I've always found that there's a fair amount of confusion on what the difference between Information Security and IT Security is.
Whilst I don't know THE difference here's a difference.
IT Security is hard to comprehend but easy to implement, Information Security is easy to comprehend but hard to implement.
If you think about an IT task, say advising on the protection of a new web services link that your company will be sending information over from an IT Security and Information Security perspective the difference in comprehension may become clear.
From an IT Security perspective effectively advising on this requires that you understand how web services function, are aware of the standards in the area (which is complex in itself) understand how XML can be encrypted, what options there are for authentication the transfer and so on. Now once you've comprehended that fully, actually implementing the appropriate protection should be relatively straightforward.
From an Information Security perspective all you really need to know is that web services are a means of transferring data from one party to another, and at that point all you may really care about is "is the information over the link appropriately protected and are participants in the link authenticated and authorised"
So where does the hard to implement bit come in?
Consider a typical Information Security task. Many security standards have a concept that Information in a company should be classified at different levels and then handled differently based on those levels. A typical classification scheme might have 3 or 4 different levels of marking and protection.
In terms of comprehending why you need to do it and even what needs to be done (marking requirements etc.) reasonably straightforward. However implementing this kind of scheme is something that very few corporations have done effectively. The difficulties in training staff, and getting buy-in to what is additional work, from senior management are very tricky to do effectively...
