Why encryption has become a boardroom issue

Thales e-Security survey shows how corporate decision-making on encryption has shifted from the IT department to the boardroom, writes John Grimm

For the past twelve years, the responsibility for an organisation's encryption strategy (if it has one) has, generally, resided with its IT department. According to the 2017 Global Encryption Trends Report, however, the balance of power has changed, and business unit leaders are increasingly having the biggest say in such matters.

The overall influence that business unit leaders have over an encryption strategy has risen from 10 per cent in 2005, when the study first began, to 30 per cent today, while over the same period, the influence of the IT team has dropped significantly, from 53 per cent to 29 per cent.

Interestingly, this does vary according to region. Four countries, including the UK at 37 per cent, claimed their lines of business management had most influence over their organisations' encryption strategies. France, the US, and Mexico made a similar claim, at 41, 34, and 30 per cent respectively. In the remaining seven countries surveyed for the study, IT operations still had the most responsibility.

Moving up the agenda

Given the rising number of data breaches impacting high-profile companies and making headlines on an almost daily basis, it's hardly surprising that business leaders are having more of a say in matters related to data protection and encryption.

Indeed, the devastating impact that such breaches can have on a company's reputation, customer base and, ultimately, its bottom line is certainly enough to keep its board members awake at night. Ensuring the privacy of both their own and their customers' data is now of paramount importance for businesses that want to avoid becoming tomorrow's headlines.

It's perhaps for this reason that the rise in data breaches has been mirrored by the adoption of encryption strategies across the global organisations surveyed.

Today, just over two in five organisations (41 per cent) have an encryption strategy applied consistently across the enterprise - a huge increase on the 15 per cent reported twelve years ago. Again, this does vary according to region; the UK, at 42 per cent, has one of the highest deployment rates, alongside Germany (65 per cent), the US (50 per cent), and Japan (44 per cent). Conversely, the Middle East (30 per cent), Mexico (31 per cent), and Australia (32 per cent) have the lowest deployment rates for encryption strategies.

Remaining compliant

In addition to the risk of data breaches, the need for compliance is another important reason for encryption becoming a boardroom issue. More than half of respondents (55 per cent) identified compliance with privacy and data security regulations as the main driver of extensive encryption use within their company - not surprising, as compliance has historically been the top driver found in this study.

And with regulatory changes, such as the EU General Data Protection Regulation (GDPR) and eIDAS, soon coming into effect, it's likely that more companies will consider how they can deploy encryption as a crucial element of their data protection strategy. After all, the eye-watering fines they may incur for failing to do so are something no business leader wants to face.

The need for encryption technology to protect enterprise intellectual property (51 per cent) and customer personal information (49 per cent), as well as protecting information against specific, identified threats (49 per cent), followed close behind compliance as key drivers. These factors have risen in importance in recent years, indicating increasing diligence by organisations to identify specific types of sensitive information that require stronger protection.

More than anything, these findings reveal that businesses now appear to be adopting robust security strategies, such as encryption, not because they feel they have to, but because they need to.

It's encouraging to see that data protection is making its way up the boardroom agenda and, although the balance of power in terms of driving encryption strategy has shifted, it's important that business leaders and IT teams continue to work in partnership to ensure that encryption is done well, across the whole organisation.

John Grimm is senior director of product marketing at Thales e-Security
