The Marriage of Security and Privacy

We’ve spent years treating security and privacy like two different departments that occasionally pass each other in the hallway. Security was the "lock" on the door; privacy was the "rule" about who got to see what was inside. But as we’ve argued before, cybersecurity is strategic, and a strategy that treats these as separate silos is a strategy built to fail.


In today’s regulatory environment, you can’t have one without the other. They don’t just complement each other—they fit like a glove.


A Brief History of the "Wall"

In the early days of IT, security controls were purely technical. It was all about the "CIA Triad": Confidentiality, Integrity, and Availability. We focused on firewalls and passwords to keep the "bad guys" out. Privacy, meanwhile, was often relegated to the legal team. It was seen as a compliance hurdle: fine print in a footer or a policy tucked away in a drawer.


As data became the lifeblood of the modern enterprise, that wall started to crumble. We realized that you could have the most secure vault in the world, but if your internal processes allowed you to over-collect and mishandle customer data, you’ve still failed. Conversely, you can have the best privacy policy ever written, but if your security is weak and that data leaks, your policy isn't worth the paper it’s printed on.


The NIST Evolution: 800-53 Revision 5

The industry finally caught up to this reality with the release of NIST Special Publication 800-53, Revision 5 (Security and Privacy Controls for Information Systems and Organizations, published in 2020). For the uninitiated, NIST 800-53 is the "gold standard" catalog of controls: federal systems are required to implement it, and many private-sector frameworks borrow from it.


In Revision 4, privacy controls lived in a separate catalog, Appendix J, with its own control families, and were largely handled by the privacy office rather than the security program. Revision 5 changed the game by retiring that appendix and merging security and privacy into a single, unified control catalog. This wasn't just a clerical update; it was a strategic shift. By integrating these controls, NIST acknowledged that privacy is a fundamental component of information security. Whether you are encrypting a drive (Security) or limiting who can access a Social Security number (Privacy), you are performing a single, unified act of data stewardship.


Why does this matter?

Because clinging to separate frameworks creates unnecessary friction, inflates costs, and—most critically—leaves dangerous gaps in your defenses. Attackers don't distinguish between a "security breach" and a "privacy violation"—they exploit whatever weakness gets them the data. When security and privacy operate in silos, those weaknesses multiply.


SP 800-53 Revision 5 eliminates that divide. By merging privacy into the core control catalog, adding a dedicated family for Personally Identifiable Information Processing and Transparency (PT), and weaving privacy requirements into existing families such as Incident Response, it transforms what was once an appendix into a single, unified framework. Privacy is no longer an add-on or a compliance checkbox; it's embedded as a fundamental aspect of effective data protection.


The result?

Organizations can streamline compliance, reduce duplication, and build more resilient programs that address both threats and regulatory realities in one cohesive strategy. In today's world—where data is the ultimate target, regulations like GDPR, CCPA, and emerging laws demand accountability, and breaches routinely destroy trust—treating security and privacy as separate departments isn't just outdated. It's reckless.

The wall has come down.

The future of cybersecurity belongs to those who embrace the integration, not resist it. It's time to stop passing each other in the hallway and start working as one team—because when security and privacy finally fit like a glove, your organization doesn't just comply; it thrives.

Kevin Robinson, CISSP, DDN.QTE, Associate C|CISO, is Head of Cybersecurity Services for The Commonwealth Group. He has a 20-year career in cybersecurity, risk assessment, intelligence and counterintelligence. His previous employers include Thornburg Investment Management, Los Alamos National Laboratory, L3Harris, and the Central Intelligence Agency.
