Why Information Security? Why not another name?
Value Governance Academy
Information Governance Research, Development and Training
Information security, cybersecurity, data privacy, risk management: these and other security-related names are all in use. But why these names, and what is the difference between them? Could another name do?
In this article, we set out to find an answer to this question.
Everything starts with a wish and with the aim of achieving what we want. What do we want? Protection. So what is to be protected? Information, hardware, reputation, money, people, or something else?
In information security definitions, standards and guidelines, it is always said that the most valuable asset of an institution is its information. That is why it is said that information should be protected. In a sense, the definition of information security comes from here: the purpose is to ensure the security of information. If we ask how we can achieve this, the methods and requirements are quite diverse. To secure the information, we must secure the hardware that contains it, the applications, the people, the procedures and the assets that produce and use it. This is actually the starting point.
So what is security? In almost all sources, security is defined as a combination of confidentiality, integrity, and availability (CIA). In other words, this means ensuring the confidentiality of the information, ensuring the integrity of the information and ensuring the availability of the information.
Well, isn't ensuring the effectiveness of information within the scope of ensuring security? Or ensuring compliance with regulations? In fact, although we do not define it that way, when we look at the processes in operation, we see that work is carried out to satisfy many criteria beyond the CIA concepts. This means that information security is not limited to the CIA. However, this scoping stems from the need for a concept, a definition and a name. If you do not draw and define a sufficient and correct border, it is not possible to tell people the truth of the matter. Going down to the essence and philosophy of the subject is not something that is done very often. We will not discuss the philosophy of security here, but, to be honest, philosophy is also necessary to understand the essence.
Ensuring security actually means "protecting". In other words, "information protection" might be a more accurate concept than "information security". In fact, many sources spell this out in their definitions.
Why do we protect information? To ensure its confidentiality, to ensure its integrity, to ensure its accessibility and to provide other information criteria. The work done is to protect the information, achieve the desired target(s) and provide the criteria of information at the expected level.
So, wouldn't it be more accurate to define information protection instead of information security? If we say information protection, doesn't it cover all the definitions of cyber security, data privacy, etc.? Wouldn't it also be a more inclusive definition? At the same time, by expanding the CIA concepts, wouldn't all kinds of information criteria that are affected when information is not protected also fall under this concept? Even though it is not named as such, this is the purpose of the work done, isn't it?
We know that accessibility, which is among the classical information security components, is actually considered as a whole within the scope of business continuity. Business continuity is essentially the availability of information, and the other factors are the protection of the business as a whole. The main purpose is to protect the business. Protecting the business is the whole of the activities that protect the people, the information, the applications and all the assets the business uses.
Then why should information security and business continuity be handled separately? Or can they be? Is it right to consider them separately?
So information security is not limited to the CIA, and business continuity cannot be considered separately from information security or information security from business continuity. And in a sense, business continuity is the targeted result, and information security is actually the whole of the activities carried out to meet these and other results.
Although it doesn't sound good, saying "Business Protection" and "Business Continuity" might be a more accurate way of expressing it. Business Protection targets many results, especially Business Continuity. At the same time, as a chicken-and-egg question, it can be said that business continuity includes business protection, or that business protection provides business continuity. This may be a long discussion, but the answer will actually depend on the need for naming and on an adequate understanding of the meaning and scope of that name. In other words, while business continuity in Company A will cover business protection, business protection in Company B includes business continuity. This is not an issue that needs much attention. The main thing is the name under which the organization, together with all its stakeholders, best grasps and manages the essence of the business.
At this point, the following question may come to mind: business protection or risk management? Business protection, or business continuity, which we have tried to explain so far, actually manages risks. But all the risks? Generally not. Risk management is broader and more inclusive and can take a more strategic view. Here again, the names and classifications depend on how well the institution comprehends and manages the activities it deals with under these definitions.
Let's not go too far, but when the cause-and-effect relationship is considered, information protection (instead of information security), business protection (instead of business continuity), and enterprise protection (instead of risk management) can be more descriptive and express the relationship between them more clearly.
It may be beneficial for institutions such as ISO, NIST, ISACA, which issue standards, to review their future studies with this perspective.
"The only constant in life is change." - Heraclitus