2009 Enc and Key Mgmt Industry Benchmark Report 201009


8/3/2019 2009 Enc and Key Mgmt Industry Benchmark Report 201009

1/33

2009 Encryption and Key Management Industry Benchmark Report

A risk management benchmark for data protection

Author: Kimberly Getgen, Principal, Trust Catalyst

October 20, 2009


Page 2 2009 Encryption and Key Management Industry Benchmark Report
2009 Trust Catalyst Telephone: +1.415.867.8842
www.trustcatalyst.com Contact: [email protected]

Foreword: Risk Management for Data Protection

Dear data security professional,

Where does your organization's risk management strategy stand when it comes to data protection? Despite a growing emphasis on encryption and related issues, few organizations have had the hard data needed to benchmark their risk management efforts against industry standards. Until now.

As a leader in encryption and key management, Thales wanted to provide the industry with a much needed benchmark. We engaged Trust Catalyst, a research firm, to conduct a survey of industry professionals and report the findings. I found the resulting 2009 Encryption and Key Management Industry Benchmark Report fascinating. I think you will, too. But more importantly, it's a tool your organization can use to learn where it stands in relation to industry standards and emerging trends.

After reading the report, I was struck by two things in particular: Organizations have made great strides in protecting sensitive data, and there is more to do, especially with regard to managing encryption keys and protecting backup tapes.

The next great hurdle in encryption is protecting all sensitive data, not just some of it. Many of the respondents to the survey are progressing in that direction, while others are advancing more slowly. Either way, we all have the opportunity to learn from their collective experiences.

I want to thank all of you who participated in the survey for sharing your time and insights. I also want to thank the Thales customers and partners who have helped to make us an industry leader. At Thales, we are pleased to be able to sponsor this report, and we hope that all of you will find it to be a valuable benchmarking tool.

Best regards,

Bryta Schulz
Vice President, Product Marketing
Thales Information Systems Security


Table of Contents

Foreword: Risk Management for Data Protection ..... 2
Executive Summary ..... 4
  Key Findings ..... 4
Section I: Data Encryption Trends and Obstacles ..... 7
  Encryption Trends ..... 7
  Obstacles to Encryption ..... 9
    Cost ..... 10
    Data Availability ..... 10
  Key Management Trends ..... 12
Section II: Regulations and Compliance Drivers ..... 15
  Encryption Budget Allocated for Compliance ..... 15
  Comparing the Top Five Regulations in the US and EMEA ..... 16
  How Survey Respondents Expect Regulations to Change ..... 17
  The New Connection Between Key Management and Compliance ..... 18
  Conclusion ..... 19
Section III: Cloud Computing ..... 21
  Conclusion ..... 23
Appendix A: Research Methodology ..... 28


Executive Summary

Data protection is an exercise in risk management. Adequately protecting data and managing compliance must be balanced with operating efficiency and profitable growth. Getting this combination right is more important than ever. The second annual Encryption and Key Management Industry Benchmark Report investigates how IT security managers are addressing these challenges and provides recommendations to help you reassess your strategy in light of the new data protection imperative.

Since publication of the 2008 Encryption and Key Management Industry Benchmark Report, demands to protect data have only grown. New data breach notification laws and the codification of industry-specific standards have made the protection of data an even higher priority.

In the US, HITECH (Health Information Technology for Economic and Clinical Health Act) rules introduce data breach notification requirements nationally for healthcare data. US state rules in Massachusetts (MA 201 CMR 17) and California (CA SB 1386) are mandating the use of encryption to protect data. Nevada's NV SB 227 went even further by mandating compliance with the industry-developed Payment Card Industry Data Security Standard (PCI DSS) for those accepting credit cards. In Germany, the Federal Data Privacy Act mandates data breach notification for the first time. And in the UK, aggressive action by the Information Commissioner's Office (ICO) and Financial Services Authority (FSA) has made data breach notification de facto law.

Over the next 12 months, regulation requiring the protection of data and mandatory breach notification will only continue to grow. At the same time, many organizations will continue to experience damaging, costly, and very public data breaches. As this survey shows, encryption is one of the most effective means to protect data. Using encryption with automated key management goes a long way toward helping organizations achieve their compliance and IT operations objectives.

Key Findings

Trust Catalyst conducted the second annual data protection survey to evaluate evolving trends in encryption and key management. This report, sponsored by Thales, provides new analysis and unique data to help organizations learn from the data protection and risk management decisions of their peers. The report identifies these key findings:

Unnecessary risk. The Achilles' heel of many organizations remains the same as last year: unencrypted databases and backup tapes. Less than 50 percent of organizations are encrypting backup tapes and databases, creating a critical vulnerability in data protection programs. Nearly 20 percent of participants who are not encrypting backup tapes said their organization would wait until a breach occurred before beginning to encrypt tapes.

Cost of encryption remains a top concern. Participants said cost remains the single most important factor preventing the encryption of data that should be encrypted. Over half cited either the cost of the encryption solution (26 percent) or the cost of managing the encryption solution (25 percent) as the primary obstacles to adopting encryption where it is needed most.

Operational concerns delay encryption projects. Cost isn't the only barrier to encryption adoption. The decision to encrypt requires organizations to weigh other operational efficiencies against the need for data protection. When asked what was preventing them from encrypting databases, 25 percent of participants cited performance as the key inhibitor. For backup tapes, the complexity of managing keys was the primary obstacle, cited by 24 percent of respondents. Here, many participants told us availability is more important than confidentiality.

Lost keys disrupt business. 8 percent of organizations have experienced problems with lost encryption keys, creating security concerns (50 percent), causing data to be permanently destroyed (39 percent), or disrupting the business (39 percent), while 19 percent of respondents said they directly lost business.

Key management and compliance. Planning an organization's key management strategy is no easy feat. A third of survey respondents (34 percent) have been planning their key management strategy for over a year. For the first time, these participants ranked proving compliance requirements have been met as the most challenging aspect of key management.

New encryption mandates considered helpful to data protection strategies. Regulations mandating encryption were seen as helpful in moving data protection strategies forward for an overwhelming 71 percent of survey participants, while only 7 percent disagreed, saying these regulations harmed or obstructed their organization's data protection efforts. Encryption mandates appear to be the ammunition many organizations need to help sell their data protection strategies internally. In addition, 66 percent of respondents expect to see more industry regulations outlining data protection guidelines, and 55 percent expect to see more national breach notification laws.

Patient and credit card data protection drives encryption spending. PCI DSS, HIPAA, and the EU Data Privacy Directive are the top three data protection regulations requiring allocation of new encryption budget over the next 24 months. 54 percent of respondents indicated they were allocating budget for PCI DSS, 29 percent for HIPAA and 22 percent for the EU Data Privacy Directive. Data protection rules such as HIPAA and PCI are driving the use of encryption across industries as the need to protect specific types of data grows.

Cloud not ready for prime time. 52 percent of participants cite data security concerns as being the number one barrier preventing their organization from adopting cloud computing. 43 percent of survey participants said they are not currently planning on moving to the cloud, while another 47 percent said they would wait until data is encrypted before moving. 59 percent said they would want to manage their own encryption keys if encrypted data was moved to the cloud.


About This Paper

This paper is organized into the following four sections:

Section I: Data Encryption Trends and Obstacles
Section II: Regulations and Compliance Drivers
Section III: Cloud Computing
Section IV: Importance of Key Management in New Data Protection Imperative

Research methodology and information about the survey respondents are outlined in Appendix A.


Section I: Data Encryption Trends and Obstacles

New compliance regulations are pushing the need to encrypt more data than ever before. In this year's survey, we wanted to understand not only what was being encrypted, but also what was preventing organizations from adopting more encryption where it's needed the most. In this section, we summarize these trends by exploring:

- Encryption trends
- Obstacles to encryption
- Key management trends

Encryption Trends

Table 1 compares the 13 applications surveyed in 2008 to show the change in encryption trends from 2008 to 2009. The applications are ranked from most to least widely deployed according to this year's survey results.

Table 1: Applications encrypting data, comparing 2008 and 2009 results

Encryption application | Rank in 2009 survey | Rank in 2008 survey | Change
Web server SSL | 1 | 1 | 0
File encryption server | 2 | 5 | +3
File encryption desktop | 3 | 2 | -1
FTP encryption | 4 | 4 | 0
Email client (e.g. S/MIME or OpenPGP) | 5 | 3 | -2
Email gateway (e.g. TLS) | 6 | 7 | +1
Full disk encryption | 7 | 6 | -1
Database encryption | 8 | 8 | 0
Mobile device encryption | 9 | 11 | +2
Tape backup encryption | 10 | 9 | -1
USB device encryption | 11 | 10 | -1
XML encryption | 12 | 12 | 0
Storage fabric/Switch encryption | 13 | 13 | 0

The most significant increases in this year's research were File encryption server moving up from fifth to second place and Mobile device encryption rising from eleventh to ninth. Email encryption at the client saw the most significant fall, from third place in 2008 to fifth in 2009. There was not a significant increase in encryption adoption for databases or backup tapes in 2009. We continue to caution organizations not encrypting these applications that they remain at serious risk of data breach, particularly with regard to patient and credit card data.

This year's research saw the addition of four new applications: 1) Network link encryption, 2) Payment processing, 3) Disk array, and 4) Cloud computing. Figure 1 and Table 2 compare the results of all respondents to those of the financial services industry, which has adopted encryption faster.


Figure 1: Encryption adoption compared to financial services industry, 2009 results

Table 2: Encryption applications used, 2009 results

Encryption application | All respondents | Financial services industry
Web server SSL | 77% | 86%
File encryption server | 57% | 65%
File encryption desktop | 56% | 62%
FTP encryption | 54% | 65%
Network link encryption | 53% | 70%
Email client (e.g. S/MIME or OpenPGP) | 52% | 60%
Email gateway (e.g. TLS) | 51% | 68%
Payment processing | 50% | 79%
Full disk encryption | 49% | 56%
Database encryption | 43% | 53%
Mobile device encryption | 42% | 63%
Tape backup encryption | 41% | 58%
USB device encryption | 41% | 45%
Disk array | 25% | 44%
XML encryption | 31% | 33%
Storage fabric/Switch encryption | 20% | 30%
Cloud computing | 17% | 19%


Here we can see that the five most widely deployed encryption applications overall are:

1. Web servers (77 percent)
2. File encryption on servers (57 percent)
3. Desktop file encryption (56 percent)
4. FTP encryption (54 percent)
5. Network link encryption (53 percent)

The financial services industry differs slightly, with email encryption at the gateway and payment processing among the five most frequently used encryption applications in this year's research:

1. Web servers (87 percent)
2. Payment processing (79 percent)
3. Network link encryption (70 percent)
4. Email encryption at the gateway (68 percent)
5. Tie: File encryption at the server (65 percent) and FTP encryption (65 percent)

The financial services industry does have a higher percentage of database and backup tape encryption deployed than the general survey population. 53 percent of financial services participants encrypt databases compared with 43 percent overall. 58 percent of financial services participants encrypt backup tapes compared with 41 percent overall. Since the financial services industry has been the focal point of more data protection regulations, this trend may point toward future overall growth in database and backup tape encryption as these regulations begin to impact more industries.

We must continue to caution organizations not encrypting databases and backup tapes that they are at risk for two reasons:

1. Recent research has shown that exposing as few as 10,000 customer records can cost over $1 million in damages [1] and that the average organization pays $6 million per breach. [2]

2. Tapes and databases are transportable. Tapes are often sent outside the protected perimeter of the organization, making data vulnerable. This is also true for databases when database information is transferred, backed up to disk, or stored on tape. This means every time a backup of the database is made to tape and sent outside of the organization unencrypted, the likelihood of a data breach increases.

Obstacles to Encryption

In this year's research, we wanted to uncover more of the obstacles to encryption. Cost, availability, and key management concerns topped the list. In this section, we look at each factor separately.

[1] Gartner, "Pay for Mobile Data Encryption Upfront, or Pay More Later", November 5, 2008.
[2] Ponemon Institute, "Fourth Annual US Cost of Data Breach Study", January 2009. http://www.ponemon.org/local/upload/fckjail/generalcontent/18/file/2008-2009%20Cost%20of%20Data%20Breach%20Report%20Final.pdf

Cost

Cost is still the primary issue for most organizations that want to encrypt more data where it is needed most. Table 3 shows respondents' answers to the question, "If there is data in your organization that should be encrypted but is not, what is the biggest obstacle preventing encryption?" Slightly more than half of respondents indicated the cost of either deploying or managing the solution as their biggest obstacle. Another 22 percent of participants cited data recovery costs or key management challenges as their most significant barrier.

Table 3: If there is data in your organization that should be encrypted but is not, what is the biggest obstacle preventing encryption?

Response | All respondents
Cost of encryption solution | 26%
Cost of managing encryption solution | 25%
Other | 14%
Management doesn't see connection between encryption and protecting customers; thinks it's an unnecessary expense | 13%
Cost of data recovery and key management | 12%
Data recovery concerns resulting from unresolved key management challenges | 10%

Data Availability

This year's research found that database and backup tape encryption are still less widely adopted than encryption for many other applications. One participant succinctly summarized the reasoning behind this reluctance: "Availability is more important than confidentiality." Others cited ignorance, underestimation of risks, budget, and neglect as reasons why participants have not encrypted sensitive data.

Database encryption

When it comes to protecting sensitive data in databases, most think encrypting will create performance issues for business-critical applications. Even respondents from the financial services industry, with a higher rate of database encryption adoption, tend to agree. When applications process fewer transactions because of database encryption, organizations lose business. One participant told us that both performance and cost blocked their adoption of database encryption: "Poor database schema designs use sensitive data as database keys and thus drastically impacts performance. This fix is a schema redesign that most organizations are not willing to fund."


Table 4 shows participants' ideas about the main factors that have prevented organizations from deploying database encryption.

Table 4: In your opinion, what is the main reason so many organizations are waiting to encrypt sensitive data in the database?

Response | All respondents | Financial services industry
Creates performance impacts that may allow fewer customer transactions | 21% | 25%
Don't see the benefit of encrypting the database when hackers attack the front end of the applications and can get access to data whether encrypted or not | 18% | 19%
Key management issues are too complex | 17% | 18%
Requires a disruption to the application environment which may cause lost business | 15% | 13%
Waiting to be natively embedded in the database solution | 13% | 14%
Requires migrating data that will cause a disruption to the business | 9% | 13%
Other | 7% | 6%

The second most popular response came from participants who don't see the benefit of encrypting databases if they can still be attacked. Host-based attacks, SQL injection, and insider threats may not be thwarted by the use of data encryption. It's always important that a defense-in-depth approach to mitigating risks is used.

However, one of these layers should be encrypting databases. For example, if organizations back up their databases to tapes, they could be at serious risk if they ship those tapes unencrypted. Using database encryption before backing up the data can help protect sensitive information and prevent a data breach if a tape is lost or stolen.

Finally, 17 percent of participants said key management was too complex to apply encryption at the database. As we will see later in this section, many participants said they would have less than an hour to recover encrypted data from the database, creating data availability concerns. This makes effective key management that much more important.

Backup tape encryption

In regard to backup tape encryption, we asked survey respondents a similar question: "In your opinion, what is the main reason so many organizations are waiting to encrypt backup tapes?" As shown in Table 5, the most popular response was "key management issues too complex" at 24 percent. For example, one participant told us that organizations "Want to ensure access to backup tapes [...] if encrypted and key is lost or unavailable then the backup tape is worthless." Others told us it was the worry about data recoverability after long periods of storage that discouraged encryption.


Coming in second place with 19 percent was the response "most organizations would wait until after a data breach event" before they would be willing to tackle tape backup encryption. This was concerning because our assessment of the current regulatory environment concludes that organizations do not have the luxury of waiting to encrypt tapes, as the likelihood of breaches and costs to the business are only increasing. In our opinion, organizations that ship tapes must encrypt tapes.
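The two backup-tape points made above, that an unencrypted tape leaving the perimeter is a breach waiting to happen and that an encrypted tape is worthless if its key is lost or unavailable at the restore site, can be made concrete with a small envelope-encryption model. The Go program below is an added example written for this page; it is not code from the report, from Trust Catalyst or from Thales. The KeyStore type, the key ID "kek-2009-01" and the sample backup row are constructed for the demonstration, and the in-memory KeyStore stands in for the HSM or key manager that would hold the key-encryption key in practice. Each tape gets a fresh data-encryption key (DEK); the DEK is wrapped under a key-encryption key (KEK) that never travels with the tape, so the tape alone reveals nothing, and a site whose key store does not hold that KEK cannot restore it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore stands in for the key manager (an HSM or key server) that holds KEKs by ID; hypothetical.
type KeyStore map[string][]byte

// TapeImage is everything written to the tape; the plaintext DEK never is.
type TapeImage struct {
	KEKID      string
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK), KEKID as associated data
	Ciphertext []byte // nonce || AES-256-GCM(DEK, backup)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal encrypts and authenticates plaintext, prefixing a random nonce.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; it fails if the key is wrong or the blob was altered.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// EncryptBackup encrypts one backup under a fresh per-tape DEK and wraps that DEK
// under the named KEK, so the tape alone carries no usable key material.
func EncryptBackup(store KeyStore, kekID string, backup []byte) (*TapeImage, error) {
	kek, ok := store[kekID]
	if !ok {
		return nil, fmt.Errorf("KEK %q not available", kekID)
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(kek, dek, []byte(kekID)) // ties the wrapped DEK to its KEK ID
	if err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, backup, nil)
	if err != nil {
		return nil, err
	}
	return &TapeImage{KEKID: kekID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// RecoverBackup is what a restore site runs; it works only if that site's key
// store holds the KEK named on the tape. Without it the tape is unreadable.
func RecoverBackup(store KeyStore, tape *TapeImage) ([]byte, error) {
	kek, ok := store[tape.KEKID]
	if !ok {
		return nil, fmt.Errorf("KEK %q not available at this site; tape cannot be restored", tape.KEKID)
	}
	dek, err := gcmOpen(kek, tape.WrappedDEK, []byte(tape.KEKID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, tape.Ciphertext, nil)
}

func main() {
	kek := make([]byte, 32)
	rand.Read(kek) // the primary site's KEK; "kek-2009-01" below is a constructed key ID
	primary := KeyStore{"kek-2009-01": kek}
	tape, _ := EncryptBackup(primary, "kek-2009-01", []byte("constructed sample backup row\n"))
	_, err := RecoverBackup(KeyStore{}, tape) // a DR site holding no KEK
	fmt.Println("restore without KEK:", err)
	got, err := RecoverBackup(primary, tape)
	fmt.Printf("restore with KEK: %q err=%v\n", got, err)
}
```

Run stand-alone, main prints a failed restore at a site with an empty key store and a successful one at the primary site. That failure is exactly the availability problem the respondents describe: whether the KEK is escrowed and replicated to the disaster-recovery site decides whether the encrypted tape is recoverable, so key backup and distribution belong in the tape-encryption plan alongside the cipher. Binding the wrapped DEK to its KEK ID through the GCM associated data also means a tape cannot be silently re-pointed at a different key.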

Key Management Trends

As we've seen with backup tapes and databases, key management concerns continue to plague organizations attempting to encrypt sensitive data. Once this data is encrypted, it must be recoverable at some point in the future, with little room for error. First and foremost, data must be available.

Concerns around data availability have made planning an organization's key management strategy no easy feat. A third of survey respondents (34 percent) have been planning their key management strategy for over a year (up from 26 percent in 2008). Table 6 below shows how much time organizations have spent planning for key management compared to the financial services industry. Unsurprisingly, more financial services participants (47 percent) have spent over a year planning their key management strategy.

Table 6: How much time has your organization spent preparing or planning for key management issues?

Length of time | All respondents | Financial services
Over 1 year | 34% | 47%
6-12 months | 15% | 19%
1-5 months | 23% | 16%
1 week | 9% | 6%
None | 19% | 12%

Data availability concerns are often driven by the amount of time one has to recover encrypted data. The less time to recover data, the greater the availability concerns. Table 7 below shows acceptable recovery timeframes for different applications.

Table 5: In your opinion, what is the main reason so many organizations are waiting to encrypt backup tapes?

Choices | All respondents
Key management issues too complex | 24%
Most organizations will wait until after a data breach notification event | 19%
Waiting to be natively embedded in my backup tape solution | 17%
Decision to postpone encrypting tapes is made by the storage dept without involvement from the security dept | 11%
Encrypting tapes costs more than a data breach, so it's not cost effective to encrypt | 10%
Too difficult to make key accessible to the disaster recovery site | 10%
Other | 9%


Table 7: What is an acceptable amount of time to recover data?

Data location | Less than 1 hour | Less than 1 day | 2 days-1 week | 1 month or more
Laptops | 22% | 50% | 26% | 1%
Mobile devices | 29% | 42% | 29% | 2%
File servers | 41% | 43% | 16% | 1%
Databases | 49% | 37% | 13% | 1%
Email | 30% | 42% | 27% | 1%
Backup tapes | 17% | 43% | 36% | 4%
Cloud computing | 31% | 33% | 27% | 9%
Storage fabric | 30% | 36% | 10% | 7%
Payment processing | 54% | 29% | 13% | 4%
Network link encryption | 54% | 30% | 12% | 4%

For most applications, encrypted data needs to be recovered in less than a day, but for business-critical applications like databases, network link encryption, and payment processing applications, data often must be recovered in less than an hour.

With such high demands on data recoverability timeframes, we wanted to know how encryption keys were being stored to see if there was a connection between key management and data availability requirements. Table 8 below shows the results from all survey participants and all applications.

Table 8: Where are encryption keys stored?

Application | HSM | Database | Software or disk | USB device | Don't know
Web server SSL | 23% | 13% | 29% | 9% | 26%
File encryption server | 32% | 14% | 21% | 5% | 29%
File encryption desktop | 23% | 13% | 29% | 9% | 26%
FTP encryption | 14% | 11% | 26% | 4% | 46%
Network link encryption | 26% | 6% | 20% | 3% | 45%
Email client (e.g. S/MIME or OpenPGP) | 14% | 12% | 31% | 5% | 37%
Email gateway (e.g. TLS) | 13% | 12% | 30% | 4% | 42%
Payment processing | 36% | 7% | 13% | 3% | 41%
Full disk encryption | 24% | 12% | 30% | 5% | 30%
Database encryption | 24% | 21% | 15% | 2% | 37%
Mobile device encryption | 17% | 10% | 23% | 5% | 45%
Tape backup encryption | 26% | 9% | 15% | 2% | 49%
USB device encryption | 14% | 8% | 16% | 19% | 42%
Disk array | 17% | 6% | 12% | 2% | 63%
Storage fabric/Switch encryption | 19% | 5% | 9% | 2% | 64%

As it was last year, the most popular response for most applications was "don't know", even for the applications that needed to be recovered in less than an hour. However, for respondents who knew where keys were stored, the majority of applications that needed to be recovered in an hour were most likely to be in a hardware security module (HSM). The four applications for which respondents preferred to have their keys stored in an HSM rather than software or disk were Payment processing, Network link encryption, Database encryption, and Tape backup encryption (all highlighted in bold in the above table). Here we can see the importance of using HSMs to automate key management and overcome data availability concerns. Without HSMs or the use of automated key management tools, we believe data availability concerns will continue to stand in the way of data protection.

Conclusion

Cost isn't the only barrier to encryption adoption. The decision to encrypt requires organizations to weigh operational factors like availability and performance against the need for data protection. Here, organizations are unwilling to sacrifice operational efficiencies for data encryption. Many organizations are caught in a holding pattern while they try to determine how to best meet data recoverability requirements or find budget to meet performance and availability demands. Sadly, many will suffer a data breach before they can encrypt sensitive data. Nearly 20 percent of those surveyed believe it will take a data breach to get the approval to start encrypting backup tapes. Given the new regulatory climate, many organizations will need to ask themselves what will be worse: paying for automated encryption key management to overcome data availability fears, or losing customers in a breach when they expose sensitive credit card or patient data. Considering the higher costs and risks of a breach, we believe postponing these encryption decisions (particularly for backup tapes) is no longer a sustainable risk management strategy.


    Section II: Regulations and Compliance Drivers

    This year's research shows that the protection of healthcare and credit card data is driving future compliance spending. This section takes a look at regulations' impact on the organizations surveyed by exploring:

    - Encryption budget allocated for compliance
    - How survey respondents expect regulations to change
    - The connection between key management and compliance

    Encryption Budget Allocated for Compliance

    We provided participants with a list of 25 data protection regulations and asked which ones would require the allocation of new budget in the next 24 months. Table 9 below shows the responses, with PCI DSS leading the charge, followed by US HIPAA and the EU Data Privacy Directive.

    Table 9: Regulations requiring allocation of new encryption budget over next 24 months

    Regulation                                                            All respondents
    PCI DSS                                                                           54%
    US HIPAA                                                                          29%
    EU Data Privacy Directive                                                         22%
    US Gramm-Leach-Bliley                                                             18%
    US Multiple State Data Breach Notification Laws                                   16%
    US California Data Breach Notification (CA SB 1386)                               15%
    US Massachusetts Data Protection Act (MA 201 CMR 17)                              14%
    UK Data Privacy Act                                                               13%
    US Federal Trade Commission Red Flag Rules                                        12%
    Canada Personal Information Protection and Electronic Documents Act               10%
    US Nevada (Senate Bill No. 227)                                                    9%
    Canada Privacy Breach Guideline                                                    9%
    Germany S93 Act on Processing of Personal Data                                     8%
    UK Privacy Commissioner Breach Notification Guidelines                             7%
    South Africa Protection of Personal Information Act                                7%
    Italy Data Protection Code                                                         4%
    Spain Personal Data Protection and Telecommunications Act                          4%
    Japan Personal Information Act                                                     4%
    Hong Kong Personal Data Privacy Ordinance                                          4%
    Australia Privacy Commissioner Breach Notification Guidelines                      3%
    France Postal and Electronic Communications Code                                   3%
    Australia Commonwealth Privacy Act                                                 3%
    South Korea Act on the Protection of Personal Information                          2%
    New Zealand Privacy Commissioner Breach Notification Guidelines                    2%
    New Zealand Privacy Breach Guidelines                                              2%

    It was a surprise to see sector-specific regulations such as PCI DSS and HIPAA topping the list, given that the majority of survey respondents were not from financial services, healthcare, or retail. We believe this indicates that encryption budget allocations are driven less by the industry you are in than by the type of data you need to protect. As more industries store, manage, and process customer, patient, employee, and business partner information, they will be required to protect their data accordingly.

    Comparing the Top Five Regulations in the US and EMEA

    Figure 3 and Table 10 below track the top regulations in the US and EMEA and compare them to the worldwide response. Here you can see that while PCI DSS received the highest response in EMEA, HIPAA received the highest response in the US.

    Figure 3: Percentage of respondents citing new encryption spending driven by major regulations


    Table 10: Percentage of respondents citing new encryption spending driven by major regulations

    Regulation                                               All respondents     US    EMEA
    PCI DSS                                                              53%    48%     52%
    US HIPAA                                                             27%    53%      8%
    EU Data Privacy Directive                                            21%    13%     43%
    US Gramm-Leach-Bliley                                                15%    32%      5%
    US State Data Breach Notification Laws                               15%    32%      5%
    US Massachusetts Data Protection Act                                 12%    26%      3%
    UK Data Privacy Act                                                  11%     9%     20%
    Germany S93 Act on Processing Personal Data                           5%     5%     15%
    UK Privacy Commissioner Breach Notification Guidelines                5%     9%      9%

    How Survey Respondents Expect Regulations to Change

    We wanted to know how participants expected regulations to change over time and whether they thought regulations mandating the use of encryption were helpful or harmful to their data protection strategies. In Figure 4 and Table 11, we asked participants how they expect regulations to change in the next 24 months. Two thirds (66 percent) indicated they believed there would be new industry regulations, and 55 percent said they expect new national laws. Only 11 percent believed there would be no new laws introduced.

    Figure 4: How do you expect regulations to change in the next 24 months?


    Table 11: How do you expect regulations to change in the next 24 months?

    Response                                               All respondents
    There will be new industry regulations                             66%
    There will be new national laws                                    55%
    There will be new local laws (state and regional)                  43%
    There will be no new laws introduced                               11%

    We also wanted to know how participants viewed data breach regulations that required the use of encryption. We asked them whether these regulations were seen as "Helpful to moving forward your organization's data protection efforts" or "Harmful and gets in the way of your organization's data protection efforts". A clear majority of respondents (70 percent) found them helpful. Surprisingly, an even higher percentage (79 percent) of respondents from organizations that have experienced a data breach found them helpful, with only 2 percent finding them harmful. Table 12 below compares the responses of participants whose organizations had experienced a data breach to those who had not.

    Table 12: Data breach regulations that spell out the need for protecting data using encryption are...

    Response                                                                      Breached organizations    Non-breached organizations
    Helpful to moving forward your organization's data protection efforts                            79%                           70%
    Undecided                                                                                        19%                           23%
    Harmful and gets in the way of your organization's data protection efforts                        2%                            7%

    The New Connection Between Key Management and Compliance

    Over the last two years of conducting this research, we've asked participants to rank the aspects of key management they've found the most challenging. The results of this year's study highlight an interesting new finding: organizations that have spent the most time planning key management ranked their most challenging aspect differently from their peers. Those that have been using encryption and have spent the most time preparing for key management are now more focused on demonstrating compliance compared to organizations that are just beginning to adopt encryption.

    Table 13 below compares these three groups and ranks their choices from most difficult to least difficult for:

    - All responses, 2008
    - All responses, 2009
    - 2009 responses by those who had spent one year or more planning their key management strategy


    Table 13: Relative difficulty of different aspects of key management (1 = most difficult)

    Columns: 2008 (all respondents); 2009 (all respondents); 2009 (respondents with 1+ year of key management planning); Difference from 2009 (all) to 2009 (1+ year of planning). A negative difference means the experienced group found the task less difficult.

    Aspect of key management                                        2008    2009    2009 (1+ yr)    Difference
    Preparing for the unfortunate publicity and impact of data         1       2               3            -1
      breach
    Rotating keys, decrypting and re-encrypting data                   2       1               2            -1
    Keeping track of keys (having the right key at the right time)     3       3               7            -4
    Meeting compliance requirements                                    4       6               4            +2
    Long-term key archival                                             5       5               5             0
    Proving compliance requirements have been met                      6       4               1            +3
    Making keys accessible to the disaster recovery site               7       6               6             0
    Backing up and recovering keys                                     8       7               8            -1
    Revoking/terminating keys (so data can't be accessed)              9       8               9            -1

    Respondents found the following among the more challenging aspects of key management:

    - Rotating keys, decrypting and re-encrypting data
    - Preparing for the unfortunate publicity and impact of data breaches

    But there were differences when it came to what was the most challenging. "Proving compliance requirements have been met" was ranked the most difficult by the group that had been planning key management longer. By contrast, the participants in 2008 ranked "Meeting compliance requirements" as more challenging than proving they had been met. We think this is a significant finding: as organizations become more mature in their encryption and key management strategies, they find proving compliance more difficult than the mechanics of key management.

    There were also interesting differences regarding the difficulty of "Keeping track of keys (having the right key at the right time)". Respondents as a whole ranked it third in difficulty, while those who had been planning the longest found it to be one of the least challenging aspects of key management. This suggests that effective key management can reduce the time and operations costs spent on key management tasks.
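    Three of the tasks ranked in Table 13 (keeping track of keys, rotating keys and re-encrypting data, and revoking keys so data can't be accessed) come down to one design decision: every ciphertext must carry the identifier of the key that protects it. The following Python is an added example written for this page; it is not code from the report or from Thales. The KeyRing class, the "KR1" header layout and the sample records are assumptions made for illustration. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only so the example runs on the standard library; in a real deployment the key store would be an HSM and the cipher an authenticated mode such as AES-GCM.

```python
import hashlib
import hmac
import os
import struct

# Assumed ciphertext layout for this example: MAGIC | key id | nonce | body | tag
MAGIC = b"KR1"
KEY_ID_LEN = 16          # hex string of 8 random bytes
NONCE_LEN = 16
TAG_LEN = 32             # HMAC-SHA256 output
HEADER_LEN = len(MAGIC) + KEY_ID_LEN + NONCE_LEN


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256(key, nonce || counter). Demonstration cipher only."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class KeyRing:
    """Versioned data-encryption keys. Each ciphertext names its key, so finding
    'the right key at the right time' is a header lookup rather than a guess."""

    def __init__(self):
        self._keys = {}            # key_id -> key bytes; stands in for the HSM / key store
        self._revoked = set()      # ids whose material has been destroyed
        self.active_key_id = None  # key used for new encryptions

    def generate_key(self) -> str:
        """Create a new key and make it the active key."""
        key_id = os.urandom(KEY_ID_LEN // 2).hex()
        self._keys[key_id] = os.urandom(32)
        self.active_key_id = key_id
        return key_id

    def revoke_key(self, key_id: str) -> None:
        """Destroy key material; data still encrypted under it becomes unrecoverable."""
        del self._keys[key_id]
        self._revoked.add(key_id)
        if self.active_key_id == key_id:
            self.active_key_id = None

    def key_id_of(self, blob: bytes) -> str:
        """Read the key identifier from the ciphertext header without needing any key."""
        if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
            raise ValueError("not a KR1 ciphertext")
        return blob[len(MAGIC):len(MAGIC) + KEY_ID_LEN].decode("ascii")

    def encrypt(self, plaintext: bytes) -> bytes:
        if self.active_key_id is None:
            raise RuntimeError("no active key; call generate_key() first")
        key = self._keys[self.active_key_id]
        nonce = os.urandom(NONCE_LEN)
        header = MAGIC + self.active_key_id.encode("ascii") + nonce
        body = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
        tag = hmac.new(key, header + body, hashlib.sha256).digest()  # encrypt-then-MAC over header too
        return header + body + tag

    def decrypt(self, blob: bytes) -> bytes:
        key_id = self.key_id_of(blob)
        if key_id in self._revoked:
            raise KeyError("key %s was revoked; this data is no longer accessible" % key_id)
        if key_id not in self._keys:
            raise KeyError("key %s is unknown to this key ring" % key_id)
        key = self._keys[key_id]
        header, body, tag = blob[:HEADER_LEN], blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed: ciphertext modified or wrong key")
        nonce = header[HEADER_LEN - NONCE_LEN:]
        return _xor(body, _keystream(key, nonce, len(body)))

    def rotate(self, blobs):
        """Generate a new active key and re-encrypt every ciphertext under it.
        Returns (new_blobs, retired_key_ids). Retire old keys only after all data has moved."""
        old_ids = {self.key_id_of(b) for b in blobs}
        plaintexts = [self.decrypt(b) for b in blobs]  # needs the old keys, so runs before any revocation
        new_id = self.generate_key()
        return [self.encrypt(p) for p in plaintexts], old_ids - {new_id}


def demo():
    """Constructed scenario: encrypt two records, rotate, then revoke the retired key."""
    ring = KeyRing()
    first = ring.generate_key()
    records = [ring.encrypt(b"pan=4111111111111111"), ring.encrypt(b"patient=12345")]  # sample data
    records, retired = ring.rotate(records)
    for key_id in retired:
        ring.revoke_key(key_id)
    return {"rotated_from": first, "active": ring.active_key_id,
            "recovered": [ring.decrypt(r) for r in records]}


if __name__ == "__main__":
    print(demo())
```

    The order inside rotate() is the operational point: all ciphertexts are re-encrypted under the new key before the old key is retired, so revocation never strands data. Revoking a key that still protects live records is the "lost key" outcome in Table 18, just done deliberately.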

    Conclusion

    Participants in the survey are feeling the impact of data breach regulations in two critical areas: the types of data they will need to protect and their key management strategies. First, while the majority of participants worldwide are budgeting for PCI DSS, HIPAA is the most important encryption budget driver in the US. We believe this is a result of the HITECH rule introducing breach notification for sensitive healthcare data.

    Second, those who have been planning their key management strategies the longest see a connection between key management and their compliance strategies. They now consider the most challenging aspect of key management to be proving that compliance requirements have been met. These organizations have more mature data protection models and are living in a compliance world where the most important aspect of data protection is their reporting capability. They are spending more time making sure their compliance efforts are demonstrable and less time deciding how and what to encrypt. Organizations that are less experienced with key management are likely dealing with newer encryption deployments and operational issues. They haven't achieved the operational efficiencies enjoyed by organizations that have been planning their key management strategies the longest.


    Section III: Cloud Computing

    The security debate around cloud computing has arisen since our 2008 survey. This year, we were interested in understanding three things:

    - Barriers to cloud computing adoption
    - Role of encryption and data protection in an organization's decision to move to the cloud
    - Expectations for key management with cloud computing

    Figure 5 and Table 14 below show the responses to the question, "What is the biggest barrier for your organization when adopting cloud computing?" 52 percent of survey participants cited data security concerns as the biggest barrier, while 18 percent said there are no barriers.

    Table 14: What is the biggest barrier for your organization when adopting cloud computing?

    Response                         All respondents
    Data security concerns                       52%
    There are no barriers                        18%
    Other                                        14%
    Compliance                                    8%
    Key management concerns                       8%

    Figure 5: Biggest barrier to cloud computing


    Organizations are reluctant to move to the cloud, with or without data security in place. When asked, "Would your organization move to the cloud without data encryption?", 47 percent said they would wait for encryption, but almost as many (43 percent) said they were not planning on moving to the cloud at all. Table 15 and Figure 6 show the findings for all participants.

    Table 15: Would your organization move to the cloud without data encryption?

    Response                                                               All respondents
    No, we would wait until data is encrypted                                          47%
    No, we are not planning on moving to the cloud                                     43%
    Yes, encryption is not a barrier for us to adopt cloud computing                    7%
    Yes, we have already moved unencrypted data to the cloud                            5%

    Figure 6: Would your organization move to the cloud without data encryption?

    Finally, we wanted to know whether encryption key management based in the cloud would be acceptable to survey participants, or whether they would prefer to manage the encryption keys themselves. An overwhelming 58.8 percent said they would want to manage their own keys, compared to 15.1 percent who wouldn't mind if their service provider handled key management on their behalf.


    Table 16 and Figure 7 show these findings.

    Table 16: Is encryption key management based in the cloud acceptable?

    Response                                                                                     All respondents
    No, I would want to manage our encryption keys                                                           59%
    Yes, I trust my solution provider to manage encryption keys and recover my data in a time              15%
      that is acceptable to our business
    Don't know                                                                                               26%

    Figure 7: Is encryption key management based in the cloud acceptable? (No: 59%; Yes: 15%; Don't know: 26%)

    Conclusion

    Our research shows survey respondents are very skeptical about cloud computing. While there isn't enough data here to predict any substantial trends for cloud computing, one thing is clear: organizations should be sure to analyze whether or not a move to the cloud makes sense within a risk management framework that incorporates data protection and compliance requirements. If your organization is adopting cloud computing, then data protection, data availability, and key management expectations should be well defined in service level agreements. Organizations should also outline when they expect to be notified if breaches occur. From customers' perspective, a breach at a cloud service provider will be interpreted no differently than if you caused the breach, so be sure you and your customers are protected before using cloud services.


    On the other hand, if you are a cloud computing service provider, your handling of the data protection and compliance issues covered in this report could be translated into competitive advantages in selling your services.


    Section IV: Importance of Key Management in the New Data Protection Imperative

    With new data protection regulations specifying encryption for safe harbor or even mandating its use, we believe it's become much riskier out there for organizations that are waiting to encrypt critical information like healthcare and credit card data in unprotected backup tapes and databases. With less than half of participants encrypting backup tapes and nearly 20 percent of respondents saying it would take the pain of a data breach to get their organization to encrypt, we believe too many organizations are needlessly at risk.

    At the heart of the new data protection imperative lies a critical risk management decision. Organizations can either: 1) wait to encrypt sensitive data and live with a much higher risk of data breach than ever before, or 2) encrypt data but risk business continuity issues such as data availability without effective key management. The chart below summarizes this risk management decision, taking into account a few of the factors we find most important:

    - Concern: likelihood of a data breach versus likelihood of losing a key once data is encrypted
    - Type of notification: what happens if your concern comes true and you have to tell others
    - Who is notified: exactly who is on the distribution list and alerted when things go wrong
    - Costs to business[3]: immediate and longer-term consequences
    - How to avoid: action the organization must take to avoid the problem

    [3] Please contact Trust Catalyst for the Trust Catalyst Data Breach Prep Kit, a cost worksheet that can help you determine costs of data breach events for your organization.


    Operational efficiencies like availability and performance cause organizations to postpone implementation of their data protection strategies for fear that encryption will slow the business down (e.g., databases) or that lost encryption keys will cause lost business when data is not available (e.g., backup tapes). But we believe organizations no longer have the luxury of postponing encryption of critical data because of key management concerns. As the chart above shows, there are more costs and negative impacts to the business associated with data breaches that involve public disclosure, and most could be avoided by encrypting data.

    In just the last year, we've learned a lot more about the costs of loss of customer trust after a breach. A recent survey of data breach victims[4] showed the significant impact of a breach on the business:

    - 55 percent trusted the organization less, which greatly impacted future business.
    - 30 percent vowed never to purchase goods from the organization again.
    - 29 percent terminated future relationships with the organization.
    - 69 percent of the costs of a data breach came from lost business.

    Our research shows respondents were more likely to have experienced a data breach than to have lost an encryption key, as Table 17 shows.

    Table 17: Incident rate for lost keys and data breaches among respondents

    Event                                    Incident rate
    Lost key                                            8%
    Data breach (in the last 24 months)                12%

    As Table 18 below shows, for those organizations that have lost encryption keys, the event created security concerns (50 percent), resulted in permanent data loss (39 percent), and caused business disruptions (39 percent) and lost business (19 percent). While we don't want to diminish the business impacts of bad key management, we believe they can no longer serve as an excuse for postponing encryption, particularly of healthcare and credit card data.

    Table 18: What was the impact of losing encryption keys to your business?

    Response                                         Respondents who have lost a key
    Created a security concern                                                   50%
    Lost data that was never recovered                                           39%
    Created a business disruption                                                39%
    Lost data but we were able to recover it                                     31%
    Caused lost business                                                         19%
    Other                                                                         4%

    [4] Javelin Strategy and Research, Consumer Survey on Data Breach Notification, 2008.


    Conclusion

    We are concerned for two reasons. First, without automated key management, the encryption necessary to protect sensitive data where it is most at risk will not happen. We believe the lack of a key management strategy is no longer an acceptable reason for postponing the protection of critical data like healthcare, patient, and credit card data. The only way organizations will be able to comply with regulations and safely protect patient and consumer data will be to automate encryption key management. Technologies like HSMs (hardware security modules) have long been available to help organizations automate key management and avoid data availability issues. However, many organizations see these technologies as too costly to implement. Taking into consideration the value organizations place on availability, the operational efficiencies good key management brings, and the ability to encrypt more, we believe these technologies are well worth the cost.

    Second, the costs of breach notifications are worse than we originally thought. Postponing your decision to encrypt will cost a lot more than many organizations initially estimated in their assessment of their risks. Only with automated management of keys will availability and continuity issues stop obstructing encryption projects. We believe automating key management is no longer optional, especially when it comes to protecting credit card and patient data.


    Appendix A: Research Methodology

    In August 2009, Trust Catalyst conducted an online survey to examine the current and planned use of encryption and key management strategies within today's global enterprise. Prospective survey respondents were selected from a database of global information security professionals collected by Thales, a leader in the provision of information and communication systems security solutions whose customers include some of the most security-conscious organizations in the world. Over 30,000 emails were sent to information security professionals who were asked to complete the online survey. As an incentive to complete the survey, we offered the results of the survey contained within this research report. We received 655 complete and partial responses.

    Respondents were given the following instructions before starting the survey:

    "The purpose of the survey is to gather much-needed information about global market requirements in encryption and key management trends at a level of depth and experience missing in other surveys completed to date. Like last year, the 2009 research report will be an invaluable benchmark showing how hundreds of other organizations compare to yours in the use of encryption and responding to key management challenges. Your participation is completely confidential and all responses will be compiled at an aggregate level so your participation is completely anonymous."

    Following are the demographics and organizational characteristics of the 655 respondents. Table 19 shows participants' functional responsibilities. Table 20 provides their self-reported organizational roles.

    Table 19: Functional responsibilities of respondents

    Functional responsibility                Percent of respondents
    Compliance                                                   5%
    Database administration                                      1%
    Information security                                        30%
    Network security                                             6%
    Operations                                                   6%
    PKI deployment                                               8%
    Product/application development                             14%
    Risk management                                              4%
    Storage administration/design                              0.6%
    System administration/design                                 5%
    Website administration                                     0.3%
    Other                                                       21%


    Figure 8: Functional responsibilities of respondents

    Table 20: Organizational roles of respondents

    Organizational role                      Percent of respondents
    Administrator                                                6%
    Architect                                                   15%
    Staff                                                        8%
    Manager                                                     24%
    Director                                                     8%
    Vice president                                               3%
    Chief information officer                                    2%
    Chief security officer                                       1%
    Chief information security officer                           2%
    Chief compliance officer                                     1%
    CEO                                                          3%
    Other                                                       27%


    Figure 9: Organizational roles of respondents

    Table 21 shows the percentage distribution of survey respondents by industry classification. The two biggest industry segments were technology and software (28.5 percent) and financial services (25.7 percent).

    Table 21: Industry classification of respondents

    Industry                                 Percent of respondents
    Automotive                                                 0.3%
    Defense                                                      3%
    Education                                                    3%
    Energy                                                       1%
    Financial Services                                          26%
    Food services                                              0.3%
    Government                                                   8%
    Healthcare                                                   4%
    Hospitality                                                  0%
    Internet and ISP                                             1%
    Local Government                                             1%
    Manufacturing                                                3%
    Media                                                      0.5%
    Pharmaceuticals                                            0.2%
    Professional Services                                        6%
    Research                                                   0.8%
    Retail                                                       2%
    Technology and Software                                     29%
    Telco, Wireless and Cable                                    3%
    Transportation                                             0.9%
    Other                                                        8%

    Figure 10 and Table 22 show the geographical breakdown of survey respondents, with the majority of respondents coming from either EMEA (Europe, the Middle East, and Africa) or the United States.

    Figure 10: Location of respondents

    Table 22: Location of respondents

    Location                                 Percent of respondents
    Asia Pacific                                                 5%
    Canada                                                       6%
    EMEA                                                        45%
    Latin America                                                5%
    United States                                               40%


    Finally, respondents' company size is depicted in the figure below, with 48 percent having 1,000 or fewer employees, 30 percent having 1,001 to 25,000 employees and 22 percent having more than 25,000 employees.

    Figure 11: Number of employees in respondent organization
    1,000 or fewer: 48%
    1,001 to 25,000: 30%
    25,001 or more: 22%


    About Thales

    Thales is one of the world leaders in the provision of information and communication systems security solutions for government, defense, critical infrastructure operators, enterprises, and the finance industry. Thales's unique position in the market is due to its end-to-end security offering spanning the entire value chain in the security domain. The comprehensive offering includes architecture design, security and encryption product development, evaluation and certification preparation, and through-life management services.

    Thales has a forty-year unrivalled track record in protecting information ranging from Sensitive But Unclassified up to Top Secret, as well as a comprehensive portfolio of security products and services, which includes network security products, application security products, and secured telephony products.

    About Trust Catalyst

    Trust Catalyst helps global organizations make critical decisions about how to protect their most valuable resource: their customers' trust. We understand that the adoption of a successful data protection or security program is about selling a strategy to a larger audience. We speak the language business executives understand and quantify the need for security by helping establish the costs of lost customer trust, including disruption of business. As cybercriminals increasingly target organizations with sensitive customer data, we help businesses understand the threats, the costs of those threats, and how to maintain trusted relationships with customers. You can learn more and download our research at www.trustcatalyst.com.