
Mar 10, 2025
In an era dominated by data-driven decision-making, digital primacy, and evolving threats, cybersecurity and privacy have both become foundational concerns for most organizations. While these concepts are often discussed together, they are distinct yet interconnected disciplines with unique objectives.
Can one exist without the other? If so, which? Let’s explore their relationship and whether an organization can truly achieve one without the other.
Defining cybersecurity and privacy
Before analyzing their alignment, it is important to establish clear definitions:
- Cybersecurity refers to the practice or discipline of protecting systems, networks, and data from cyber threats, including malware (which includes ransomware), phishing, and insider threats. It encompasses administrative measures like policies and governance programs as well as technical measures like encryption, firewalls, identity and access management (IAM), and security frameworks.
- Privacy is the right of individuals to control how their personal data is collected, used, stored, and shared. It is governed and driven by regulations including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other international data protection laws.
I suggest that cybersecurity is the more technical discipline, focusing on preventing unauthorized access and mitigating risks, whereas privacy is more governance-oriented, focusing on policies, ethical considerations, and legal compliance.
Privacy is enabled by cybersecurity
One of the clearest relationships between cybersecurity and privacy is cybersecurity as a foundation for privacy. Without strong cybersecurity, privacy protections are meaningless (or just unachievable). Here’s why:
- Data protection requires security controls – Privacy regulations mandate personal data protection, yet without cybersecurity mechanisms like encryption, access controls (e.g., least privilege and data authorization), and secure storage, privacy policies fail.
- Breach prevention protects personal information – If an organization does not implement cybersecurity best practices, sensitive personal data can (and will) be exposed through breaches, undermining users’ privacy and violating at least a couple of the seven GDPR principles.
- Confidentiality is core to both disciplines – The CIA Triad (confidentiality, integrity, availability) is a guiding framework for cybersecurity, and confidentiality supports privacy. If confidentiality is breached, privacy is compromised.
Cybersecurity acts as the technical enabler of privacy, ensuring data remains protected from unauthorized access and misuse. In fact, one might say it’s security controls that make complying with privacy regulations like the right to be forgotten or a data subject access request (DSAR) possible. Without security safeguards, businesses couldn’t comply (certainly not quickly) with such requests.
Is cybersecurity enabled by privacy?
While cybersecurity clearly supports privacy, does the inverse hold true? Can privacy drive better cybersecurity? The answer, in my opinion, is more nuanced, as I believe things can be secure yet not private. Paintings in a museum are secure, yet visible to the public. A locked window may be secure, but without drapes or blinds it offers no privacy. Is the same true for data or organizations?
Privacy as a driver for security investment
There is a saying among cyber professionals that “compliance doesn’t equal security.” While I agree in principle, I like to remind those who say it that compliance generally gets funded even when security doesn’t. Because privacy is now required and regulated, privacy is funded. Any organization wishing to do business with an EU-based entity needs a privacy program.
Regulations and consumer expectations have therefore forced organizations to improve security controls. GDPR, for example, mandates "appropriate technical and organizational measures" to protect personal data. This has increased adoption of encryption, data minimization, and secure data storage practices—all of which enhance overall cybersecurity, courtesy of privacy.
‘Privacy by design’ enhances security
The concept of privacy by design encourages organizations to embed privacy into systems and processes with security best practices like:
- Data minimization – reducing attack surface and blast radius
- Strong access controls – limiting exposure to sensitive data
- User awareness – ensuring employees understand risks and compliance requirements
Privacy compliance improves cyber hygiene
Privacy regulations often require:
- Regular risk assessments – risk assessments or privacy impact assessments help involve cyber professionals in business decisions
- Incident response (IR) plans – including privacy in IR plans helps organizations to consider additional stakeholders like legal or privacy teams that may need to be involved in planning
- Data encryption and anonymization – privacy can provide a stronger justification for these cyber best practices than it "being the right thing to do"
These measures not only protect privacy but also strengthen security postures by ensuring organizations proactively address risks. However, privacy does not directly enable cybersecurity in the same way that cybersecurity enables privacy. While privacy laws and principles encourage good security practices, they do not replace the need for a strong cybersecurity strategy.
Are cybersecurity and privacy mutually exclusive?
At first glance, cybersecurity and privacy might seem to be at odds, and in practice some security practices, such as extensive monitoring, logging, and data retention, do conflict with privacy goals.
Consider the following:
- Intrusion detection vs. user privacy – Security teams use intrusion detection systems (IDS) and/or behavioral analytics to identify threats. These tools require collecting and analyzing user activity, which can conflict with privacy regulations limiting excessive data collection. It’s not uncommon to be asked if this type of control violates privacy by profiling individuals. It should not. These solutions look to identify malicious behavior or known bad signatures, not build profiles of users’ benign behavior.
- Incident response vs. data minimization – Privacy advocates promote data minimization, but cybersecurity professionals may argue that retaining logs and records is necessary for forensic analysis after a security incident. When asking cyber professionals what logs they need and for how long, it is not uncommon to hear "all the logs and for as long as possible." Of course, not everything can be kept, and not everything has value, especially the longer it is retained.
- Employee monitoring vs. workforce privacy – Many organizations use endpoint detection and response (EDR) tools to monitor for malicious activity and insider threats. However, excessive surveillance can violate employee privacy rights and lead to legal challenges. The same could be said of CCTV (closed-circuit television), yet it has proven useful not just for cybersecurity teams but also for health and safety.
While cybersecurity and privacy are closely aligned, they require careful balancing. Security measures must be designed in a way that protects users without infringing on their rights. Users must also be aware of the security controls and understand why they are implemented, lest they try to evade them.
Can one exist without the other?
You could, in theory, have cybersecurity without privacy or privacy without cybersecurity, but neither would be as effective:
- Cybersecurity without privacy – A company can have a strong security posture—firewalls, encryption, and threat detection—while still mishandling personal data. If data is sold without consent or used for invasive tracking, privacy is compromised despite a robust and secure infrastructure.
- Privacy without cybersecurity – Privacy policies and compliance efforts are meaningless if there are no security measures in place to monitor and enforce them. An organization can have the best privacy policies on paper, but if they lack proper security controls, sensitive data is still at risk.
In reality, neither cybersecurity nor privacy can fully function without the other. Privacy is the purpose, and cybersecurity is the mechanism that ensures it.
Balancing cybersecurity and privacy
To effectively align cybersecurity and privacy, organizations should adopt an integrated strategy:
- Implement privacy-enhancing technologies (PETs) – Use encryption to protect sensitive data while preserving privacy and deploy anonymization and pseudonymization to reduce privacy risks.
- Ensure security teams understand privacy regulations – Security professionals should be well-versed in GDPR, CCPA, and other country-specific laws where their organizations operate. Regular training can help bridge the gap between compliance and security while fostering mutual respect between the disciplines.
- Adopt privacy by design in security strategies – Encouraging cyber and privacy to consider their counterparts requires intentionality and takes time. But practices like building access controls that respect user preferences and minimizing data collection where possible benefit both teams. An example might be discussions on how to balance security and privacy when conducting SSL inspection.
- Balance security monitoring with privacy considerations – Use data anonymization (or at least pseudonymization or tokenization) when possible while performing behavioral analytics. Implement transparent policies and awareness campaigns about employee and even customer data monitoring to be proactive about user privacy.
- Make privacy and security shared responsibilities – Collaboration between security, legal (where many privacy teams sit), compliance, and technology teams is essential. Privacy and security should not operate in silos but work together toward shared goals.
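The recommendation above to pseudonymize identities before behavioral analytics, combined with the earlier point that not every log field needs to be kept, can be made concrete. The following is an added example (not code from the original post): it strips fields the detection does not need, replaces the user identifier with a keyed HMAC token so events can still be correlated per user, and runs a simple failed-login threshold over constructed sample log lines. The key name, field names and threshold are assumptions for the demo.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample log records for the demo; not taken from any real system.
RAW_LOGS = [
    {"ts": "2025-03-10T09:00:01Z", "user": "alice@example.com", "src_ip": "203.0.113.10",
     "event": "login_failed", "user_agent": "Mozilla/5.0 (demo)"},
    {"ts": "2025-03-10T09:00:07Z", "user": "alice@example.com", "src_ip": "203.0.113.10",
     "event": "login_failed", "user_agent": "Mozilla/5.0 (demo)"},
    {"ts": "2025-03-10T09:00:12Z", "user": "Alice@Example.com", "src_ip": "203.0.113.10",
     "event": "login_failed", "user_agent": "Mozilla/5.0 (demo)"},
    {"ts": "2025-03-10T09:01:30Z", "user": "bob@example.com", "src_ip": "198.51.100.7",
     "event": "login_failed", "user_agent": "curl/8.0 (demo)"},
    {"ts": "2025-03-10T09:02:00Z", "user": "bob@example.com", "src_ip": "198.51.100.7",
     "event": "login_ok", "user_agent": "curl/8.0 (demo)"},
]

# Assumed secret. In practice the privacy or legal team holds it separately from the
# analytics pipeline, so analysts see tokens but cannot re-identify users on their own.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"

# Data minimization: only the fields the detection logic needs survive.
KEEP_FIELDS = ("ts", "event", "src_ip")
# Fields that identify a person and are replaced by a token. (Whether src_ip should
# also be treated as personal data depends on the organization's privacy assessment.)
IDENTITY_FIELDS = ("user",)


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: the same user always maps to the same token, so per-user
    correlation still works, but without the key the token cannot be reversed
    (a plain unkeyed hash could be matched against a list of known addresses)."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def minimize(record: dict) -> dict:
    """Drop everything not in KEEP_FIELDS and tokenize identity fields."""
    out = {k: record[k] for k in KEEP_FIELDS if k in record}
    for field in IDENTITY_FIELDS:
        if field in record:
            out[field + "_pseudo"] = pseudonymize(record[field])
    return out


def flag_brute_force(records: list, threshold: int = 3) -> list:
    """Return pseudonyms with at least `threshold` failed logins; works on tokens only."""
    counts = Counter(r["user_pseudo"] for r in records if r["event"] == "login_failed")
    return sorted(p for p, n in counts.items() if n >= threshold)


def analyze(raw_logs: list = RAW_LOGS, threshold: int = 3) -> tuple:
    minimized = [minimize(r) for r in raw_logs]
    return minimized, flag_brute_force(minimized, threshold)
```

Re-identifying a flagged token during incident response is then an explicit, logged step performed by whoever holds the key, rather than something every analyst can do by reading the logs.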
Conclusion
Cybersecurity and privacy are deeply related but distinct. Privacy relies on cybersecurity protections, while cybersecurity benefits from privacy-driven regulations that promote better security practices. However, they are not always in perfect harmony—security measures can infringe on privacy, and privacy policies can limit security operations.
Ultimately, achieving a balance between cybersecurity and privacy requires thoughtful policies, strategic investments, and cross-functional collaboration. By integrating privacy principles into security strategies and ensuring security measures support privacy goals, organizations can build a digital ecosystem that protects both their assets and their users’ rights.