The Question isn't "Are IT and Cyber different?" - It's "How are IT and Cyber different?"
It would be natural to assume that the IT department does cybersecurity. Both deal with computers, right?
When I was a corporate lawyer, I used to get bothered by people who would ask me about divorce law under the assumption that it was a lawyer thing so it didn’t matter – I should know it. I didn’t study family law in law school on purpose. And what I do know was learned over a year of advising soldiers on family law day in the legal assistance office.
But I digress for a reason: to underscore that while it makes sense to assume, the reality is that one is a specialty that isn’t automatically done within an IT department’s duties. Both, however, are integral to a business being continuous in its operations.
Information technology (IT) deals with the networks, computers/hardware and software that store and share data (aka information). Cybersecurity deals with protecting that information.
IT professionals will manage and build the computer systems and network. An IT employee will do risk management to prepare for a disaster or disruption to the system by doing a disaster recovery (DR) plan. Part of this plan is to backup data so the latest version possible is accessible. It will also involve implementing steps to maintain or resume IT functions in the event of a disaster or disruption that impacts the business.
A cybersecurity specialist, on the other hand, is looking more closely at preventing unauthorized access to files and systems and defending against those attacks. Their risk management assessment is different. They will make sure software is updated, passwords are properly managed, anti-virus protection is used and set up firewalls. A firewall monitors incoming and outgoing network traffic and allows or blocks it depending on defined security rules. A firewall on steroids is a VPN, which is why – when working remotely – using a VPN is highly advised as it is private and it encrypts data. Cybersecurity professionals help avoid and respond to computer and network breaches.
A good illustration might be to think of these digital systems as physical. You have papers. The IT professional will make sure the papers are organized into manila folders and those manila folders are hung in a file cabinet and build the organizational system so it makes sense and you know where to find things.
The cybersecurity specialist will first want to put all the file cabinets in a room and put a lock on the door. And then maybe, based on the value of the information, put locks on the file cabinets, too. But also, it might just be a key, a cypher lock, or a dial combination lock – again, depending on the value. The more value or the higher level of protection wanted, a different type of security mechanism is evaluated for how effective it is at keeping unwanted people out.
Maybe adding a couple of hungry doberman's outside the door is a good idea. Really good cyber specialists have to imagine that the person wanting access has some skills in unlocking locks, has some bolt cutters, and raw steaks to feed the dogs. They have to be better than the criminals' skills at thwarting their locks.
Don’t assume you have your cybersecurity on lockdown because you have an IT department. Make sure cyber is being taken of.
The thing they have in common: making sure business owners can do their jobs efficiently and effectively with confidence. Both of them are, in this case, part of a business continuity program.