
Organizations face an increasing number of cyber threats that can disrupt operations, compromise or exfiltrate sensitive data, damage their reputation, and exact crippling financial hardship. Effectively managing cybersecurity risks is crucial to protect valuable assets and maintain business continuity.

For many business owners and C-level executives, the realm of cybersecurity can seem overwhelming. They understand its importance but may not be clear on the specific steps needed to ensure their business is cyber-safe. Often, these key decision-makers rely on their IT teams to provide assurances of cybersecurity.

However, it's worth noting that while IT is certainly an integral part of a secure business environment, IT expertise does not automatically equate to expertise in cybersecurity. So when it comes to cybersecurity, the question is: who is the expert? In this blog, we'll explore that question and provide practical guidance for executives seeking to enhance their organization's cybersecurity posture.

Information Technology (IT) Providers: Most companies have a person, a team of people, or an outside firm that handles everything related to Information Technology systems.

Information Technology is the use of computers to create, process, store, retrieve and exchange all kinds of data and information. An information technology system is generally an information system, a communications system, or, more specifically speaking, a computer system — including all hardware, software, and peripheral equipment — operated by a limited group of IT users. (Wikipedia)

The person(s) responsible for IT ensure that the servers and computers work when your employees need them. Employees get paid to be productive, and in order to do that, the IT systems need to operate at peak efficiency. IT professionals are good at making sure that’s the case.

Information Security (IS) Providers: Most companies do not have a person, a team of people, or an outside firm that handles everything related to Information Security.

Information Security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management and typically involves preventing or reducing the probability of unauthorized/inappropriate access to data, or the unlawful use, disclosure, disruption, deletion, corruption, modification, inspection, recording, or devaluation of information. It also involves actions intended to reduce the adverse impacts of such incidents. (Wikipedia)

A serious problem for many businesses or organizations is relying on the information technology person/team/firm to handle information security.

This is despite the fact that most IT professionals have no formal information security training.

So, how can you tell if a person is qualified in cybersecurity risk management?

The answer – certifications.

Certifications: Cybersecurity Professionals carry certifications to show that they have been specifically trained in cybersecurity. Here are 3 of the most widely recognized information security certifications:



The most prestigious designation in use today is CISSP, which stands for Certified Information Systems Security Professional. CISSP is a security certification developed by the Information Systems Security Certification Consortium (ISC).

The CISSP designation is a globally recognized, vendor-neutral standard attesting to an IT security professional's technical skills and hands-on experience implementing and managing a security program.

CISSP certification is highly sought after by IT professionals. Hiring organizations often look for candidates who have passed the CISSP exam because candidates with the CISSP credential must be sufficiently knowledgeable about cybersecurity to be able to pass the certification exam and have hands-on experience and, potentially, formal CISSP training.

Becoming CISSP-certified requires more than passing the Certified Information Systems Security Professional certification exam. Candidates are required to have a minimum of five years of full-time, hands-on experience in at least two of the eight CISSP domains (below):

1. Security and Risk Management

2. Asset Security

3. Security Architecture and Engineering

4. Communication and Network Security

5. Identity and Access Management

6. Security Assessment and Testing

7. Security Operations

8. Software Development Security

To earn the CISSP credential, the candidate must pass the certification exam, as well as complete the CISSP exam agreement, subscribe to the ISC code of ethics, answer background qualification questions, and receive an endorsement from an active ISC-certified professional.

To maintain the CISSP certification, candidates are required to earn at least 120 Continuing Professional Education (CPE) credits every three years and pay an annual maintenance fee.

There are only 94,320 CISSPs in the U.S. So, if you can find a cybersecurity company that has a CISSP on board, it’s safe to trust their recommendations. (CISSP NOW)



Certified Information Systems Auditor (CISA) is a certification and a globally recognized standard for appraising an IT auditor's knowledge, expertise, and skill in assessing vulnerabilities and instituting IT controls in an enterprise environment.

This certification is issued by ISACA (Information Systems Audit and Control Association) to people in charge of ensuring an organization's IT and business systems are monitored, managed, and protected. It is presented after the completion of a comprehensive testing and application process. It is designed for IT auditors, audit managers, consultants, and security professionals.

Attaining CISA certification is considered beneficial because it is accepted by employers worldwide and is often requested for IT audit and security information management (SIM) positions.

The primary duties of a CISA include:

  • Implementing an audit strategy for information systems (IS) that is based on risk management.
  • Planning audits that can be used to determine whether or not IT assets are protected, managed, and valuable.
  • Executing the audits in compliance with the organization's set standards and objectives.
  • Sharing audit results and providing recommendations to management based on the results.
  • Performing re-examinations of the audits to ensure the recommended actions have been performed by management.

A CISA's responsibilities often extend beyond auditing control. They are expected to work with management to confirm organizational processes, plans for implementation and operation of the deployed systems, and promote the organization's objectives and strategies.

This includes evaluating:

  • Risk management practices.
  • IT portfolio and resource management.
  • Strategies for business-IT alignment.
  • Business continuity and disaster recovery strategies.
  • IT policies, standards, processes, and procedures within the organization.
  • The value of the IT control framework.
  • The management and monitoring of IT personnel, the IT organizational structure, and controls. (TechTarget)


Certified Information Security Manager (CISM) is an advanced certification that indicates that an individual possesses the knowledge and experience required to develop and manage an enterprise information security (infosec) program.

CISM is offered by ISACA (see above) — a non-profit, independent association that advocates for professionals involved in infosec, assurance, risk management, and governance.

To maintain CISM certification, individuals must sustain an adequate level of knowledge and proficiency in the field of information systems security management, complete 20 continuing professional education (CPE) hours annually and follow ISACA's Code of Professional Ethics. (TechTarget)

Make sure that the person designing and implementing your cybersecurity risk management strategy is a professionally trained Cybersecurity Expert. Many IT professionals feel they have the knowledge to secure IT systems and data properly and will tell the C-Suite, “We’re fine” when it comes to cybersecurity.

The sad reality, as many businesses have found out after a catastrophic cyber attack, is that they were not, in fact, “fine.”

Cybersecurity professionals have been trained in current Cybersecurity Risk Management Best Practices (see related blog) and the most effective ways to use state-of-the-art tools to mitigate cyber risk.

More importantly, they possess the skills and knowledge to develop a strategy to effectively deploy these tools relative to your organization or business's specific intricacies and current needs.



Information Technology (IT) professionals use tools and services to streamline and optimize the use of computers and other electronic equipment that are used to receive, store, retrieve, transmit, and manipulate data. Their goal is to maximize efficiency and uptime for all users.

Information Security (IS) professionals use tools and services to prevent unauthorized access, use, disclosure, disruption, modification, or destruction of sensitive data. More specifically, IS experts focus on four primary objectives:

1. Protecting the organization’s ability to function.

2. Enabling the safe operation of applications used by the organization’s IT systems.

3. Protecting the data the organization collects and uses.

4. Safeguarding the technology the organization uses.

IT and IS are two completely different disciplines. They are interconnected, but unless an IT technician has had specific (and extensive) IS training, they are not qualified to provide information security services.
