Can C-level Accountability Put Encryption on the Map?
Mon, 05/14/2018 – 08:56
With security increasingly front-page news in the wake of NotPetya and WannaCry, as well as the KRACK vulnerability, the tide is turning.
CEOs now want to know about security and risk management, aware not only that these attacks can disrupt business efficiency and operations but also result in negative PR, customer dissatisfaction and – dare we say it – prompt hasty dismissals. And with the General Data Protection Regulation (GDPR) just months away, multi-million dollar fines aren’t out of the question either.
So, could this increased C-suite focus on security be good for encryption?
In many ways, encryption today is at a crossroads. End-to-end encryption is so widespread that it has become commonplace at all major organisations, GDPR places greater emphasis on the importance of encryption, and quantum key distribution (QKD) promises a safer, more secure future.
Yet simultaneously, government officials from the FBI to the White House are seeking ways of ‘backdooring’ encryption, offering ways to intercept encrypted conversations. In January, FBI Director Christopher Wray described the inability of law enforcement authorities to access data from electronic devices as an “urgent public safety issue“.
Politics aside, encryption is rising to become a top-table issue, and for numerous reasons. The increased collaboration between IT and line-of-business in IT buying cycles (including the CFO, who is increasingly involved) has certainly helped, as has greater awareness around security in general. But perhaps GDPR is the jewel in the crown.
With fines of up to 4% of global turnover (or €20m) and an obligation to inform data subjects of breaches, encryption has a big role to play.
GDPR requires businesses to implement technical and organizational measures to provide the appropriate protection to the personal data they hold on EU citizens. When determining such security measures, businesses must take into account the nature, scope, context and purposes of their use of personal data.
What’s new under GDPR, when compared to the dated 1995 EU Directive, is that it now clearly states that such measures include the pseudonymisation and encryption of personal data.
Furthermore, and critically, data subjects do not need to be notified of a data breach if the business in question (assuming it is a data controller) has “implemented appropriate technical and organizational protection measures”, provided of course that these measures “render the data unintelligible to any person who is not authorized to access it”. In other words, if the business has used encryption, it will not have to notify data subjects of the breach.
Consequently, encryption appears to have become a topic for conversation at boardroom level. Over the years, a company’s encryption strategy (should it have one) has rested with IT, but that is changing.
According to the Thales Security 2017 Global Encryption Trends Report, the balance of power has changed. The overall influence business unit leaders have over an encryption strategy has risen from 10 percent in 2005 to 30 percent today. Over the same period, the influence of the IT team has dropped from 53 to 29 percent.
So, how do you get the board to buy-in on encryption?
Experts believe that the fate of security and encryption rests in striking meaningful connections with boardroom execs. If security professionals can show they are trustworthy, reliable and business-orientated, they are more likely to be listened to.
“Communication is essential. If the board is not listening to you, then rolling out your strategy or transformation programme is just a tick-in-the-box,” said consulting CISO Jimmy Bashir in an interview last year.
“You need buy-in at the top. Depending on the issue, communicating properly to a level they can understand is essential. They are fed up with scare stories… You don’t need large sums of money to get the basics right and ensure the business is engaged.”
Now is the time to get your business on-side with encryption.
Information security is becoming a business priority that is important for every C-level executive, from the CEO to the CFO and CIO and beyond. And this could be good news for encryption.
Security is not a natural topic of conversation for most boardrooms; after all, these boardrooms are largely made up of seasoned business executives who are experienced, skilled and interested in discussing business matters like generating revenue streams, improving bottom lines and driving organisational growth and scalability. On the flipside, they have little interest or experience in dealing with complex, technical things, especially ones they do not understand and have little control over.
This is the problem facing information security practitioners, and it has been a longstanding battle for CISOs struggling with limited budgets, little airtime with the C-suite and dated reporting lines. Indeed, the majority still report into the CIO and thus get a fraction of the IT budget and no ‘seat at the big table’.
This is a Security Bloggers Network syndicated blog from Venafi Blog authored by Scott Carter. Read the original post at: https://www.venafi.com/blog/can-c-level-accountability-put-encryption-map