Security Without Privacy? Why It Doesn’t Work

Security and privacy are often lumped together, but they require distinct expertise. While cybersecurity protects data from breaches, privacy governs how data is collected, used, and shared. Treating them as interchangeable creates compliance gaps and security risks. This article breaks down why businesses need both—and why boards must prioritize privacy funding as much as security.

In my 25+ years as a cybersecurity professional, I’ve seen firsthand how security and privacy get confused with one another. One phrase that has always bothered me is: “You can’t have privacy without security, but you can have security without privacy.” Let’s take a step back and look at why that framing doesn’t quite hold up, and why these two concepts should not be lumped together. According to ISACA’s State of Privacy 2025 report, 12% of organizations have experienced a privacy breach in the last year, and despite the growing threats, 43% of organizations report that their privacy budget is underfunded. This underlines the significant gap in attention and investment when it comes to privacy, with many still treating it as an afterthought instead of the separate, specialized function it needs to be.

Understanding the Core Differences

Security is about protecting systems, data, and networks from unauthorized access, modification, and disruption. It’s the foundation: the firewalls, encryption, access control, and protocols that keep data safe from cyberattacks and breaches. Security measures safeguard sensitive information by ensuring that only authorized people and systems can reach it, and that it is protected from tampering and theft.

Privacy, on the other hand, concerns the rules, both legal and ethical, for how personal data is collected, used, and shared. It’s about consent and control: ensuring individuals know how their data will be handled, that it is used only for the purposes they agreed to, that they can access what is held about them, and, crucially, that they can request its deletion. Privacy ensures compliance with laws such as the GDPR and CCPA, and it covers the governance side of data protection.

While both are essential, they serve different purposes.
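To make the distinction concrete, here is a small added example (not code from the original post) that models the two layers separately. The security layer is a role-based permission check on who may read a record; the privacy layer checks the purpose the data subject consented to and honours an erasure request. Every role, purpose, and record is a hypothetical, constructed sample. The point it demonstrates is the one above: an access that fully passes the security check can still be a privacy violation.

```python
"""Toy model showing that a security control (who may read a record) and a
privacy control (for which purpose, and only until the subject withdraws or
asks for erasure) are enforced independently. This is an added illustration,
not code from the original post; every role, purpose and record below is a
hypothetical, constructed example."""
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    ALLOWED = "allowed"
    NOT_FOUND = "denied: no such data subject"
    DENIED_UNAUTHORIZED = "denied: actor lacks read permission"      # security
    DENIED_NO_CONSENT = "denied: no consent for this purpose"        # privacy
    DENIED_ERASED = "denied: subject exercised right to erasure"     # privacy


# Security layer: role-based permissions (hypothetical RBAC table).
ROLE_PERMISSIONS = {
    "support_agent": {"read"},
    "marketing_analyst": {"read"},
}

PRIVACY_DENIALS = {Outcome.DENIED_NO_CONSENT, Outcome.DENIED_ERASED}


@dataclass
class Record:
    data: dict
    # Privacy layer: purposes the subject consented to at collection time.
    consented_purposes: set = field(default_factory=set)
    erased: bool = False


class PersonalDataStore:
    def __init__(self):
        self._records = {}   # subject id -> Record
        self.audit = []      # (actor_role, subject, purpose, Outcome)

    def collect(self, subject, data, purposes):
        """Store personal data together with the purposes it was collected for."""
        self._records[subject] = Record(dict(data), set(purposes))

    def withdraw_consent(self, subject, purpose):
        rec = self._records.get(subject)
        if rec is not None:
            rec.consented_purposes.discard(purpose)

    def erase(self, subject):
        """Honour a deletion request: wipe the data but keep a tombstone so
        later access attempts are logged as a privacy denial."""
        rec = self._records.get(subject)
        if rec is not None:
            rec.data.clear()
            rec.consented_purposes.clear()
            rec.erased = True

    def access(self, actor_role, subject, purpose):
        """Return (outcome, data). The security check runs first; passing it
        says nothing about whether the privacy checks will pass."""
        rec = self._records.get(subject)
        if "read" not in ROLE_PERMISSIONS.get(actor_role, set()):
            outcome = Outcome.DENIED_UNAUTHORIZED
        elif rec is None:
            outcome = Outcome.NOT_FOUND
        elif rec.erased:
            outcome = Outcome.DENIED_ERASED
        elif purpose not in rec.consented_purposes:
            outcome = Outcome.DENIED_NO_CONSENT
        else:
            outcome = Outcome.ALLOWED
        self.audit.append((actor_role, subject, purpose, outcome))
        return outcome, (dict(rec.data) if outcome is Outcome.ALLOWED else None)

    def privacy_incidents(self):
        """Accesses that cleared the security layer but were stopped by the
        privacy layer: the cases a purely security-minded review would miss."""
        return [e for e in self.audit if e[3] in PRIVACY_DENIALS]


def demo():
    store = PersonalDataStore()
    # Constructed sample subject: data collected for order fulfilment only.
    store.collect("alice@example.com", {"address": "1 Main St"}, {"order_fulfilment"})
    outcomes = [
        # Authorised actor, consented purpose: both layers pass.
        store.access("support_agent", "alice@example.com", "order_fulfilment")[0],
        # Authorised actor (security passes) but an unconsented purpose: privacy fails.
        store.access("marketing_analyst", "alice@example.com", "marketing")[0],
        # Unknown role: stopped by the security layer before privacy is considered.
        store.access("guest", "alice@example.com", "order_fulfilment")[0],
    ]
    store.erase("alice@example.com")
    # Same authorised actor and purpose as the first call, now refused.
    outcomes.append(store.access("support_agent", "alice@example.com", "order_fulfilment")[0])
    return outcomes, store


if __name__ == "__main__":
    results, store = demo()
    for o in results:
        print(o.value)
    print(f"{len(store.privacy_incidents())} privacy denial(s) that security alone would have allowed")
```

The second and fourth calls in `demo()` are the interesting ones: the actor is fully authorised, so nothing in the security layer objects, yet the request is refused because the purpose was never consented to, or because the subject asked for erasure. Those are exactly the events a privacy function owns and a security team, looking only at authentication and authorisation, would not see as failures.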

The Problem with Treating Them as the Same

Too often, people treat privacy and security as interchangeable, but this is where the confusion begins. Cybersecurity professionals are trained to build robust systems that prevent unauthorized access and secure data. However, privacy is not just a technical concern—it’s deeply intertwined with legal and ethical considerations. Privacy laws are complex, and maintaining compliance requires specialized expertise that goes beyond what a typical security team offers.

In my experience, having worked alongside hundreds of professionals who tried to do both, privacy requires a different set of skills—the kind typically found in privacy officers, compliance teams, and legal professionals. While a cybersecurity professional can secure a system, it’s the privacy expert who ensures the data is being used in accordance with the rights of individuals and legal frameworks.

Why Cybersecurity Isn’t Enough

The truth is, you can’t expect a security professional to take on the full scope of privacy management. A Chief Information Security Officer (CISO) might manage risks related to security, but they aren’t usually equipped to handle the intricate details of data governance or privacy law. While the CISO works to ensure that data stays secure, they don’t always have the expertise to navigate the complex legal landscape of data subject rights, consent management, or regulatory compliance—elements central to privacy.

Even if a company offers both security and privacy services, they are still distinct areas of expertise that deserve their own attention. Privacy and security must complement each other, but they shouldn’t be treated as interchangeable responsibilities. Just as you wouldn’t expect a privacy officer to manage a firewall, you shouldn’t expect your security team to ensure compliance with data protection laws.

The Power of Collaboration

Security and privacy can and should work together, and that requires a deliberately collaborative approach. A CISO should be partnering with a Chief Privacy Officer (CPO) or Data Protection Officer (DPO) to ensure both sides are covered. Cybersecurity experts are best equipped to protect against threats and breaches, while privacy experts ensure that data is being handled ethically, legally, and with respect for individuals’ rights.

Together, these professionals create a holistic strategy that both secures the data and ensures its proper use. But these roles should not be expected to cross over. It’s not about one replacing the other, but about collaborating effectively to create a comprehensive approach to data protection.

The Board’s Role in Prioritizing Privacy and Security

It’s clear that both privacy and security need to be prioritized at the highest levels of an organization. According to ISACA’s State of Privacy 2025 report, 43% of organizations report that their privacy budget is underfunded—a situation that boards of directors must address. If boards aren’t giving privacy the same level of attention and funding as security, it’s no wonder that data protection is falling short in many organizations.

Boards of directors must recognize that while security protects against breaches, privacy is about ensuring compliance with data protection laws and the ethical use of personal data. A failure to properly prioritize both leads to significant risks, not only legally and financially but also in terms of reputation. With 12% of organizations reporting a privacy breach in the last year, and with data subject rights becoming more of a focus in global regulations, boards must treat privacy as a critical part of their governance strategy.

Sidenote: Is Privacy Even Possible Anymore?

With billions of personal records exposed globally in 2023, our data is practically up for grabs. If your information isn’t already floating around the dark web, it’s only a matter of time.

Sources: Infosecurity Magazine, MarketWatch

What do you think? Is privacy still possible in a world of constant data breaches? 🔒💻

A Little Reality Check

Here’s the truth no one wants to admit: you can have top-notch security without privacy—but try to have privacy without security, and it’s like putting a lock on an open window. Sure, it looks secure, but it’s still wide open for anyone to sneak through.

So why are we still pretending that security and privacy are two sides of the same coin? Security teams are great at keeping the bad guys out, but asking them to manage privacy is like asking a plumber to fix your car. It doesn’t work. Privacy needs specialists, not just someone who can run a firewall and call it a day.

It’s time to stop pretending these roles overlap so well and start recognizing that a privacy officer and a CISO should be in separate lanes, even if they occasionally swap stories at the water cooler. But, hey, maybe I’m wrong. What do you think? Is it time to call it like it is, or do we keep forcing the square peg into the round hole?

Let the debate begin.

Discover more from Stasiak
