Information Security—also called Cybersecurity, or InfoSec—is arguably one of the most interesting professions on the planet. It requires the ability to think like an attacker, to have a defensive mindset, and the ability to constantly adapt to change.
Fundamentally, Information Security is a branch of security, and my favorite definition of security comes from looking at the word itself. It comes from the Latin roots of “worry” and “without”.
se (without) · cura (worry)
Broken down this way, we see that the fundamental goal of security is to allow people to carry on in their life or mission without worrying about their safety. And since that’s the definition of security itself, a good definition of information security is:
The practice of creating and maintaining a state of security with respect to information and information systems.
In order to do this, Information Security practitioners employ a number of tactics, including the use of various types of security assessment. These are performed in order to find vulnerabilities before attackers do, and it’s important to know the difference between all the assessment types, as well as when to use one vs. the other.
The goal of all security is to allow people go about their lives without being worried about their safety.
One of the most common types of security assessment is the Penetration Test, which is often confused with a Red Team Assessment. The difference between pentesting and red teaming is important because they require different resources and look for different types of issues.
Sales and marketing teams often conflate these definitions, leading to confusion in the industry.
It’s important to know the difference between threats, risks, and vulnerabilities, which are different types of those issues we want to avoid, and that we can discover using security assessments. Threat Modeling can help us identify both Threats and Vulnerabilities, while Risk Assessments can help us identify risks in our environment.
Within Information Security there are also a number of sub-organizations focused on attack and defense. These teams are called Red, Blue, and Purple Teams, which perform different security-related functions within an organization. Red Teams generally behave as if they were adversaries, Blue Teams are the defenders within those organizations, and Purple Teams (or functions) ensure that an organization’s hired attackers and defenders are properly coordinating with each other.
Privacy is generally focused on the user and their control over what happens to their data.
Information Security is closely tied to Privacy, though many see it as a completely separate discipline. We see Privacy as a sub-field within Security. If we take the definition of “removing concern”, or “allowing one to function in society without concern”, then Privacy is simply a more specific use case within overall Information protection.
Specifically, Information Security is about protecting information overall, while Privacy is focused on ensuring people have control of who has access to their personal data and what various parties are able to do with it once they have access. So while there is a clear difference between security and privacy, there’s no reason to violently separate the two.
Both Security and Privacy are about making people feel comfortable using information systems.
Getting into Information Security as a career has never been easier. There are countless books, online courses, and YouTube channels available for free that teach various aspects of the profession. It’s possible to enter security from multiple directions—both with a university education or without—but most people get into the field through system administration, network, or development.
There is continuous and extensive debate about the best credentials, skills, and certifications to have to break into the field, but the reality is that many security hiring managers are looking for specific, practical skills in their hires. Many people get jobs in security without any credentials if they can show competence in specific, highly-skilled areas, but it helps if you are prepared to answer a likely set of security interview questions.
Once in the field, or even as you prepare to enter, you’ll want to be familiar with the most common Information Security terminology, such as the difference between events, alerts, and incidents, as well as regularly-used security tools such as masscan, Shodan, and
Once you’ve been in the field for a while you’ll become familiar with some of its famous debates, such as whether obscurity is a valid security feature or not. Spoiler: It’s a valid control if the thing being hidden is the key and not the mechanism, for example as with a dead drop.
If you’re preparing to enter this exciting field, let me be the first to welcome you! We need all the help we can get, and I’m glad you’re joining the team!