
Historical Background: Information Assurance

In the late 1960’s and early 1970’s computers were being steadily introduced into mainstream business processing. The activity was known then as ‘data processing’.

To begin with, computers only manipulated numbers and were used either to solve difficult-to-compute mathematical problems or to carry out highly repetitive numerical computations in a fraction of the time taken by humans. The first true business applications were focused purely on financial accounting (remember that the concept of ‘word processing’ was only invented in the mid-1970’s).

Because financial accounts required auditing, a new breed of financial auditor was born, known as the ‘computer auditor’. These people were still financial auditors, but had computer expertise and so could verify the computer-based accounts. The knowledge and skill of computer auditors gradually expanded more and more into the technology as it became clear that verifying the accounts meant verifying the proper working of the computer.

It was soon realised that there were some security issues to be addressed, and so the term ‘computer security’ was coined. Computer auditors were the first practitioners of this new discipline. Later, as the adoption of automated data processing (ADP) by business moved on, concern was refocused away from the machines and onto the data itself, and so the term ‘data security’ became fashionable.

In the late 1970’s computer networks were being developed and rolled out into business applications, and the term ‘information technology’ was invented to embrace both computing and ‘data communications’. This term was becoming popular around 1980. In the UK, the very first university courses in IT were launched in 1983, following a UK government awareness campaign in the previous year, branded as ‘IT 82’.

Later still, in the mid-1980’s, and as the maturity of business computing advanced further and further, the focus on security of raw data again seemed to many to be too technical, and so, following the ‘IT’ terminology, we adopted the more business-focused term ‘information security’, including the security of information not necessarily processed by computers. The discipline was characterised by protecting three attributes of information: confidentiality, integrity and availability (CIA). For those who wanted to emphasise the technology aspects, the term ‘information systems security’ was used.

‘Information security’ was the term used consistently throughout the 1990’s, but it took on a broader meaning when the SABSA team developed the concept of Business Attributes Profiling in 2000.

Now, in the last few years, ‘information security’ has been increasingly replaced and/or augmented by the term ‘information assurance’. This is still a new term, and professionals are still asking one another: What does it really mean? Is it different from information security, and if so, how?