Data or Information??

Yesterday I had a conversation with a friend and the topic led to the label “data security” versus “information security” and which one I prefer. For me, it’s not so much a preference as it is a scope of work or definition of what it is I’m responsible for protecting. I couched my answer in this way.

Here are five numbers: 63, 71, 88, 92, 98. Take these numbers and place them in order of best to worst. Many would assume the highest number is the best. What if I put them in the context of golf scores? Oops. Does it change the order? The numbers are merely data; the context turns those numbers into information.

From a security point of view, the same philosophy applies. Is there an obligation to protect a series of 9 digits or an obligation to protect social security numbers? Does PCI apply to credit card numbers or any series of 16 digits? Unless data is placed into context, how are we to know exactly what regulations apply, assign value, or interpret threat? We can’t protect PII if we don’t know what it is.

So, for me, the answer is simple.  Data security is protecting a series of numbers and letters which doesn’t add much value to an organization.  Information security protects data that has been put into meaningful context.  I know which arena I play in.  How about you?
