There’s a common belief in InfoSec circles that Security and Privacy are related, but that they’re different enough to constantly mention the distinction.
I don’t think the difference should matter much to defenders at all, and in fact if you look closely enough the distinction nearly vanishes. They are simply different aspects of the unified goal of protecting information.
Security and Privacy are both about preventing unwanted outcomes related to data.
To see what I mean, let’s look at some definitions.
“Procedures or measures used to protect electronic data from unauthorized access or use.”
Source: Google aggregation
So, based on Google seeing and knowing about dozens of definitions for InfoSec, it summarizes it as protecting data from unauthorized use. I’d agree that’s a decent summary.
Then if we look at the overall Privacy definition we get something similar.
“Data privacy, also called information privacy, is the aspect of information technology (IT) that deals with the ability an organization or individual has to determine what data in a computer system can be shared with third parties.”
Source: Google aggregation
So, it’s the ability for someone to control how their data is shared—and presumably whether and how it’s collected in the first place as well. I also agree with that.
There’s also another red herring here around Privacy vs. Data Privacy. The original concept of Privacy is about hiding and not being made public, whereas Data Privacy is about participating in a digital society in a way that you feel comfortable with.
In my analysis, the only real difference here is context.
As a society and as consumers we care about controlling who has our information, and we try to make sure those trusted vendors do the right thing with it. That’s privacy in a consumer or public context.
But as a security professional—or as a security organization within a company—you are already getting exposed to people’s data. The focus at that point is on doing your absolute best to make sure nobody collects or uses it in a way that’s not desirable.
And in that context there is little difference at all between Privacy and Security. In both cases you’re trying to avoid bad things happening to the data you’re protecting.
Let’s look at some scenarios to see what I mean.
| Scenario | Response |
|---|---|
| A mobile app shares your sensitive data with a third party | You don’t give them your data |
| Your router gets hacked and it collects passwords and gives them to an attacker | You update your router or buy another brand |
| Your home security system has a cloud vulnerability that lets anyone see through your home cameras | You update your router or buy another brand |
| Your workout app shares your location with unscrupulous third parties | You complain on Twitter and they change their policy |
And now some scenarios that security people might face.
Security professional risks
| Scenario | Response |
|---|---|
| Someone puts your customers’ data in a public-facing database with no password | You make a policy saying people can’t do that anymore |
| An admin gets phished and an attacker installs malware that extracts customer data from an internal database | You update your phishing and endpoint defenses |
| Someone compromises a public-facing web application and steals customer data using SQLi | You install a WAF and start doing secure coding |
| China launches an APT campaign against you and steals a million documents full of your customers’ intellectual property | You install more detection and response mechanisms |
Think about how these scenarios are the same and how they’re different. In my mind, they’re all basically the same—i.e., both the consumer and the professional are trying to prevent unauthorized people from having access to data they care about protecting.
That’s Privacy, and it’s also Security.
As it turns out, the etymology of the word Security is quite informative. It comes from Latin: “Se” means without, and “Cura” means worry, or concern. So providing Security for your people means they’re free to play and work and enjoy life without constantly looking over their shoulder.
The word Security breaks down as “se” and “cura”, which is Latin for “without worry”.
Without Worry is the most succinct description of the goal of security I’ve ever heard, and it applies equally to both Privacy and InfoSec. It also allows us to reduce the discussion to first principles.
- There are people and organizations.
- They have data they care about.
- They want to control how that data is collected, used, and protected.
- As security professionals it’s our job to carry that out.
We’ve just described “Data Security”. We’ve just described “InfoSec”. And we’ve also just described protecting people’s Privacy.
All these concepts reduce to avoiding negative outcomes with regard to data we’re trying to protect, so let’s stop drawing thick and sharp lines between them when there’s no reason to do so.
- Thanks to my friend Peter Albert for turning me on to the Latin etymology of Security. It’s been enjoyable to track other security terms and see their original meanings, and has also prompted me to keep learning more Latin in general.
- If someone knows of a reason for a clear demarcation here that I’m missing, please let me know. I’m open to being wrong about this.