Cyber, cyber, cyber… everywhere we turn today, cybersecurity is at the forefront of enterprise data and technology management.

This is, of course, a good thing; for far too many years – decades, in fact – functionality has trumped security, to the point where today’s massive focus on cybersecurity has become a constant echo of post-development and (to a lesser degree) post-implementation activity. As we continue to build the cybersecurity wave, we as a nation have unfortunately lost focus on what is commonly pointed to (incorrectly, as we’ll point out shortly) as the “opposite” of information security: information privacy.

As we see with the more than 40 current cybersecurity bills floating around both chambers of Congress, the concept of security is paramount in the minds of federal legislators. But while legislators are gung-ho for security, interestingly, we completely lack national-level data privacy legislation. By contrast, at the state level we currently have over 40 states with individual privacy mandates regarding the personal information of their citizens.

In the absence of federal-level legislation protecting citizens’ personal data, coupled with continuous examples of real-world data breaches, abuse of private information, and grass-roots citizen organizations clamoring for recognition of digital privacy, our individual states have simply had no choice but to legislate on their own. One of the negative impacts of this scattershot approach is that private sector companies must now target multiple, varied and possibly conflicting state privacy laws, rather than simply implementing data privacy according to a single, unified standard.

Other nations don’t have this problem: Canada has PIPEDA, the European Union member states have the Data Privacy Directive, and dozens of other nations, from Bulgaria to Japan to Vietnam, have established basic privacy laws at the national level.

Often, the argument is made – almost invariably by those who are promoting security at all costs – that privacy erodes security. Of course, the reality is that security and privacy are not opposite ends of a spectrum. As security industry luminary Bruce Schneier pointed out a few years ago, “you don’t have to accept less of one to get more of the other.”

The fact is, good security enables privacy: look at examples such as authentication, encryption and access control. These security concepts are designed to keep bad people out of your systems and data while enabling the people who legitimately need access to the data to get it, and they are all fundamental building blocks of good security.

So, if those are “good” security concepts, what are the “bad” ones? Those are the security concepts and controls that are diametrically opposed to privacy: ideas such as warrantless carrier wiretapping, ISP disclosure-on-demand, and massive data mining (such as “abnormal pattern” discovery). Those controls can be useful in specific scenarios – for example, an organization applying them to its own assets in order to protect them. The fact is, though, that when these “bad” security concepts are applied broadly to the public, with no explicit contract between the organization and the person whose privacy is being circumvented, they serve only to erode trust; the prime example of this is when such “bad” security is mandated through legislation (particularly at the national, federal level).

So what can we do to close the gap between security and privacy? First and foremost, we need to establish a comprehensive federal privacy law that takes into consideration the best aspects of the various state laws. This perhaps needs to be augmented with a more formal definition of what “personal data” is – while the individual state laws have been a good start, they’re all over the map in terms of defining what data qualifies under their privacy statutes.

Finally, we need to ensure that future cybersecurity legislation respects the legal privacy rights mandated in federal legislation, so that “good” security is applied and “bad” security is filtered out.

The federal government has a need for security, and citizens have a need for privacy. These two concepts are not antithetical to each other, and the reality is that – if properly implemented – there’s absolutely no reason we can’t have both.

John Linkous is vice president and chief security and compliance officer at eIQnetworks, Inc.