
When organisations think about protecting data, the first solution that comes to mind is encryption.
But CISSP asks a more precise question:
Is encryption always the right choice?
Because not all data protection techniques serve the same purpose.
Why This Matters
Many candidates—and even professionals—treat all data protection methods as interchangeable.
They are not.
Choosing the wrong technique can lead to:
✔ Ineffective protection
✔ Increased complexity
✔ Unnecessary exposure
CISSP is not about using the strongest control. It is about using the most appropriate control.
A Simple Analogy: Protecting a Credit Card Number
Imagine you need to protect a credit card number.
You have three options:
✔ Lock it in a vault → Encryption
✔ Hide part of it → Masking
✔ Replace it entirely → Tokenization
Same data. Three different approaches. Three different outcomes.
Encryption – Protecting Confidentiality
Encryption converts data into an unreadable format using algorithms and keys.
It is used for:
✔ Data at rest (databases, disks)
✔ Data in transit (TLS, VPN)
Key characteristics:
✔ Reversible (with the correct key)
✔ Strong confidentiality protection
✔ Requires proper key management
CISSP principle: Use encryption when data must be securely stored or transmitted and later recovered.
Data Masking – Hiding Data
Masking hides part of the data while keeping its format.
Examples:
✔ Credit card → **** **** **** 1234
✔ Email → j***@mail.com
Used for:
✔ Displaying data to users
✔ Reducing exposure in applications
Key characteristics:
✔ Not reversible
✔ Does not protect original stored data
✔ Focused on visibility control
Tokenization – Replacing Data
Tokenization replaces sensitive data with a token.
Example:
✔ Real card number → Random token
The actual data is stored securely elsewhere.
Key characteristics:
✔ No mathematical relationship to original data
✔ Reduces exposure significantly
✔ Common in payment systems
CISSP principle: Tokenization removes sensitive data from operational environments.
Key Differences That Matter
✔ Encryption → Protects data
✔ Masking → Hides data
✔ Tokenization → Replaces data
Use cases:
✔ Storage & transmission → Encryption
✔ Display & usability → Masking
✔ Exposure reduction → Tokenization
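The three techniques applied to one constructed test card number, as an added Python example that is not part of the article or the podcast series. The cipher is a stand-in built from HMAC-SHA256 in counter mode so the key-dependence and reversibility can be seen without an external library; in production the same structure would be filled by AES-GCM from a vetted library. The token vault is an in-memory dictionary standing in for an isolated tokenization service.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a well-known test PAN, not a real account number.
PAN = "4111111111111111"


# --- Encryption: reversible, but only with the correct key -------------------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter) blocks."""
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(key: bytes, plaintext: str) -> bytes:
    """Returns nonce || ciphertext || tag; the tag makes wrong-key use detectable."""
    nonce = secrets.token_bytes(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> str:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


# --- Masking: keeps the format, irreversible, for display only ---------------
def mask_pan(pan: str) -> str:
    digits = pan.replace(" ", "")
    masked = "*" * (len(digits) - 4) + digits[-4:]  # only the last four survive
    return " ".join(masked[i:i + 4] for i in range(0, len(masked), 4))


# --- Tokenization: random surrogate; the real value lives only in the vault --
class TokenVault:
    def __init__(self) -> None:
        self._store: dict[str, str] = {}  # token -> PAN, held outside the app

    def tokenize(self, pan: str) -> str:
        token = secrets.token_hex(8)  # random: no mathematical link to the PAN
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]
```

Re-tokenizing the same PAN yields a different token each time, which is what "no mathematical relationship" means in practice: nothing about the token can be computed back into the card number without the vault.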
Choosing the Right Technique
The decision depends on purpose:
✔ Need to recover data later → Encryption
✔ Need to hide data from users → Masking
✔ Need to eliminate sensitive data exposure → Tokenization
CISSP mindset: Purpose determines the technique.
How This Appears in the CISSP Exam
CISSP will test scenarios such as:
✔ Protecting data in transit → Encryption
✔ Showing partial data → Masking
✔ Reducing sensitive data footprint → Tokenization
Your approach:
✔ Identify the requirement
✔ Identify the context
✔ Choose the appropriate technique
Avoid selecting the strongest option blindly.
Key Takeaway
✔ Choose the protection technique based on purpose, not strength.
Listen to the Podcast
This article is part of the CISSP Blogpost and Podcast Series.
The podcast explains this topic using real-world analogies and exam-focused thinking in a structured format.
Search on Spotify: PK’s Chronicles
What’s Next?
✔ Data Handling & Security Policies – From Classification to Enforcement
This is where theory turns into real-world governance.
Final Thought
✔ Security is not just about protecting data — it is about protecting it correctly.
✔ Because in cybersecurity, the wrong protection is still a vulnerability.
Think purpose. Think protection. Think like a CISSP.