
Information vs. Data: The Key to Effective Secure Information Management

Sep 30, 2024
Kasper van Wersch

Introduction

In today’s complex business landscape, data is everywhere, including customer records, transaction logs, sensor readings, and social media metrics. Yet, a critical misunderstanding can lead to poor security practices and misplaced accountability: treating data and information as the same. To achieve secure information management, it’s crucial to understand that these terms have very different meanings. They also call for different management approaches and responsibilities. Understanding the difference is essential for aligning security with business objectives and ensuring clear ownership.


Understanding the Difference: Data vs. Information

Let’s start with the basics:

  • Data: Data is raw, unprocessed, and context-free. It could be numbers, words, or symbols collected from various sources. On its own, data does not have meaning. For example, a string of numbers like “100919” or an unstructured list of names is data. It is raw input, waiting to be interpreted.
  • Information: Information is data that has been processed, organized, contextualized, and given meaning. When data is turned into information, it becomes valuable and actionable. For example, “100919” becomes valuable information when interpreted as a “date of joining” for a new employee in the company (10th September 2019). Information thus has context, relevance, and purpose within a given framework.

The distinction? Data becomes information only when you place it into context and interpret it. Information is data in action: meaningful and ready to support decisions. Interpretation requires an action—something only living organisms can do because interpretation needs senses. Without sensory input or context, data stays raw and meaningless.

Figure 1 visualizes data processed into information.

Why this Distinction Matters in Information Security

It’s tempting to group data and information into the same category when discussing information security, but this can lead to unintended consequences:

1. Improper Assignment of Accountability

The roles and responsibilities for managing data are not the same as those for managing information. If you don’t distinguish between the two, you may wrongly assign accountability to data owners who only handle the technical aspects (such as storage and transfer) without considering the context, meaning, and business impact that transforms data into information. This leads to gaps in the secure handling of information and in decision-making processes.

2. Security Risks from Lack of Context

Treating data and information as the same can result in applying overly broad or context-inappropriate security controls. Data without context may seem benign, but once processed into information, its value and sensitivity can drastically change.

3. Alignment with Business Objectives

Information security is about protecting the assets that support business operations. Since information is what drives business processes, information security must align with business objectives, supporting how information is used, shared, and protected within the organization. Data alone does not offer this level of alignment. By managing data and information separately, security efforts can be more targeted, ensuring that the measures taken reflect the business value and context of the information.

Example

Recently, I worked with a team to respond to a request for proposal (RFP). A company wanted a managed data warehouse environment, which we could deliver.

A section of the RFP focused on security and privacy, specifically asking how our solution would incorporate data minimization and legitimate interest in line with EU privacy laws.

I asked the team whether we played any role in the customer’s business function or, to put it bluntly, if we were simply providing a “container” for data storage. It turned out to be the latter, meaning we had no responsibility for data minimization or determining legitimate interest. We don’t know why they need the data for their business function, and delivering the solution won’t change that.

By taking a step back from the data and viewing it as information, we explained to the customer that we had no role in data minimization or determining legitimate interest. Clarifying these distinctions not only helped us win the deal but also positioned us as a trusted business partner—willing to take the time to explain, provide thoughtful pushback, and highlight their responsibilities. Our explanation also helped them assign internal accountability, with those accountable feeling confident about managing it correctly. They are the ones who determine what information they need to effectively fulfill the company’s business functions.

This example demonstrates how difficult it is for companies to make informed decisions when they view information processing as solely a technical (IT) responsibility. Only by relating the technology to the business process it supports can you understand the context that transforms data into meaningful information. To do this effectively, you must involve people from outside the technical domain—those who understand the business functions and can provide the necessary context to properly process information.


Information Management vs. Data Management

The difference between information and data requires a different management approach for each.

  • Data Management handles the technical aspects of data. It covers storage, transfer, processing, and archiving at a technical level, usually by IT teams. The focus is on data quality, efficiency, and availability—without necessarily understanding its purpose or value.
  • Information Management focuses on transforming data into meaningful information that supports business decisions. It requires understanding how context shapes the use of data. It also includes setting security controls and determining information flow throughout the organization. This means setting policies, governance, and assigning information owners[1] who can make informed decisions about access, usage, security, and compliance.

These owners understand the context, purpose, and lifecycle of information assets. They decide on access, usage, and security measures. By contrast, data custodians handle the technical side of storage and management but do not determine how to use or interpret the data.


Avoiding the Pitfalls of Confusing Data and Information

  1. Accurate Responsibility and Accountability – Clear separation ensures that information owners understand their responsibilities for contextualizing, interpreting, and protecting information assets. This ensures that decisions about security and access are made by those who understand the business value and implications of that information.
  2. Context-Aware Security Measures – Security policies and controls should be based on the value and sensitivity of information, not just raw data. Once the context is understood, security measures can be appropriately applied, avoiding the risks of over- or under-protecting assets.
  3. Enhancing Business Alignment – By focusing on information, security practices align with the actual needs of the business, supporting its goals and objectives. When information owners make decisions based on the meaning and use of data within the context of business processes, security naturally becomes part of quality management and helps enhance business performance.

Conclusion: The Way Forward—A Human-Centric Approach to Secure Information Management

In a world where the amount of data is growing exponentially, the ability to distinguish between data and information becomes more critical than ever. By treating them separately, you not only avoid confusion and misallocated responsibilities but also enable a more precise, contextual, and effective security posture that aligns with your organization’s goals.

Information management is not just about handling raw data; it’s about ensuring that the right information is available to the right people at the right time and is protected according to its context and business value. Only by understanding how data becomes information and properly assigning ownership and responsibility can organizations achieve secure, meaningful, and business-aligned information management.

So, next time you hear someone using “data” and “information” interchangeably, remind them that in the world of secure information management, context is king—and context transforms data into valuable information.

My mission

As a proponent of human-centric secure information management, I believe in embedding security practices directly into business processes and focusing on how people use and interpret information. By aligning security with business goals and applying the right context, we can enhance both security and quality. Follow me on LinkedIn for more insights on managing and securing information in a business-aligned way!


  1. In researching this topic, I’ve noticed that many sources use ‘data’ and ‘information’ interchangeably, which overlooks a critical distinction. That’s why I believe appointing Information Owners is a key task in information management—to ensure that information is properly contextualized, governed, and aligned with business objectives.

About the author

Senior Security Advisor | Netherlands
With great enthusiasm I have been working in IT for 25 years now. I started in sales and over the years my interest shifted to consultancy. The emphasis of my work has always been (and still is) Information and Cyber Security.
