Differences Between Major Security Functions

In the still-young security field, confusion seems to be the sentiment of the hour. What else can one think when well-established terms such as cybersecurity and IT security are routinely used interchangeably, and few seem to know the difference between infrastructure security, data security, and GRC?

The overall effect is not far from that of some other bizarre claims, such as "all polygons are triangles but not all triangles are polygons". We know it should be the other way round, but at first glance it is not obvious why.

Nonetheless, however confusing it may be, it is important for security engineers to get the terminology right. That should be the minimum requirement for someone who aspires to help organizations solve the big-picture security puzzle, shouldn't it? (After all, apples and oranges may look much the same to the layman, but a fruit seller can hardly afford to overlook the difference.)

So, what is the confusion all about? Let's dissect.

Starting from the basics

Just as a triangle is a polygon (a plane figure bounded by at least three straight sides and angles), data and application security are part of the bigger cyber security umbrella, and so is IT security.


But not all polygons are triangles, so while IT security and everything it entails comes under cyber security, cyber security itself also encompasses ProdSec, InfraSec, DataSec, GRC, and more. Each of these separate functions requires a very specific set of focus, skills, and tools that security engineers must stay mindful of.

The difference between these functions is critical to know, especially for people who have a specific goal in mind when it comes to working in security, who want to align themselves with the skills of their prospective jobs, and who are not in the field simply because they needed a job and couldn't think of anything better than security. It is what will ultimately help their anticipated trajectory in the industry come about and give them the satisfaction of employing their full potential at work.

Let's get right down to it then and delineate the distinctions, starting with product security and infrastructure security.

Product security

Until very recently, product security programs were not widespread, as most of the world's enterprises sold items that were not digitalized in any significant sense. Now technology companies are no longer confined to the technology industry. From online content and media companies, service aggregators, and utility manufacturers to producers of healthcare devices, everyone is being digitally transformed by the addition of software stacks and network capabilities.

Product security is all about securing these product offerings, and making sure a product is safe takes a lot of work. Comprising AppSec (which covers both inside-out controls and customer and employee privacy), security automation, security architecture, and review, product security concerns itself with security at every stage of the development process: from conceptualization to deployment, execution, and administration, among other things. This is frequently realized through a Secure Development Lifecycle (SDL) product engineering specification that lays special emphasis on designing security into products intrinsically and on responding to vulnerabilities in those products quickly, and ideally before they ship.

Secure design, a secure SDLC, implementation of security controls, vulnerability assessment and penetration testing (VAPT), and automation are core responsibilities in managing product security. When done correctly, product security not only leads to a more secure product but also helps accelerate growth with reduced costs and saved resources. For instance, fixing a software flaw in the maintenance phase is often cited as costing up to 100 times more than fixing it in the design phase, and a product security team that recognizes this is essential to a product-based organization.

After the product itself, the second most vital security function in a product organization is the infrastructure that sustains it, and those who like to get into the heart of structural intricacies will enjoy this option.

Infrastructure security

Because of its vast size and complexity, infrastructure is not only the attackers' favourite target and the most likely place for vulnerabilities to hide, but also the area that security teams find hardest to tackle.

The growth of the infrastructure attack surface in recent years (with IoT and M2M integration) only makes it more exposed to both organized crime and natural disasters, and the only way to truly minimize threats and safeguard the organization's infrastructure environment is meticulous infrastructure security.

In a nutshell, infrastructure security is a high-level approach to securing the whole technology perimeter, whose continuous operation is necessary for the security of the entire organization. In an enterprise context, it is the process of preventing unauthorized access, modification, deletion, and theft of resources and data by putting preventive measures into the core networking infrastructure.

Most commonly, infrastructure security covers a variety of technology assets: networking systems, cloud resources (AWS, Google Cloud, etc.), policy enforcement, CI/CD pipelines, CDNs, GitHub, Kubernetes, VPNs and more.

Although the elements of infrastructure have much in common across organizations, they also vary with each organization's needs. In product-based, high-stakes organizations, where the emphasis is on embedding security at the heart of business growth, infrastructure security focuses on building infrastructure as code (IaC), expressing policy as code so that it is enforced before anything is deployed, and protecting every piece of infrastructure through detection engineering, encryption, and authentication.
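As an added example (not code from the original article), here is what "policy at the code level" looks like in practice: a small policy-as-code gate, written in Python, that evaluates a Terraform-style resource plan before it is applied and refuses the plan if any rule fires. The plan, the rule names and the attribute names are constructed for illustration; they mirror common AWS attributes but are not read from any real provider. The weak plan and its corrected counterpart sit side by side so the two settings can be compared.

```python
"""Policy-as-code gate over a constructed, Terraform-style resource plan.

Added example, not from the original article. Resource dicts, rule names and
attribute names are constructed for illustration; they mirror common AWS
attributes but are not read from any real provider.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample: the weak plan a reviewer (or a CI gate) would reject.
WEAK_PLAN = [
    {"type": "aws_s3_bucket", "name": "logs", "acl": "public-read"},
    {"type": "aws_security_group_rule", "name": "ssh_in",
     "from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]},
    {"type": "aws_db_instance", "name": "orders", "storage_encrypted": False},
]

# The same three resources with the settings corrected.
FIXED_PLAN = [
    {"type": "aws_s3_bucket", "name": "logs", "acl": "private"},
    {"type": "aws_security_group_rule", "name": "ssh_in",
     "from_port": 22, "to_port": 22, "cidr_blocks": ["203.0.113.0/24"]},
    {"type": "aws_db_instance", "name": "orders", "storage_encrypted": True},
]

ADMIN_PORTS = {22, 3389}               # SSH and RDP
WORLD = {"0.0.0.0/0", "::/0"}          # "anywhere" in IPv4 and IPv6


@dataclass(frozen=True)
class Finding:
    rule: str
    resource: str
    detail: str


def public_bucket(res: dict) -> Optional[Finding]:
    """S3 buckets must not carry a public canned ACL."""
    if res["type"] == "aws_s3_bucket" and res.get("acl", "private") != "private":
        return Finding("S3_PUBLIC_ACL", res["name"], f"acl={res['acl']}")
    return None


def admin_port_open_to_world(res: dict) -> Optional[Finding]:
    """SSH/RDP must not be reachable from 0.0.0.0/0 or ::/0."""
    if res["type"] != "aws_security_group_rule":
        return None
    exposed = WORLD & set(res.get("cidr_blocks", []))
    in_range = any(res["from_port"] <= p <= res["to_port"] for p in ADMIN_PORTS)
    if exposed and in_range:
        return Finding("SG_ADMIN_PORT_WORLD", res["name"],
                       f"ports {res['from_port']}-{res['to_port']} from {sorted(exposed)}")
    return None


def unencrypted_database(res: dict) -> Optional[Finding]:
    """RDS storage must be encrypted at rest."""
    if res["type"] == "aws_db_instance" and not res.get("storage_encrypted", False):
        return Finding("RDS_UNENCRYPTED", res["name"], "storage_encrypted=false")
    return None


RULES: List[Callable[[dict], Optional[Finding]]] = [
    public_bucket, admin_port_open_to_world, unencrypted_database]


def evaluate(plan: List[dict]) -> List[Finding]:
    """Run every rule against every resource; output order is deterministic."""
    findings = []
    for res in plan:
        for rule in RULES:
            finding = rule(res)
            if finding is not None:
                findings.append(finding)
    return findings


def gate(plan: List[dict]) -> bool:
    """True when the plan may be applied, i.e. it produced no findings."""
    return not evaluate(plan)


if __name__ == "__main__":
    for f in evaluate(WEAK_PLAN):
        print(f"{f.rule:22} {f.resource:8} {f.detail}")
    print("weak plan allowed:", gate(WEAK_PLAN))
    print("fixed plan allowed:", gate(FIXED_PLAN))
```

The point of wiring this into the pipeline rather than into a review checklist is that `gate()` runs on every plan, not only on the ones someone remembered to look at; a rule added once is enforced everywhere the infrastructure is defined in code.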

Only by implementing effective infrastructure protection measures can you reduce risk and ensure the safety of the organization's infrastructure and its data. But data security is a distinct field in itself, one that presents particular opportunities for those who like to play for higher stakes.

Data Security

For a variety of reasons, data security is vital to all kinds of businesses.

First, there is the legal and moral obligation on organizations to protect their customer and user data from being accessed by the wrong people. Second, there is the negative impact a data breach can have on a brand. A high-profile data breach or attack can have a lasting effect on any organization’s reputation if it doesn’t pay sufficient attention to data security. Damage assessment and restoration, as well as determining where exactly the lapse happened and what needs to be improved, can necessitate a significant amount of resources, time, and money.

Controls, rules, and processes must be put in place to safeguard data from a variety of threats, such as unauthorized access, accidental losses, and damage or destruction.

Data security's responsibility is, therefore, to protect both structured and unstructured data, inside and out. Identifying and securing PII, business-critical data, and employee information all fall under its purview. Further, it includes access control and management in databases and platforms, authentication, backups and recovery, data erasure, data masking, data resiliency, and encryption.
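The identification and masking of PII listed above, as an added example that is not part of the original article: a Python routine that scans both the structured fields and a free-text notes field of a constructed customer record, uses a Luhn check so that arbitrary long numbers are not mistaken for card numbers, and pseudonymises e-mail addresses with a keyed HMAC so the same address always maps to the same token without revealing it. The record, the field names, the patterns and the key are all constructed for illustration.

```python
"""PII discovery and masking over a constructed customer record.

Added example, not code from the original article. The record, the field
names, the patterns and the pseudonymisation key are all constructed for
illustration.
"""
import hmac
import re

# Constructed key for pseudonymising e-mail local parts. In production this
# comes from a secrets manager, never from source; a keyed HMAC (rather than
# a bare hash) stops an attacker from rebuilding the mapping with a wordlist.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by spaces or dashes; validated by Luhn below.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Optional country code, then NNN-NNN-NNNN style groups.
PHONE_RE = re.compile(r"(?<!\d)(?:\+?\d{1,3}[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}(?!\d)")

# Constructed sample record: structured fields plus a free-text notes field.
RECORD = {
    "id": 1017,
    "name": "Asha Rao",
    "email": "Asha.Rao@example.com",
    "phone": "+1-202-555-0143",
    "card": "4111 1111 1111 1111",          # Luhn-valid test number
    "tracking": "1234 5678 9012 3456",      # 16 digits but not Luhn-valid
    "notes": "Customer called from 202-555-0143 about order 88; invoice total 125.50",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; keeps tracking numbers and IDs from being masked as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _digits(s: str) -> str:
    return re.sub(r"\D", "", s)


def mask_card(m: re.Match) -> str:
    digits = _digits(m.group(0))
    if not luhn_ok(digits):
        return m.group(0)            # not a card number: leave it alone
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_phone(m: re.Match) -> str:
    digits = _digits(m.group(0))
    if len(digits) not in (10, 11):  # national number, optionally with country code
        return m.group(0)
    return "***-***-" + digits[-4:]


def mask_email(m: re.Match) -> str:
    local, domain = m.group(0).rsplit("@", 1)
    token = hmac.new(PSEUDONYM_KEY, local.lower().encode(), "sha256").hexdigest()[:12]
    return f"{token}@{domain}"       # domain kept for analytics, identity removed


def mask_text(text: str) -> str:
    """Mask PII in a string. Cards go first so their digit runs are not re-matched as phones."""
    text = CARD_RE.sub(mask_card, text)
    text = PHONE_RE.sub(mask_phone, text)
    return EMAIL_RE.sub(mask_email, text)


def mask_record(record: dict) -> dict:
    """Apply mask_text to every string-valued field; other types pass through."""
    return {k: mask_text(v) if isinstance(v, str) else v for k, v in record.items()}


def pii_fields(record: dict) -> list:
    """Names of the fields that contained PII, i.e. whose value changed when masked."""
    masked = mask_record(record)
    return sorted(k for k in record if masked[k] != record[k])


if __name__ == "__main__":
    print("PII found in:", pii_fields(RECORD))
    for k, v in mask_record(RECORD).items():
        print(f"{k:9} {v}")
```

Two design choices worth noting: the free-text field is scanned with the same rules as the structured ones, because that is where PII usually leaks past a schema, and the Luhn check turns a noisy "long number" regex into a usable card detector without flagging every tracking or invoice number.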

Governance, Risk, Compliance (GRC)

Working across all of the different security functions, GRC oversees risk and business continuity, including the compensating controls that stand in where a primary control cannot be met. Risk awareness, security-business alignment, identifying and mitigating risks across a company's extended enterprise, and compliance with laws and regulations in different parts of the world all come under GRC. A GRC program makes sure that an organization's risk and compliance work is not scattered across a number of different silos.

It is, therefore, essential in helping improve decision-making and performance, and it provides an integrated view of how well an organization manages its risks. However, it has little to do with security engineering, as its focus is on untangling knots and aligning processes.

IT Security

IT security focuses on the systems that store and transmit digital information. IT security professionals are mainly responsible for creating plans to protect digital assets and for monitoring computer systems and networks for threats. Its solutions include endpoint protection and patching (EDR and XDR tooling), network security, securing routers, VPNs, DMZs and hosted servers, and placing firewalls.

Often, IT security is managed separately from mainstream security operations in product-based companies as it is more concerned with operational continuity and has little to do with security engineering.

It is important for security engineers to know these differences because, at product-focused organizations, the leaders are concerned mainly with the broader questions: "Can someone hack my code?", "Is my customers' data secure?", "Is the PII safe?". Basically, their concern is the overall health of the entire product company. The details and intricacies are left to security engineers to figure out. When the time comes, they are the ones who must find the root of the problem and offer solutions, and that is impossible if one cannot even differentiate between the security fields.

More articles by Mohd. Shadab S.