Skip to content

Information Security vs. Cyber Security vs. Privacy

The differences and overlaps of these three practices.

Founders and boards mix these three up constantly. Then the wrong team owns the risk, or nobody does.

They overlap. They are not the same. Knowing which is which is how you assign accountability without dumping everything on IT.

Here is how I draw it:

Differences between Information Security, Cyber Security, and Privacy
Overlap sketch - scale is for discussion, not importance ranking.

Information security

Protect information from unauthorised access, use, disclosure, disruption, modification, or destruction - electronic, paper, and verbal.

Social engineering that tricks staff into handing over a customer list. An insider altering records. A mis-sent email with contracts attached. That is infosec, even when no malware was involved.

Privacy

Privacy is the right of individuals to control how their personal information is collected, used, and shared. In practice it is the infosec problem for a regulated subset of data: PII, and whatever your local law calls it.

I treat privacy as a subset of information security when defining roles. It keeps ownership clear: business owns the personal data decisions; tech enables the controls.

A PII breach or misuse of customer data for a purpose nobody consented to - that is privacy work with legal teeth.

Cyber security

Cyber security protects systems, networks, and the data on them from digital attack and failure.

Ransomware. Unpatched servers. A DoS that takes the service offline. That is cyber. It is related to infosec, but it is not the whole of infosec.

Who owns what

Your technology team can secure servers, networks, and apps. It rarely has the authority or organisational knowledge to redesign how Sales shares files, how Legal stores contracts, or whether Marketing should put customer emails into a new SaaS tool.

Joe Bloggs' access to a business system is an information-owner decision. Tech can grant the access once someone with authority says so. Tech cannot invent that decision.

Think of a car:

  • Owner - information owner, not "whoever has admin rights"
  • Rules - policies and law, same as road rules
  • Right to use - systems must meet legal and policy requirements, like a warrant of fitness
  • Day to day - grant access, use data properly; you can outsource the work, not the accountability
  • Training - anyone who touches the information needs to know the rules; you can hire a trainer, you still own the outcome
  • Mechanic - technology patches, hardens, and accredits systems against cyber policy
  • Accreditation - the information owner keeps the system inside policy; the CISO (or equivalent) is usually who signs that off

Tech helps. It cannot carry the business's information risks alone.

This week

  1. List your top risks. Tag each as infosec, privacy, cyber - or more than one.
  2. Name an accountable owner for each. Check they know they own it.
  3. Ask those owners for a plan and evidence of progress - not a hope.
Olivier Reuland