The difference is in how we establish the security policy
This article is by Featured Blogger Daniel Miessler from his blog Daniel Miessler. Republished with the author’s permission.
Short answer: it’s a trick question. Privacy is part of security.
But just because one is part of the other doesn’t mean they are the same. There’s a nuance there that’s important.
- Information Security is about controlling access to information.
- Privacy is about making sure users’ expectations about use of their personal data are reflected in the real world.
These are extremely similar, but not identical.
The main difference is that with security the policy for protection and use is a given, and with privacy it’s a conversation with the user.
Both are about avoiding misuse of data. The difference is in one component—the policy, i.e., the expectation of how information is supposed to be used.
With privacy, this is an important point because that expectation needs to be captured from the user at various points in the lifecycle of a product or service.
With the larger information security field, this expectation of protection and use is given to us as an explicit policy at the beginning: these people can do this with this data, these people cannot, etc.
That’s really the difference.
So don’t listen to anyone who says they’re either completely different or completely the same. It’s more nuanced than that.
Both are about protecting information from use that violates policy, which is information security. Privacy just involves gathering that policy from the user as part of the process.