Is there a difference between “Security and Privacy”? by Sawan Bhan

~Reviewed by Bishakha Jain

There is a common belief in the information security community that Security and Privacy are related, but that they are different enough that the distinction must constantly be pointed out.

I don’t think the difference should matter much to defenders, and in fact, if you look close enough the distinction nearly vanishes. They are simply different aspects of the unified goal of protecting information. Security and Privacy are both about preventing unwanted outcomes related to data.

As members of the public and as customers, we think about controlling who has our data, and we try to make sure that the vendors we trust do the right thing with it.

But as a security professional, or as a security staffer inside an organisation, you are already exposed to people’s data. The focus at that point is on doing your absolute best to make sure nobody collects or uses it in a way that is not desirable.

And in that context, there is little difference at all between Privacy and Security. In both cases, you’re trying to avoid bad things happening to the data you’re protecting.

Image from teachprivacy.com

Let’s look at some scenarios to see what I mean.

Consumer risks:

Concern: A mobile app shares your sensitive data with a third party.
Defense: You don’t give them your data.

Concern: Your router gets hacked and it collects passwords and gives them to an attacker.
Defense: You update your router or buy another brand.

Concern: Your home security system has a cloud vulnerability that lets anyone see through your home cameras.
Defense: You update your router or buy another brand.

Concern: Your workout app shares your location with unscrupulous third parties.
Defense: You complain on Twitter and they change their policy.

And now some scenarios that security people might face.


Image by Lisa Holloway

Security professional risks:

Concern: Someone puts your customers’ data in a public-facing database with no password.
Defense: You make a policy saying people can’t do that anymore.

Concern: An admin gets phished and an attacker installs malware that extracts customer data from an internal database.
Defense: You update your phishing and endpoint defences.

Concern: Someone compromises a public-facing web application and steals customer data using SQLi.
Defense: You install a WAF and start doing secure coding.

Concern: China launches an APT campaign against you and steals a million documents full of your customers’ intellectual property.
Defense: You install more detection and response mechanisms.


That’s Privacy, and it’s also Security. Consider how these situations are the same and how they are different. In my mind, they are all fundamentally the same: both the consumer and the professionals are trying to keep unauthorised people from getting at information they care about protecting.

As it happens, the etymology of the word Security is very useful. It comes from Latin: “se” means without, and “cura” means worry or concern. So providing Security for your people means they are free to play and work and enjoy life without constantly looking over their shoulder.

The word Security breaks down as “se” and “cura”, which is Latin for “without worry”.

All of these concepts reduce to avoiding negative outcomes for the data we are trying to protect, so let’s stop drawing thick, sharp lines between them when there is no reason to do so.