The encryption maturity curve
Davey Winder puts forward a strategic business case for encryption.
Encryption in the cloud was only beaten by identity and access management, data discovery and data use within business applications. The chances are that cloud concerns will rise higher across this year, and that will be reflected in the next report. The exposure of the cloud to business managers as an enterprise essential in times of recession, one that cuts costs and increases productivity, has led to a wider awareness of the risks of exposing unencrypted data within that cloud environment. A knock-on effect is increased awareness of encryption within the enterprise, outside of the usual IT department environs.
Encryption has almost become the marker of security posture and strength within the enterprise, and certainly in the boardroom. Organisations that deploy encryption are "more aware of threats to sensitive and confidential information", says Dr Larry Ponemon, chairman and founder of The Ponemon Institute, who adds that "for the first time this year our study shows that more organisations say they have an encryption strategy than not."
While there is no denying that encryption has somewhat taken centre stage as a strategic ITSec issue these days, it's not the whole story. "Key management remains a challenge that can rapidly escalate as the use of encryption and other uses of cryptography expand," warns Richard Moulds, who is vice president of strategy at Thales e-Security. He continues: "The report shows a 25 per cent increase in spending on key management solutions as a proportion of encryption budgets."
Although key management has yet to overtake 'performance' as the key driver when it comes to buying criteria, according to the report, it has risen up to second place this year. Some 38 per cent of those asked said they now have a formal key management strategy in place, and there's a high level of awareness surrounding new standards such as the Key Management Interoperability Protocol (KMIP), which helps deploy centralised key management systems spanning multiple use cases and equipment vendors.
The encryption maturity curve
One of the reasons that some companies have still not employed encryption could well be the silver bullet myth that suggests that if you encrypt everything your data is somehow immune to harm.
That isn't the case, and those who have had their fingers burned (or heard about them) are wary of spending money on something that doesn't work. To make encryption work, as the savvy enterprise is starting to appreciate, you need to take a strategic approach to data protection and that means understanding not only what data actually needs to be protected but also where it needs protecting.
The non-strategic approach is still rife when it comes to technical implementation, if truth be told, with two thirds of those surveyed in the report using at least five different encryption technologies to secure data on laptops, in the cloud, within databases, across their networks and so on. Which is where the encryption maturity curve comes into play, according to Richard Moulds. "An encryption maturity curve is emerging with a shift of interest from relatively mature static technologies such as laptop and network encryption towards more sophisticated deployments that focus on encrypting data in applications as it is actually used," he says.
Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.
Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.
You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.