The punchline up front: all three disciplines have clear commonalities, and yet they are fundamentally different. Information security aims to protect all of a company's information – no matter whether it's on a hard drive, on paper, or in the heads of its employees. Appropriate organizational and technical measures are used to ensure confidentiality, availability and integrity. IT security, also known as cybersecurity, takes a somewhat more specific approach. It is designed to protect computer systems and networks and covers both hardware and software, as well as all types of processed data. Thus, IT security can largely be understood as a subarea of information security. One of the main tasks of IT security is to defend against cyber-attacks on the company's IT infrastructure. In times of cyber warfare and cyber-crime, it therefore plays a special role in a company's security architecture.

Similar concepts, but different protection goals

So how does data protection fit into this picture? While information security and IT security take into account all types of information that require protection, data protection focuses specifically on protecting personal data. It is based on the fundamental right to informational self-determination and aims to prevent misuse and protect the privacy of the persons concerned, regardless of the form in which this data or information is collected and processed. The legal basis for this is extremely complex and, in contrast to information security and IT security, leaves little room for manoeuvre in the design of corresponding protection concepts. While the technical and organizational protection measures often correspond to those of IT and information security, the protection goals are fundamentally different. Conflicts cannot always be ruled out.

Competence centres with well-functioning interfaces

It is thus obvious that data protection, IT security and information security often overlap. This makes it difficult to draw a strict distinction. Yet despite all the overlaps, some aspects argue for considering these three disciplines separately. For example, they are each based on their own legal and regulatory foundations. In addition, they require specific expertise and know-how in order to achieve their respective protection goals. From a business perspective, it may therefore be more effective to create specialized competence centres for each discipline and to focus on well-functioning interfaces, collaboration and exchange, rather than combining them in a triad.

E-learning for information security, IT security and data protection

Regardless of whether the individual areas are considered together or separately, employees need to be familiar with all three areas at some level to avoid personal harm and corporate damage. With the flexibility of e-learning courses, all three topics, their goals, methods, and the associated dangers of non-compliance can be made tangible. Awareness of all three topics remains essential in the organizational environment.