One question that I am frequently asked is “what is the difference between privacy and security?” It sounds simple enough, but the response often gets complicated. Maybe an analogy will help.
Privacy, security, and windows
Consider a window in your home. It provides various functions for you. It allows you to look outside. It lets sunlight into your home. A window keeps weather outside. You can open a window to let in fresh air. In an emergency, you can use a window as an exit.
A window is also vulnerable. Just as you can use it as an egress, others can use it as an entrance. To protect against unwanted visitors, you can put bars or a grate in front of the window. This still allows you to keep all of the desired functionality the window provides. This is security.
Just as you can look out a window, others can look in. Preventing unwanted eyes from looking in can be addressed by putting a drape, a curtain, or a shade inside of the window. This is privacy. Obscuring the view inside of your home also provides a little security as intruders may not be able to tell when you are home or see the things you own.
Privacy, security, and business information
It is not much different in a business environment with regard to information. Security provides protection for all types of information, in any form, so that the information’s confidentiality, integrity, and availability are maintained. Privacy assures that personal information (and sometimes corporate confidential information) is collected, processed (used), protected, and destroyed legally and fairly.
Just as the drapes on a window may be considered a security safeguard that also protects privacy, an information security program provides the controls to protect personal information. Security controls limit access to personal information and protect against its unauthorized use and acquisition. It is impossible to implement a successful privacy program without the support of a security program.
Just as the bars on a window help prevent intruders from entering your home while allowing people to look inside, a security program can implement controls without regard for privacy. For example, a security program could require credentials to access a network without restricting access to personal information. You would have security, but no privacy, as anyone with valid credentials can see all of the personal information your organization possesses.