
Information Security vs Cybersecurity vs IT Security: What's the Difference?

February 27, 2026, by Mario Bouchard, M. Adm., CISSP

Three terms. Three budgets. Very different conversations around the boardroom table, except most of the time, everyone thinks they're talking about the same thing.

Your VP of IT talks about cybersecurity. Your auditor talks about information security. Your vendor talks about IT security. You nod along, figuring it's probably the same thing with different labels.

It's not the same thing. And the confusion has a real cost, especially when it's time to build a security program, hire the right people, or meet regulatory requirements like Quebec's Law 25.

Let's clear this up once and for all.

Three Concepts, Three Scopes

Picture three nested circles, like Russian nesting dolls: the largest contains the other two, and the smallest sits inside both.

Information security is the largest doll. It's the protection of all your organization's information, whether digital, printed, verbal, or scribbled on a sticky note. We're talking policies, governance, data classification, employee training, logical and physical access management. It's the broadest of the three disciplines. In the trade, it's called InfoSec.

Information security doesn't start with technology. It starts with a question: what information has value for us, and who should have access to it?

Cybersecurity is the middle doll. It's the protection of systems, networks, and data in digital space, or "cyberspace." Ransomware attacks, phishing, intrusion detection, incident response. It's the term the media uses most, the one the public knows best. But it's only a subset of information security: it covers the digital world, not the physical world or overall governance.

IT security is the smallest doll. It's the protection of the technology infrastructure itself: servers, workstations, firewalls, networks, operating systems, patches. It's the most technical of the three. When your IT team talks about "patching a server" or "configuring the firewall," that's IT security.

Here's a summary:

Discipline           | Scope                                          | Real-world examples
---------------------|------------------------------------------------|--------------------------------------------------------------------------------
Information security | All information: digital, physical, verbal     | Data classification policies, employee training, physical access controls, governance
Cybersecurity        | Digital space: systems, networks, data         | Intrusion detection, ransomware response, threat monitoring, phishing
IT security          | IT infrastructure: hardware, software, networks | Security patches, firewall configuration, server hardening

In practice, the boundary between cybersecurity and IT security isn't as clear-cut as the model suggests. The two overlap significantly. IT security includes elements that aren't strictly "cyber" (physical security of a server room, for instance), and cybersecurity covers realities that go beyond traditional IT infrastructure (threat intelligence, industrial systems, the Internet of Things). What truly matters is understanding that information security encompasses both and adds the layer most often missing in SMBs: governance.

Situations You'll Recognize

Let's put this in context with real-world situations. Each falls under a different discipline and requires different expertise.

An employee leaves a confidential file on the shared printer. Nobody knows who picked it up. No policy specifies how to handle sensitive paper documents. This is an information security problem. No technology involved, but a very real risk.

Your controller receives an email that appears to come from the CEO, requesting an urgent wire transfer of $47,000. The email passed every filter, because there was nothing technically malicious in it: no attachment, no link, just a convincing request. This is a cybersecurity attack, commonly called business email compromise, a digital scheme that exploits human trust through a technological channel. Notice that the control most likely to stop it is an out-of-band confirmation step (a phone call to a known number before any transfer), not another filter.

A critical server hasn't received its security updates in eight months because "nobody had the time." A vulnerability scan reveals three known flaws, one of which is being actively exploited. This is an IT security issue. Basic technical maintenance that was neglected.

Your organization adopts a data classification policy that defines what's confidential, internal, or public, and who can access it under what circumstances. This is information security in its most strategic form, the framework that dictates everything else.

Your IT team deploys an intrusion detection system that monitors network traffic in real time and triggers an alert when abnormal behavior is detected. This is operational cybersecurity, the ability to see what's happening and react.

You'll notice a pattern. Information security problems are often problems of process and decisions. When adversaries and threats enter the picture, that's cybersecurity. And when the issue comes down to infrastructure and configuration, you're looking at IT security.

All three are necessary. None replaces the others.

Why This Distinction Changes Everything for Your Organization

Confusing these three concepts leads to two classic traps.

The IT-security-only trap. Your IT team does conscientious work: firewall configured, antivirus deployed, patches applied. Your machines are protected. But there's no data classification policy. No phishing training. No incident management process. The day an employee falls for a fraudulent email, nobody knows what to do, who to call, or what to tell clients. You had solid walls, but no evacuation plan.

The cybersecurity-without-governance trap. You invest in a security operations center. You have detection, monitoring, alerts. But there's no governance framework defining roles, responsibilities, and decision-making processes. When the alarm goes off at 2 a.m., who decides to cut network access? Who notifies the board? Who talks to the media? Without governance, cybersecurity is a fire alarm in a building with no fire wardens.

The complete approach. Information security encompasses the other two. It provides the strategic framework (governance, policies, compliance, culture) within which cybersecurity and IT security operate coherently.

That's exactly why our firm is called InfoSec Sécurité de l'information. Not "CyberSec." Not "IT Security Solutions." Because we operate at all three levels, and the strategic level is what makes the difference between an organization that manages its risks and one that discovers them on the day of the incident.

Where Does Law 25 Fit In?

Law 25 (Quebec's Act to modernize legislative provisions as regards the protection of personal information, which came into force in three annual phases from September 2022 to September 2024) doesn't talk about firewalls. It doesn't talk about cybersecurity either.

It talks about information security.

It requires "security measures appropriate to ensure the protection of personal information." It requires a person in charge of the protection of personal information (a privacy officer). It requires privacy impact assessments for projects involving personal information. It requires a register of confidentiality incidents. If an incident presents a risk of serious injury, it requires notification to the Commission d'accès à l'information and the individuals concerned, with diligence.

All of this is governance. Information security in the broadest sense. If your security program is limited to technical infrastructure, you may be compliant with your internal IT standards, but you're not compliant with Law 25.

Where to Start?

If you're reading this and realizing that your organization mostly does IT security (maybe some cybersecurity) but very little information security in the broader sense, you're not alone.

Three questions to ask your team this week:

First question: "If we discover a data breach tomorrow morning, does everyone know what to do, in what order, and who to contact?" If the answer is vague, you have a governance issue, not a technology one.

Second question: "Do we have an inventory of our sensitive information (not just our systems, but our data) and do we know who has access to it?" If the answer is no, you're protecting machines without knowing what's inside them.

Third question: "Does our security program cover all three levels (governance, cyber defense, and infrastructure) or are we putting all our eggs in one basket?" If 95% of your budget goes to technical controls and 5% to governance, the ratio deserves a closer look.

If you're looking for strategic support to build or strengthen an information security program that covers all three levels, let's talk. Fifteen minutes, no commitment, to see if we can help.


Mario Bouchard, M. Adm., CISSP — President, InfoSec Sécurité de l'information Inc. With over 30 years of experience in cybersecurity, he helps CISOs and IT leaders turn cybersecurity into a delivery accelerator rather than a roadblock. infosecurite.com