There is a saying in sociopolitical circles: “politics is downstream from culture.” That same line of thinking poses a question: is information security downstream from data privacy?

In order to tell the difference between security and privacy, and to see how they feed into each other so that you achieve both, we’ll look at the leading framework: the National Institute of Standards and Technology (NIST) Privacy Framework.

Information Security Versus Data Privacy

Why do you secure something? You secure something because you want to keep it private. After all, it’s not exactly like we are in the habit of sharing client data, personally identifiable information, intellectual property or the nuclear codes. All of that should be private. In turn, the rightful owner of the data must secure it. And, that is what makes for an interesting discussion about the difference between cybersecurity and privacy.

Cybersecurity and information security measures are often designed around keeping information safe and available, as a whole. On the other hand, privacy measures tend to be more focused on the processing of personal data and privacy rights.

We may be in the middle of a shift. Laws and frameworks centered around privacy are gaining even greater traction. You could make the argument that much of the shift is a result of protecting the privacy of customer data. For example, a 2019 Pew Research study revealed Americans have data privacy concerns specifically related to the collection and use of their data. Some of the key findings include:

  • Concern about how much data apps collected.
  • Concern that the data being collected is not held as securely as it once was.
  • People feel their online actions are being tracked.
  • Few people know what is being done with the data being collected on them.
  • Most people accept, but do not read, privacy policies.
  • Most people see more risks than benefits from personal data collection.

National Efforts to Increase Privacy

With this shift in public opinion comes an increased focus on privacy and cybersecurity law and protecting personal data. Some examples just over the last couple of years include:

  • The European Union’s General Data Protection Regulation (GDPR) from 2018.
  • The California Consumer Privacy Act (CCPA), which came into full effect in January 2020.
  • More state governments, in places like New York, Maine, Massachusetts, Nevada, Texas and Washington, looking at data privacy legislation, and even talk of legislation at the federal level.

The federal government is even talking, and taking action, in regard to American consumer data, notably the position that mobile app data should be protected and housed within the U.S. due to potential national security concerns. Multiple countries are looking at specific data localization standards in order to protect the data of their citizens and businesses.

It’s almost as if we are entering a Catch-22 situation: as we create and integrate more secure measures, such as biometrics and next-generation authentication, we create a potential privacy nightmare at the same time.

Perhaps the way we avoid that nightmare is to look at what good privacy looks like and then secure that. And a great place to start for how to make a robust privacy program is the NIST Privacy Framework, which was released in early 2020.

Why is the NIST Privacy Framework a Good Example?

The folks over at NIST may have hit another home run after the wildly successful, industry-best-practice NIST Cybersecurity Framework (NIST CSF). Designed to improve privacy through enterprise risk management, the NIST Privacy Framework works much like the NIST CSF, where the core is made up of functions, categories and subcategories. In fact, some categories and subcategories are the same as those in the NIST CSF.

Using both these frameworks in tandem makes for a pretty awesome program for both information security and data privacy.

The core functions of the NIST Privacy Framework are:

  • Identify: Develop the organizational understanding to manage privacy risk for people arising from data processing.
  • Govern: Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.
  • Control: Develop and implement plans to enable groups or people to manage data with sufficient granularity to manage privacy risks.
  • Communicate: Develop and implement plans to enable groups and people to have a reliable understanding of, and engage in a dialogue about, how data are processed and the associated privacy risks.
  • Protect: Develop and implement data processing safeguards.

If you know the NIST CSF at all, you will feel right at home going through the NIST Privacy Framework, even more so if you use the recently updated (September 2020) NIST Special Publication 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations.

Perhaps one of the most helpful tools of the NIST Privacy Framework is the roadmap, which identifies priority areas that describe key challenges and some initial activities.

Why Privacy May Be an Easier Sell than Security

What if we begin to apply that ‘privacy mindset’ to the business as a whole, not just personal data? That could have a profound impact. After all, in many countries, corporations do have some sort of individual rights. In the U.S., for example, the Supreme Court extended some, not all, protections guaranteed to individuals in the Bill of Rights to corporations.

One of the greatest challenges security experts always face is getting people to ‘buy in’ to protection. Putting security downstream from privacy may be one way to get the buy-in you need, precisely because privacy is easier to picture. There’s something more emotive and personal about privacy than the more generic ‘security’ concept. The NIST Privacy Framework addresses issues from that perspective, too. Just a small sample of examples that illustrate that personal nature includes:

  • Categories of people (e.g., customers, employees or prospective employees, consumers).
  • Context (e.g., demographics and privacy interests or perceptions, data sensitivity and/or types, visibility of data processing to users and third parties).
  • Stakeholder privacy preferences.
  • Techniques to limit identification, such as de-identification privacy techniques and tokenization.
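To make the last item concrete, here is an added example (written for this article, not code from NIST or the Privacy Framework) of the two techniques named above. Direct identifiers (name, email) are swapped for random tokens held in a vault, so the only way back to the person is through the vault, which is the component you then protect; quasi-identifiers (ZIP code, age) are generalized so that combinations of them are less likely to single someone out. The records, the `TokenVault` class and the 3-digit-ZIP/decade-bucket rules are all constructed for illustration.

```python
import secrets
from typing import Dict, Iterable, List

# Constructed sample records for this example (fictional people, not real data).
RECORDS: List[dict] = [
    {"name": "Alice Example", "email": "alice@example.com", "zip": "02139", "age": 34, "spend": 120.50},
    {"name": "Bob Sample", "email": "bob@example.org", "zip": "02141", "age": 57, "spend": 88.00},
    {"name": "Alice Example", "email": "alice@example.com", "zip": "02139", "age": 34, "spend": 42.25},
]

# Fields that identify a person on their own (assumed for this example).
DIRECT_IDENTIFIERS = ("name", "email")


class TokenVault:
    """Replaces a sensitive value with a random token and remembers the mapping.

    The token is not derived from the value (no hash, no encryption of it), so it
    reveals nothing about the original. The same input always yields the same token,
    which keeps joins and per-customer counts working on tokenized data. The vault is
    the only way back, so it is the component that gets access control and logging.
    """

    def __init__(self) -> None:
        self._forward: Dict[str, str] = {}
        self._reverse: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = self._forward.get(value)
        if token is None:
            token = "tok_" + secrets.token_hex(8)  # 64 random bits from the OS CSPRNG
            self._forward[value] = token
            self._reverse[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Authorized re-identification. Unknown tokens raise KeyError on purpose."""
        return self._reverse[token]


def tokenize_records(records: List[dict], fields: Iterable[str], vault: TokenVault) -> List[dict]:
    """Return copies of the records with the given direct identifiers tokenized."""
    out = []
    for rec in records:
        copy = dict(rec)
        for field in fields:
            copy[field] = vault.tokenize(str(rec[field]))
        out.append(copy)
    return out


def generalize(record: dict) -> dict:
    """De-identify quasi-identifiers: keep the 3-digit ZIP prefix, bucket age by decade."""
    copy = dict(record)
    copy["zip"] = record["zip"][:3] + "**"
    decade = (record["age"] // 10) * 10
    copy["age"] = f"{decade}-{decade + 9}"
    return copy


def deidentify(records: List[dict], vault: TokenVault) -> List[dict]:
    """Tokenize direct identifiers, then generalize quasi-identifiers."""
    return [generalize(r) for r in tokenize_records(records, DIRECT_IDENTIFIERS, vault)]


def contains_original(records: List[dict], deidentified: List[dict]) -> bool:
    """Release check: True if any original direct identifier leaked into the output."""
    originals = {str(r[f]) for r in records for f in DIRECT_IDENTIFIERS}
    return any(str(v) in originals for rec in deidentified for v in rec.values())


def spend_per_token(deidentified: List[dict]) -> Dict[str, float]:
    """Analytics still work on tokens: total spend per (tokenized) customer email."""
    totals: Dict[str, float] = {}
    for rec in deidentified:
        totals[rec["email"]] = totals.get(rec["email"], 0.0) + rec["spend"]
    return totals


if __name__ == "__main__":
    vault = TokenVault()
    safe = deidentify(RECORDS, vault)
    for rec in safe:
        print(rec)
    print("leak check passed:", not contains_original(RECORDS, safe))
    print("spend per customer token:", spend_per_token(safe))
```

The split matters in practice: the analytics team gets the de-identified records and can still count customers and sum spend per token, while re-identification requires a `detokenize` call against the vault, which is where you enforce authorization and keep the audit trail.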

Next to understanding business operations and being able to speak knowledgeably about them to the decision makers, getting stakeholders to buy in to security through a strong privacy program based on something like the NIST Privacy Framework may be the most important tool in your persuasion arsenal. If ‘security first’ isn’t working for you, try ‘privacy first’ and let security follow.
