Information security and privacy

In elementary school you probably learned about the paradox of squares and rectangles: all squares are rectangles but not all rectangles are squares. The same can be said about information security and privacy. While your privacy is maintained by good information security practices, information security is about much more than just privacy protection.

By definition information security, often shortened to "infosec" among industry professionals, is "the practice, policies and principles to protect digital data and other kinds of information."¹

Privacy, broadly speaking, is defined as "the quality or state of being apart from observation" or "freedom from unauthorized intrusion."² Data privacy, which is typically the form of privacy being referred to in the context of information technology (IT), is an area of data protection that concerns the appropriate managing of sensitive information including confidential personal information, business data, financial information and more.³

How do information security and privacy work together and how do each of these topics come into play in IT and cybersecurity? For the most part, and for this blog, these two concepts will center on data security and data protection. Let's dig in.

What's the difference between information security and privacy?

Practically every time you download a mobile app or make an account on a website you're asked to agree to a privacy policy. These privacy policies might include permissions for the company to sell some of your personal information, which would diminish your privacy protection, but they likely also promise to keep your information stored securely within their own servers. To understand how these two concepts relate to each other, consider this: the more your privacy is compromised (i.e., the further your consumer data and other sensitive data is spread among different apps and the more it is shared to third-party companies), the more at-risk you are for a lack of information security that could lead to issues like credit card theft, a stolen identity and exposure of other sensitive data and other security breaches.

Data privacy very often is put in place by governance and takes the shape of laws, policies and guidelines. For example, the United Kingdom's Data Protection Act 2018 requires organizations, including the government, to abide by certain rules to ensure data privacy. The Act mandates that citizen's information is:⁴

• Used fairly, lawfully and transparently
• Used for specified, explicit purposes
• Used in a way that is adequate, relevant and limited to only what is necessary
• Accurate and, where necessary, kept up to date
• Kept for no longer than is necessary
• Handled in a way that ensures appropriate security, including protection against unlawful or unauthorized processing, access, loss, destruction or damage

As you can glean from the UK act, information security and privacy are used in concert for data protection. To get a better idea of the relationship between the two, review the security measures categorized into each concept.

Examples of data security:

• Encrypting information
• Using passwords and two-factor authentication
• Firewalls
• Monitoring security threats

Examples of data privacy:

• Policies and guidelines regarding the handling of data
• Only collecting necessary data
• Ensuring data is only accessible to approved parties
• Using screen shields so that others around you can't see the information on your screen

Information security and privacy in cybersecurity

No matter what field you work in, cybersecurity will be a top concern to protect organizational data. Of course, in some industries like health and finance, there are pretty enormous consequences to security incidents but there's also been increased attention on how retail businesses, software and social media companies handle data privacy and protection. Consider the Cambridge Analytica scandal where millions of Facebook users had their personal data shared without consent to aide in political campaigns of conservative candidates in the 2016 election.⁵ While that is more of an example of poor data privacy than information security, it's illustrative of the dangers of poor data handling.

If you study cybersecurity you'll want to learn both the principles of data privacy and how to responsibly handle the data your organization collects but you'll also learn the security side including: how to secure systems, protect customer records and intellectual property from data breaches and how to put in place technical safeguards that fortify your organization's ability to thwart attacks. Having a solid understanding of how both sides of the security equation works make you a stronger security expert and improve the policies and techniques of your organization.

Consider the various jobs in cybersecurity. Engineers are needed to plan and implement the security infrastructure or a business. An organization also might need researchers or analysts to stay on top of the latest trends in cyber attacks and malware. Additionally a business might have someone responsible for educating non-technical employees on privacy and security measures. But you could also become an expert in testing a business's security measures as a penetration tester who performs simulated cyberattacks on a company's computer networks looking for vulnerabilities and advising on how to prevent real security breaches. When it comes to cybersecurity, privacy and security are both critical components.

Master the skills to protect your organization from information security and privacy threats

Build an arsenal of the most useful information technology skills in Marquette's online Master of Science in Computer and Information Science (CIS). Marquette's online CIS offers an Information Assurance and Cyber Defense (IACD) specialization that's earned the university the designation as an Academic Center of Excellence by the National Security Agency (NSA) and the Department of Homeland Security (DHS). This special designation, which recognizes universities with in-depth cybersecurity curriculum and leadership, provides Marquette students the opportunity to apply for more than $30,000 in scholarship funds from the Department of Defense. Additionally, Marquette's CIS program offers a career-changer pathway for those entering the profession from another field and features a wide array of courses to choose from allowing students to tailor their degree to their career goals and interests. If you're ready to take your career to the next level, schedule a call with an Admissions Advisor to learn more about the program.