyberattack.

Last year, we saw cyber insurance claims not being paid out, or we saw hundreds of thousands of dollars being paid out from cyber insurance organizations because of the increase in cyberattacks, and simply, organizations weren’t prepared. In 2022, cyber insurance policies premiums are skyrocketing, but the requirements from a security standpoint are getting stricter as well. They’re requiring tools such as the EDR. Some even require you to have an information security team. Information security isn’t something new. It’s just changing and becoming more important than ever before.

I have a short video. We talked about MSSP, how it’s a managed security service provider. Different from the MSP. You’ll see those words thrown around, and here in 2022 and in years moving forward, I have a slide coming up – you’ll have an MSSP team working for you, making sure everything’s protected on your end, but also you’ll have an MSP team making sure your operations are running smoothly and taken care of. The goal for your organization is to have your MSP and your MSSP working together for you, making sure all your operations are running smoothly, but that they’re protected and everything’s going perfectly smooth in a safe way.

I have a short video here just briefly explaining information security. It explains it a little bit better.

Video

Information and data are exchanged by people, processes, and systems. Daily processes are virtually impossible to carry out without the processing of data and information. Information security ensures that people deal with reliable information and data regarding confidentiality, integrity, and availability.

And there’s an important prerequisite in the pursuit of a better and, above all, more reliable service offering. Failure of computer systems, databases falling into the wrong hands, or the abuse of confidential information can have serious consequences for organizations, businesses, and citizens. These include loss of image, compensation claims, and even political consequences.

An information security management system is how you ensure information security within an organization. Think of information, risks, business tools, norms, the process of information security, but also the business and IT processes. How do you ensure that this enormous playing field is visible and under control? How can you ensure that information security becomes…

DAVIN: That’s a brief description of information security, but it hits all the points. It talks about the risks that come with not having your organization secure, not having the proper controls in place to protect not only your organization, but your clients and your employees.

This chart here moves into the section of what organizations are going to look like, what their org charts are going to look like and may look like now. In some of your organizations, the titles may look a little different; it may not say infosec, but it may say CIO, chief information officer, or a CISO, a chief information security officer.

I show this because originally you may have seen an org chart where it has CEO, and below that, IT head, accounting head, operations head, marketing head, and then information security reporting to IT. We talked about creating a security-first culture, so the IT guy might go to accounting, “Hey, we need this, this, and this.” The finance person, “It’s too expensive. We can’t afford that. Maybe later down the road, maybe years down the road.” From a security standpoint, that information security specialist is like, “If we can’t afford that, here’s the risks that are going to come with it. If we’re putting convenience over security, we need to be prepared to accept the risk of a possible breach or maybe not even being compliant or maybe not being HIPAA compliant.”

That’s what an infosec specialist is thinking about. IT, accounting, they’re not thinking about those things. So now we see this new org chart, CEO, and then under that, infosec, accounting, operations, marketing, things like that are all on the same level, and IT is reporting to information security. They’re reporting to that head because it’s creating that security-first culture, approaching everything with, “Are the doors locked? Are the passwords being changed? Do we have strong passwords? Are the backups being monitored?” And then going to an operation standpoint, putting security over convenience.

Which brings us to the point, what’s the real difference between infosec and IT? It comes down mainly to the objectives of both. IT are following a more “fix it first” approach, “then we’ll deal with security.” Information security is following a “secure it first” approach. IT, fix it first; information security, secure it first.

They both have a different specialty. I like to think of it from a medical view; say you have a heart attack. Knock on wood; I’m a young man. I had my brussels sprouts and green beans last night, but I want to make sure no bad luck on me. But say you have an ailment, a heart attack. We’ll go with heart attack specifically. There is a heart surgeon and a brain surgeon. They both work in the medical field, but they both have different specialties. Specifically for myself, I’ve watched enough of Grey’s Anatomy to know the difference between a brain surgeon and a heart surgeon and how they operate. So specifically for my body, I would pray and hope that that heart surgeon would be available to operate on me because I would have the best chances of being safe and healthy.

Same thing for IT and infosec. They both work in the technology realm, but they both have their different specialties. We learned that information technology is responsible for the hardware, the different software, and the network components operating and being functional for the organization. Information security’s main responsibility is protecting that network, protecting that data and the assets within the organization.

We’ve seen an increase in ransom attacks like crazy just in the past year. I believe it was last June, the percentage was 38% of organizations experienced a ransomware attack in 2021. By the end of 2021, beginning of this year, that percentage had jumped up to 48%. So it’s almost a flip of a coin chance that your organization is going to experience a cyberattack or ransomware attack. You have to have the proper security in place to combat that, to be ready, to make sure that the organization you’ve been working to build for the past 10-20 years doesn’t crumble to nothing in a matter of a day or two, hours really. It depends on the attack. That’s what we’re seeing. But if you have the mindset of a security-first culture, then you’re ready. You’re prepared. You have your ducks in a row. You’ll be all right.

That’s why it’s so important to create that security-first environment, because cyberattacks and cybersecurity is not just a little thing anymore. And it’s not going away anytime soon. It’s something that organizations are going to have to live with and prepare for and adapt to for years moving forward.

Got a little off track with that. It’s very important to me to secure not only your organization, but of course, your employees. Like water associations, we’ve been working a lot with them; a community relies on them. Taking security first is extremely, extremely important.

When we dive into the differences, managed security services provider, managed services provider, but overall both are necessary. They’re not going anywhere. They both should be treated separately because of their specialties. Every organization needs and has to have both, but it’s the simple step of taking that step, “Okay, I have IT. Now I really, really, really need to focus on information security. I need to secure my organization.”

You can see this next slide is actually a piece of ours regarding the difference and what to expect from your IT, your MSP, and your security specialist, your MSSP. You can see your IT person should take care of help desk, managing your network, desktop, making sure your patches and updates are taken care of on patch management, things like that. That’s also a security responsibility as well.

Talking about software updates and patch updates, most of the time in those patch updates and software updates, there is a security feature that needs to be updated. A lot of times people see, “I have an update coming up. I’ll get to it tomorrow or two days down the road.” You’re at risk in that time. By putting it off, that’s where you’re most at risk. From a security standpoint, your MSSP, your information security specialist, that’s important to them. They will make sure that you update, or they may even have the ability to update it for you. That’s just the way they think about it.

Deployment and management, making sure you run as efficiently as possible. That is the goal of your IT.

Now with MSSP, you see security awareness training, making sure your front line of defense, which is your employees, are up to date, they’re trained on cyber threats, where they’re coming from, how to protect not only themselves but your organization from those attacks as well. Making sure there’s a plan, a security response plan in place, making sure those processes and procedures are ready to go. If something does happen, no problem, we’re up and running, we’re taking care of it.

Privacy is key. That’s what they’re about: security and privacy. Monitoring, detecting those threats. This is a good list to refer back to. If you need to take a screenshot, I would advise it. This is what you should expect from your MSP, your IT provider, and this is a list of things you should expect from your managed security service provider as well.

What do we do from here? I have IT, I know I need infosec. What’s the next step? Where do I start? It’s simple. You speak with an information security specialist. You speak with someone that’s day in and day out dealing with cyberattacks, dealing with the way cyberattacks are changing 24/7, actually in the field protecting organizations. You speak to them.

You see right here there’s a link to where you can schedule a meeting directly, connected to my calendar. There’s an email. There’s also my personal line up there. Please call at any time. That first meeting, like I said, it’s not “You need this, you need this.” No. Like I said, there’s a process. You have to understand what you have to protect. You have to understand where your risks and vulnerabilities are. And then from that, from a professional standpoint, you have to orchestrate and develop that plan to make sure all ends are met, make sure you’re doing what you’re supposed to do, what you should be doing to protect your organization, your clients, your employees, and for some of you, your community. Making sure you’re doing your part.

Recently – I’ll save time for questions and then I’ll get into it in a second. Does anybody have any questions, or is there a part you’d like me to touch on a little bit more?

Hey, Jan, from out there in Alabama. I see you in the chat. Kindsey has put the link in the chat box if you need to schedule a meeting. I’ll leave some extra time for questions. I know we’ve got about two minutes left on here. While we’re waiting on questions, I do have a quick story.

Anne Neuberger released a White House letter. She works for the NSA and is Head of Cybersecurity and all these different titles. She is a cybersecurity specialist here to protect and help advise on protecting our country. But one thing that stood out to me that she said, and we’ve been hearing it a lot recently, is that especially with everything going on around the world, cybersecurity isn’t just a one-person problem. It’s not just the government’s problem or anything like that. It’s everyone’s responsibility to protect their organization and do their part. It’s everyone’s responsibility to take cybersecurity seriously.

You’re hearing things about critical infrastructure organizations and things like that. There are laws currently in motion where you may even have to report that you’ve experienced a cyberattack within 72 hours of it happening, or you even have to report within 24 to 48 hours that you’ve made a ransomware payment.

Those things are happening. These things are changing. Cyber threats are changing. It’s serious, and it is everyone’s responsibility. You know what you need. You know that’s important. You know where to start.

This deeper dive series, we’re talking on different topics every single week, every Tuesday at 2 p.m. Central Time. So if you missed the ones before, of course you can still go watch recordings, as well as we have the next one coming up next Tuesday, same time. We’ll make sure you get an invite. Share it with your friends, your colleagues. Security awareness is the first step, and then acting on it is the second.

I appreciate everyone coming. If there are no questions – I’ll double check.

KINDSEY: Yeah, I’m not seeing anything on here.

DAVIN: All right.

KINDSEY: Yeah, thank you, everybody, for joining us this afternoon. Next Tuesday, Davin’s going to be presenting on 5 things you should know about password managers.

DAVIN: Yes. Very, very good topic. It’ll be good.

KINDSEY: Everyone have a great afternoon, and we’ll see you guys next time.

DAVIN: See ya.