What is information security?
Grounded in decades-old principles, information security continually evolves to protect increasingly hybrid, multi-cloud environments against an ever-changing threat landscape.
IT Infrastructure Security Illustration
What is information security?

Information security, or 'InfoSec', is the protection of an organization's important information - digital files and data, paper document, physical media, even human speech - against unauthorized access, disclosure, use or alteration. Digital information security, also called data security, receives the most attention from information security professionals today, and is the focus of this article.

Why is information security important?

Data powers much of the world economy. Cybercriminals recognize the value of this data, and cyberattacks that aim to steal sensitive information - or in the case of ransomware, hold data hostage - have become more common, damaging and costly. According to IBM’s “Cost of a Data Breach Report 2021”, the average total cost of a data breach reached a new high of USD 4.24 million in 2020-2021.

A data breach costs its victim in multiple ways. The unexpected downtime leads to lost business. A company often loses customers and suffers significant and sometimes irreparable damage to its reputation when customers' sensitive information is exposed. Stolen intellectual property can hurt a company's profitability and erode its competitive edge.

A data breach victim may also face regulatory fines or legal penalties. Government regulations, such as the General Data Protection Regulation (GDPR), and industry regulations, such as the Health Insurance Portability and Accounting Act (HIPAA), oblige companies to protect their customers' sensitive information; failure to do so can result in hefty fines. Equifax agreed to pay at least USD 575 million in fines to the Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB) and all 50 states as a result of its 2017 data breach; in October 2021, British Airways was fined USD 26 million for GDPR violations related to a 2018 data breach.

Not surprisingly, companies are investing more than ever in information security technology and talent. Gartner estimates that spending on information security and risk management technologies and services totaled USD 150.4 billion in 2021, a 12.4 percent increase from 2020. Chief information security officers (CISOs), who oversee information security efforts, have become a fixture of corporate C-suites. And demand is rising for information security analysts holding advanced information security certifications, such as the Certified Information Systems Security Professional (CISSP) certification from (ISC)². The Bureau of Labor Statistics projects employment for these analysts with these certifications will grow 33 percent by 2030.

Principles of information security

Information security practice is grounded in decades-old, ever-evolving principles that set standards for information system security and risk mitigation.

The CIA triad

Introduced in 1977, the CIA triad is intended to guide organizations' choice of technologies, policies and practices for protecting their information systems - the hardware, software, and people involved in producing, storing, using and exchanging data within the company's information technology (IT) infrastructure. The elements of the triad:
Confidentiality: Ensure parties cannot access data they're not authorized to access. Confidentiality defines a continuum, from privileged insiders with access to much of the company's data, to outsiders authorized to view only information the public is authorized or permitted to view.
Integrity: Ensure all information contained within company databases is complete and accurate, and has not been tampered with. Integrity applies to everything from preventing adversaries from intentionally altering data, to preventing well-intentioned users from intentionally or unintentionally altering data in unauthorized ways.
Availability: Ensure that users can access the information they're authorized to access, when they need it. Availability dictates that information security measures and policies should never interfere with authorized data access.
The ongoing process of achieving and maintaining confidentiality, integrity, and availability of data within an information system is known as “information assurance.”

Information security programs

Information security professionals apply the principles of information security to information systems by creating information security programs. These are collections of information security policies, protections, and plans intended to enact information assurance.

Risk assessment

The creation of an information security program typically begins with a cyber risk assessment. By auditing every aspect of a company’s information system, information security professionals can understand the exact risk they face, and choose the most appropriate security measures and technologies to mitigate the risks. A cyber risk assessment usually involves:

Identifying vulnerabilities. A vulnerability is any weakness in the information technology (IT) infrastructure that adversaries can exploit to gain unauthorized access to data. For example, hackers can take advantage of bugs in computer programs to introduce malware or malicious code into an otherwise legitimate app or service.

Human users can also constitute vulnerabilities in an information system. For example, cybercriminals may manipulate users into sharing sensitive information through social engineering attacks like phishing.

Information security professionals often employ penetration testing, a simulated attack on their own information system, to uncover these vulnerabilities.

Identifying threats. A threat is anything that can compromise the confidentiality, integrity, or availability of an information system.

A cyberthreat is a threat that exploits a digital vulnerability. For example, a denial of service (DoS) attack is a cyberthreat in which cybercriminals overwhelm part of a company's information system with traffic, causing it to crash.

Threats can also be physical. Natural disasters, physical or armed assaults, and even systemic hardware failures are considered threats to a company's information system.

Related solutions
Data Security Services

IBM Data Security Services help organizations with data security strategy, data discovery, data loss prevention, data security governance, and database security monitoring.

Explore data security services
Application Security Services

IBM Application Security Services transform DevOps into DevSecOps by delivering application security training, application threat modeling services, and more.

Explore application security services
Data Security Solutions

Get started with IBM data security solutions

Explore data security solutions
Information security resources Data security in a multi-cloud world
Register for the EMA ebook explaining the state of data security in a multi-cloud world
Information security and IBM

As organizations manage more data in a multi-cloud environment, information security has grown more complex. Working with IBM, information security professionals can access the right tools and expertise to manage sensitive data and mitigate risks.

IBM Security Guardium® solutions
IBM Security Guardium® solutions include IBM Security Guardium® Data Protection IBM Security Guardium® Insights IBM Security Guardium® Data Encryption