What's the difference between cybersecurity and information security?

While most businesses have robust cybersecurity precautions in place, many often lack a dedicated information security strategy, and are therefore at risk of losing valuable data. Understanding the differences between cybersecurity and information security is the first step in ensuring that businesses can effectively protect their information in the modern threat landscape.


This is a contributed article by Sébastien Marotte, President of EMEA at Box.


From multinational corporations to small businesses, every organisation has business-critical content. Whether you’re an independent merchant keeping customers’ personal information on record, or a large pharmaceutical company holding blueprints for the next life-saving drug, all organisations have content that needs to be protected from third-party attackers and other unauthorised users.

With 39% of UK businesses having reported a cybersecurity breach within the past 12 months, it has never been more imperative for businesses to have robust security measures. But while most businesses have robust cybersecurity precautions in place, many lack a dedicated information security strategy and, as a result, are at risk of losing valuable data.

As a first step, businesses and technology leaders must understand the differences between cybersecurity and information security in order to effectively protect their information in the expanding, modern threat landscape.

Cybersecurity, information security…? Aren't they the same thing?

Simply put, cybersecurity is the broad approach an organisation takes to safeguard its data, networks and devices from electronic or digital threats. Such threats include a malicious actor gaining unauthorised access to a network, device or content, or the installation of malware on a device or network. To counter them, cybersecurity controls, including network and WiFi access control, hardware and software configuration, and firewalls, should all be put in place.

Falling partially under the umbrella of cybersecurity is information security (infosec), which focuses specifically on protecting content and data. Information, in this case, can take many forms, from purely digital content such as videos and spreadsheets, to physical formats such as paper files or printed documents.

Information security threats include the theft of physical data, deletion of content, damage to the integrity of content, and unauthorised access to data and content. Infosec controls can be digital, such as encryption and password protection, as well as physical, such as using locks on a filing cabinet.

Because a company’s information can be vulnerable to both digital and physical attacks, it is important that businesses have robust infosec controls in place in addition to their cybersecurity controls. Together, the two work in tandem to protect organisations from differing threats.

Encryption, for example, is an imperative control that will allow businesses to protect their content, as well as the data on their devices and networks. Similarly, password protection and authentication tools, such as multi-factor authentication, allow businesses to restrict access and verify a person’s identity before they can get into a device, piece of content, or access the company’s network.

Education is also a fundamental aspect of both cybersecurity and infosec policies, and training must be used as an opportunity to explain policies and methods to staff members. Training employees to recognise security hazards, and giving them the knowledge of what to do if they think they are under attack, will ultimately help protect a company’s network, devices and content.

How to protect your company's information

While the specific tactics of information security and cybersecurity differ, the fundamental principles governing the two are ultimately the same. When developing an infosec or cybersecurity policy throughout a business, organisations should consider the CIA triad (confidentiality, integrity and availability) to help them govern successful regimes:

Confidentiality

The principle of confidentiality ensures that only people who should have access to content, a network or a device can access it. Multiple controls should be put in place to increase confidentiality, such as encryption, password protection and user classification. Organisations can also use educational programming to inform employees and other relevant parties of the importance of ensuring confidentiality.

Integrity

Integrity refers to the condition of the content or network and focuses on ensuring that information, devices or networks are not altered or compromised. In the case of information security, this could be someone changing the bank account information on a payment form, thereby affecting the form’s integrity. Similarly, in the case of cybersecurity, if a hacker installs a virus on a computer and that virus travels through the network, infecting other devices, the integrity of the network and the affected devices is compromised.

Availability

While cybersecurity and information security programmes must protect the confidentiality and integrity of information, devices and networks, it’s also imperative that these programmes don’t impede access. Every employee who requires access to content, networks and devices should have it available. Factors that limit availability include power outages, denial-of-service attacks, and hardware or software failures. In some cases, an employee who forgets their password or leaves their device at home can accidentally limit their own access to the content they require.

In today’s landscape, the security of a company’s data and network is imperative to business success. By implementing intensive and robust infosec and cybersecurity policies that are strategically designed to protect against attacks of a specific nature, organisations can avoid damaging their reputation, losing their valuable data and ultimately, negatively impacting their profit margins.


Sébastien Marotte is President of Box Europe, the Middle East and Africa (EMEA). Over a 30+ year career, Marotte has held executive roles at some of the world's highest-profile software companies, including Google, Hyperion and Oracle. He led Google Cloud's EMEA Channels as Vice President, having also served as Vice President of Google Cloud EMEA for almost a decade. As an early leader at Google Cloud, Marotte was responsible for much of the foundational growth and development across EMEA, including the launch of G Suite (now Google Workspace).