30 years ago, privacy, security, and risk management were rarely used in the same sentence. 20 years ago, as technology began to grow exponentially, industry experts began to publicize the relationship between them. The terms once deemed distant cousins are now interconnected and foundational elements of information and operational assurance.
Let’s take a deeper look at what each term entails and how they impact each other.
What is security?
The National Institute of Standards and Technology (NIST) defines security as, “freedom from those conditions that can cause loss of assets with unacceptable consequences.” Simply put, security is the controls an organization has in place to protect information from unauthorized access.
What is privacy?
Privacy is personal. Privacy is defined by the European Data Protection Supervisor as the “ability of an individual to be left alone, out of public view, and in control of information about oneself.” Regardless of how privacy is defined, the greatest impact on an individual occurs when privacy is interpreted by governments and organizations collecting data.
Theoretically, individuals should have the right to be the gatekeepers of their personal information. However, this isn’t always the case. As a result, new or amended privacy laws are popping up like daisies all over the world highlighting where personal information is collected, processed, and stored. Having said that, the question becomes, how is this information protected? The answer? Security.
How are security and privacy related?
Privacy laws require companies to keep personal information safe through security. If organizations collect, process, and store personal data, then privacy and security go hand-in-hand. Let’s walk through some scenarios:
First, online shopping. When a consumer shops online and they enter personal information, they assume it will be protected. At minimum, a consumer enters their first and last name, phone number, home and shipping address, email address and credit card information at the time of purchase. By law, organizations must protect the consumer’s personal information from being maliciously or accidentally exposed once they have access to the data.
An organization puts itself at serious risk by not protecting consumer privacy. Not only are there harsh fines for companies who neglect security, but the loss of consumer confidence can easily tank sales and put a company out of business.
The second scenario: a doctor’s office visit. In addition to the names, addresses, credit card information, etc. of its patients, a doctor’s office will also have their social security numbers and all of their personal health information on file. For this reason the health care industry has some of the strictest privacy and security regulations of any industry, and the fines to match.
In these two examples it is not a privacy vs. security discussion; it is clear why the relationship between privacy and security within organizations needs to be a strong one. And while privacy and security focus on protecting the crown jewels, risk management proactively looks at the strengths and weaknesses of a security program and identifies where vulnerabilities may exist.
What is risk management?
Risk management is the process of identifying, assessing, and controlling risks arising from operational factors, then making decisions that balance risk costs with mission benefits. And how does risk management blend with privacy and security?
Simply put, security provides the tools and mechanisms; privacy defines the rules and guidelines regarding personal data; and risk management offers the overarching strategy and framework that informs and integrates security and privacy efforts.
How are risk management and security related?
Risk management informs security by identifying which assets need protection, the threats against those assets, and the vulnerabilities that could be exploited. Once risks are identified and evaluated, security controls can be chosen to treat those risks.
How are risk management and privacy related?
Risk management in a privacy context involves assessing potential breaches of personal data, understanding the implications of data misuse, and ensuring compliance with privacy regulations. This ensures that the organization respects the rights of individuals while reducing potential liabilities and maintaining its reputation.
All three, security, privacy, and risk management, are crucial for organizations in the digital age to maintain trust, ensure operational continuity, and comply with evolving regulations.
Privacy vs Security vs Risk Management – How are we Doing?
I would love to paint a picture that organizations are reacting to the closer-than-ever relationship between privacy, security, and risk management with grace, however, that’s not the case.
For years, security has been made a priority within organizations, while privacy has been the “red-headed stepchild” without a dedicated space. In Europe and in other parts of the world, it’s the expectation for organizations to have dedicated privacy resources. However, in the United States, legal, compliance, information security, and governance are just a few of the places where organizations have placed privacy. Often, resources are split across those departments to tackle privacy issues on an ad hoc basis. In this approach privacy is not given the respect it deserves, and that will eventually cause complications.
A frequent question asked as privacy fever strikes the United States is, “Where does an organization start if they haven’t made privacy a priority?” The short answer is to first implement privacy by design:
- Incorporate privacy considerations at the beginning of any project, product, or service design.
- Default settings should be oriented towards privacy, requiring users to opt into data sharing, not out.
Second, it is critical to understand that implementing good privacy requires administrative controls (policies and processes) as well as logical (technical) controls. By devoting time and resources to privacy, an organization can begin to strengthen the relationship between security and privacy. As for strengthening the relationship between all three, consider the following measures:
- Establish a governance structure. Your CISO, CPO, and Risk Management Officer should collaborate regularly, sharing insights and information.
- Third-party risk assessments should consider compliance gaps and privacy risks, in addition to gaps in security controls that leave your organization vulnerable.
- Implement unified training and awareness programs for your staff. The best defense we have is when employees understand their role in maintaining security and privacy and think twice before clicking on a malicious link.
- Implement data-centric security. Use techniques like data masking, encryption, and tokenization to secure sensitive data, and implement strict access controls based on roles and the principle of least privilege.
- Prepare for incident response and management. Have a unified incident response plan that addresses both security breaches and privacy data breaches, and regularly test this plan with simulations or drills.
- Invest in technology and tools that cover risk management, security, and privacy, such as a GRC (governance, risk management, and compliance) platform and third-party risk Exchange.
An organization that treats privacy, security, and risk management as interconnected components of a larger system will be better positioned to address challenges and mitigate threats. Curious how ProcessUnity and CyberGRX work together to provide the most complete third-party risk management platform in the market today? Book a demo now.
Keeping a Step Ahead
Lastly, and perhaps most importantly, stay updated. Regulations and risks evolve constantly—continuously monitoring your third parties and getting alerts when a breach or compliance violation occurs will help you stay ahead of your regulatory and risk landscapes.
Just like the Three Musketeers, fostering a culture of security, privacy, and risk awareness creates a resilient and trust-driven environment. Integrating privacy, security, and risk management ensures that each area reinforces the others, leading to a stronger, more comprehensive approach to safeguarding your data and systems overall.
To learn more about CyberGRX and ProcessUnity and how these tools support your privacy, security and risk management objectives, we invite you to schedule time with our team.
This article was originally published in July, 2019 and was updated in September, 2023.