Why Information Security and Privacy aren't the same

Commonly, when people think of Information Security, they automatically think about Privacy, but if both had the same meaning, we should be able to refer to both with the same term, shouldn't we?

So let’s understand the difference between these two significant words.

TL;DR The main concept to understand is that Privacy is the goal and Information Security is the way to achieve it.

In the past, #Privacy used to refer to a place or physical area where you could be alone without anyone being able to see or hear you. Over the last decade, this narrow concept of privacy has changed. Nowadays it refers to an intangible concept that represents the way your private information is handled (stored, processed, shared, etc.). We are witnessing a rapid evolution in laws and regulations which give effect to this new concept of privacy and what it means to protect it.
Consequently, in the past 5 years, most countries drafted and published new privacy legislation, while recognizing that the existing legal framework is inadequate. A well-known example of such new legislation is the #GDPR (General Data Protection Regulation) enacted by the EU commission as of the beginning of May 2018 and, more recently, the #CCPA (California Consumer Privacy Act), which is expected to be in full effect by July 2020.
The technology evolution of recent years has turned us from consumers of products and services into the product itself! This means that for many internet-based services and products (such as Google, LinkedIn, etc.), without our continued usage and sharing of our personal information, the service would be worthless.

Therefore, it is important that we bear in mind that as we share more personal information, our right to privacy is at greater RISK.
The fundamentals of risk assessment and management include risk calculation and mitigation (I'll have a full post about risk later on). The method of privacy risk assessment is to calculate the risk of your personal information being misused, leaked or used in a way or for a purpose that you have not agreed to (the potential damage), and to evaluate the probability of that damage occurring. Based on the risk assessment result, you should create a plan to mitigate this risk.

Here is where Information Security enters the picture. In order to mitigate a privacy risk, we use security controls.

For example, in order to mitigate a data leakage risk, we can use encryption or access controls.
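As an added illustration of the risk calculation and mitigation plan described above (this code is not from the original post), the following Python models a privacy risk as potential damage times probability, applies security controls such as encryption and access control, and builds a mitigation plan until the residual risk is within an assumed risk appetite. The 1-to-5 damage scale, the control factors and the sample asset are constructed values.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    """A security control and how it changes a risk (factors are constructed values)."""
    name: str
    principle: str             # CIA principle the control mainly supports
    damage_factor: float       # multiplier on potential damage once applied (1.0 = unchanged)
    probability_factor: float  # multiplier on probability once applied (1.0 = unchanged)


def risk_score(damage: float, probability: float, controls=()) -> float:
    """Risk = potential damage x probability, after every applied control."""
    for c in controls:
        damage *= c.damage_factor
        probability *= c.probability_factor
    return damage * probability


@dataclass
class PrivacyRisk:
    """One way personal information could be misused, leaked or used for an unagreed purpose."""
    asset: str
    scenario: str
    damage: float       # potential damage on an assumed 1 (minor) .. 5 (severe) scale
    probability: float  # estimated probability of the damage occurring, 0.0 .. 1.0
    controls: list = field(default_factory=list)

    def residual(self) -> float:
        return risk_score(self.damage, self.probability, self.controls)


def plan_mitigation(risk: PrivacyRisk, candidates: list, appetite: float) -> list:
    """Mitigation plan: repeatedly add the control that cuts residual risk the most,
    until the risk is within appetite or no candidates remain. Returns control names."""
    remaining = list(candidates)
    while risk.residual() > appetite and remaining:
        best = min(remaining, key=lambda c: risk_score(risk.damage, risk.probability, risk.controls + [c]))
        risk.controls.append(best)
        remaining.remove(best)
    return [c.name for c in risk.controls]


# Constructed controls: encryption shrinks the damage of a leak (the data is unreadable),
# access control shrinks the probability that the leak happens at all.
ENCRYPTION = Control("encryption at rest", "confidentiality", 0.2, 1.0)
ACCESS_CONTROL = Control("role-based access control", "confidentiality", 1.0, 0.4)


def leakage_example(appetite: float) -> tuple:
    """The data-leakage case from the post, with a constructed asset and scores."""
    risk = PrivacyRisk("customer e-mail list", "data leakage via stolen backup", 5, 0.4)
    plan = plan_mitigation(risk, [ENCRYPTION, ACCESS_CONTROL], appetite)
    return plan, round(risk.residual(), 4)


if __name__ == "__main__":
    print(leakage_example(0.5))  # (['encryption at rest'], 0.4)
    print(leakage_example(0.2))  # (['encryption at rest', 'role-based access control'], 0.16)
```

A lower risk appetite pulls in more controls; the inherent risk here is 5 x 0.4 = 2.0 before any control is applied.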

Information Security is a methodology used and practiced to maintain the principles of Confidentiality, Integrity and Availability (CIA) across the business processes in your organization; one of those processes is privacy.

To be impactful, an Information Security professional should have a deep understanding of the technology on the one hand and the business on the other. In this way the information security professional can lead and guide the other departments in the organization on how to properly secure their business information assets.