Encryption in 2012: Now a strategic business issue

Encryption is now viewed as a strategic business issue, a far cry from when it was a niche technology and solely the concern of the IT department.
Written by Richard Moulds,, Contributor
Commentary - In an increasingly digital world, information security and data privacy have become critically important to the enterprise. According to the 2011 Global Encryption Trends Study from Ponemon, encryption use to protect sensitive data is becoming widespread and strongly correlates to the overall strength of organization’s security posture. So much so that encryption is now viewed as a strategic business issue, a far cry from when it was a niche technology and solely the concern of the IT department.

Formal encryption strategies grow in prevalence
Historically many organizations deployed encryption in isolated cases to counter specific threats – perhaps to protect company laptops, maybe data in storage systems and almost certainly internet connections. In 2005, only 15 percent of organizations surveyed had an overarching encryption strategy and many of those were motivated by specific regulatory demands and merely complying with legal requirements.

In today’s business environment, the study found for the first time that the number of organizations that have a formal encryption strategy as part of a wider data protection policy now outnumber those that do not. The survey also shows that the motivation for leveraging encryption is shifting with the protection of brand or reputation emerging as the primary driver. Also, budgets are increasing as deployment priorities span all of the various silos within an organization, including their web and application infrastructure, storage environments, databases, file systems, networks and mobile devices.

Who is responsible for encryption?
When the first encryption trends survey was taken seven years ago, the head of IT or security would overwhelmingly be the person responsible for building an encryption strategy. Today, although IT leaders are still the most influential, we have seen a huge rise in business leaders taking on responsibility for defining encryption strategy. In fact, the influence gap has more than halved and if the trend continues we could see business leaders in the driving seat within a few years.

The role of key management in encryption
Whenever a company uses encryption, it has to use encryption keys. Just like the keys in your pocket, encryption keys are secrets – electronic secrets that are used to make data meaningless to everyone without the correct code. As we all know, the strongest safe in the world offers little security if a thief knows the combination to the lock. The same is true in the digital world. Weak protection of keys or poor key management practices means a company’s encryption keys, and therefore the data that they protect, can be easily compromised.

In this vein, it is no surprise that respondents to the Ponemon study consider key management to be the most important issue when deploying encryption technology, in particular the use of automated and centralized key management. Interestingly, half of respondents believe that investments in key management also have the potential to reduce the operational costs of their organizations.

Adoption and use to continue to expand
The report highlights some fascinating variations across the seven countries included in the survey, but taken as a whole there seems to be no question that encryption will be an increasingly important component of business security planning. But for some, it is still a relatively new technology, one that can only deliver its true potential if deployed correctly. Fortunately, there are tried and true best practices available and mature technologies that can deliver the levels of assurance that are necessary to survive in cyberspace. With data breaches now basically a weekly story, 2012 may truly be the year of encryption.

Visit here for a copy of the 2012 Global Encryption Trends Study.

Richard Moulds is Vice President Strategy at Thales e-Security

Editorial standards