
Drawing the Line Between Security Incidents and IT Incidents
cybersecurity, incident classification, IT governance, security incidents, IT incidents
The post is from a newly merged company with an early-stage governance structure and a recently formed Information Security team. The organization currently views direct attacks as security incidents but struggles to classify other issues that may impact confidentiality, integrity, or availability (CIA). Key questions include how to distinguish between security incidents, operational incidents, and development issues, as well as whether all availability failures or bugs should be treated as security concerns. The author seeks practical guidance on classification methods, such as root cause, impact, intent, or policy violations.