·
Information Security vs. Cyber Security vs. Privacy
The differences and overlaps of these three practices.
Founders and boards mix these three up constantly. Then the wrong team owns the risk, or nobody does.
They overlap. They are not the same. Knowing which is which is how you assign accountability without dumping everything on IT.
Here is how I draw it:
Information security
Protect information from unauthorised access, use, disclosure, disruption, modification, or destruction - electronic, paper, and verbal.
Social engineering that tricks staff into handing over a customer list. An insider altering records. A mis-sent email with contracts attached. That is infosec, even when no malware was involved.
Privacy
Privacy is the right of individuals to control how their personal information is collected, used, and shared. In practice it is the infosec problem for a regulated subset of data: PII, and whatever your local law calls it.
I treat privacy as a subset of information security when defining roles. It keeps ownership clear: business owns the personal data decisions; tech enables the controls.
A PII breach or misuse of customer data for a purpose nobody consented to - that is privacy work with legal teeth.
Cyber security
Cyber security protects systems, networks, and the data on them from digital attack and failure.
Ransomware. Unpatched servers. A DoS that takes the service offline. That is cyber. It is related to infosec, but it is not the whole of infosec.
Who owns what
Your technology team can secure servers, networks, and apps. It rarely has the authority or organisational knowledge to redesign how Sales shares files, how Legal stores contracts, or whether Marketing should put customer emails into a new SaaS tool.
Joe Bloggs' access to a business system is an information-owner decision. Tech can grant the access once someone with authority says so. Tech cannot invent that decision.
Think of a car:
- Owner - information owner, not "whoever has admin rights"
- Rules - policies and law, same as road rules
- Right to use - systems must meet legal and policy requirements, like a warrant of fitness
- Day to day - grant access, use data properly; you can outsource the work, not the accountability
- Training - anyone who touches the information needs to know the rules; you can hire a trainer, you still own the outcome
- Mechanic - technology patches, hardens, and accredits systems against cyber policy
- Accreditation - the information owner keeps the system inside policy; the CISO (or equivalent) is usually who signs that off
Tech helps. It cannot carry the business's information risks alone.
This week
- List your top risks. Tag each as infosec, privacy, cyber - or more than one.
- Name an accountable owner for each. Check they know they own it.
- Ask those owners for a plan and evidence of progress - not a hope.
Related
- Data vs. Information vs. Knowledge vs. Wisdom for why cybersecurity protects data but infosec protects information
- Confidentiality, Integrity, and Availability for the triad that underpins all three disciplines