Study: Encryption and key management increasingly viewed as strategic issues

Feb. 25, 2013
Steady increase in the deployment of encryption solutions

IT security firm Thales has announced the publication of its latest Global Encryption Trends Study. The report, based on independent research by the Ponemon Institute and sponsored by Thales, reveals that encryption continues to be viewed as a strategic issue and that organizations are increasing their investment in encryption across the enterprise in response to compliance regulations and cyber-attacks.

More than 4,000 business and IT managers were surveyed in the US, UK, Germany, France, Australia, Japan and Brazil, examining global encryption trends and regional differences in encryption usage. The report is now in its eighth year since its launch in 2005.

The results of the study show there has been a steady increase in the deployment of encryption solutions used by organizations over the past eight years. The percentage of overall IT security spending dedicated to encryption has also increased, almost doubling from 10% to 18%, demonstrating that organizations are prioritizing encryption over other security technologies.

Some of the bigger encryption trends over the past eight years include:

  • Increase in the use of encryption as an enterprise rather than a point solution.
  • More influence at the business unit level in choosing and deploying encryption technologies.
  • Decrease in the importance of compliance as a main driver to encryption adoption.
  • Increase in spending on encryption and key management as a percentage of the IT budget.

Encryption is a Strategic Issue

Encryption continues to be viewed as a strategic issue, with business leaders, rather than IT or security professionals, gaining greater influence over their organization’s encryption strategy. For the first time, business managers in the United States became the more influential group in setting the encryption strategy, demonstrating that encryption is no longer seen as just an IT issue but one that affects an entire organization.

“Encryption usage has emerged as a clear indicator of a strong security posture with organizations that deploy encryption being more aware of threats to sensitive and confidential information and making a greater investment in IT security. Regardless of an organization’s situation, it is clear that encryption and key management are becoming more widely deployed,” said Dr Larry Ponemon, chairman and founder of The Ponemon Institute.  

Perceptions about the most significant threats to the exposure of sensitive or confidential data are employee mistakes, forced disclosures triggered by e-discovery requests and system or process malfunctions. Combined, these concerns over inadvertent exposure outweigh concerns over actual malicious attacks by more than two to one.

Top Data Protection Priorities

The top data protection priorities focus on identity and access management, data discovery, protecting data in use within business applications and protecting data in outsourced or cloud environments. The importance of protecting data in cloud environments rose significantly from last year’s survey, ranking fourth in priority – up from 12th.

When it comes to buying criteria, performance is always the top concern. The next largest issue is key management, with 38% of respondents saying they have a formal key management strategy. To support that strategy, the new Key Management Interoperability Protocol (KMIP) standard, which allows organizations to deploy centralized key management systems that span multiple use cases and equipment vendors, has already established a relatively high level of awareness among IT and IT security practitioners. KMIP is perceived to be of increasing importance and is expected to contribute to encryption and key management strategies, specifically around the cloud, storage and application-centric deployments.

Hardware security modules (HSMs) are increasingly considered a critical component of a key management strategy. These devices are used to protect critical data processing activities and can be used to strongly enforce security policies and access controls.

“Encryption is taking center stage as a strategic IT security issue, in order to mitigate the risk of data breaches and cyber-attacks and to protect an organization’s brand, reputation and credibility. However, key management remains a challenge that can rapidly escalate as the use of encryption and other uses of cryptography expand. The report highlights how organizations are responding and shows a 25% increase in spending on key management solutions as a proportion of encryption budgets,” added Richard Moulds, vice president strategy at Thales e-Security.

Summary of Research Findings

The research findings are important because they demonstrate the relationship between encryption and a strong security posture. The research shows that organizations with a strong security posture are more likely to invest in encryption and key management to meet their security missions. Characteristics that the survey indicates as favorable orientations to encryption solutions include:

  • More organizations are adopting an enterprise encryption plan or strategy rather than relying on ad hoc requirements or informal policies. Over the past eight years of conducting this research, organizations in Germany, US and Japan have become more mature in executing their encryption strategies. Australian, French and Brazilian organizations remain less mature.
  • Business unit leaders are gaining influence over their company’s use of encryption solutions. IT leaders are still most influential in determining the use of encryption. However, non-IT business managers are becoming more influential. For the first time, US non-IT managers have become most important for determining their company’s encryption strategies. This could indicate that business unit leaders are taking a greater role in determining the technologies their organizations need to ensure data security and privacy.
  • Employee mistakes, e-discovery and other accidental disclosures are considered the main threats to sensitive and confidential data. In fact, concerns over accidental leakage outweigh fears of direct attack by insiders or hackers by a ratio of more than two to one.
  • Main drivers for using encryption are protecting brand or reputation and reducing the impact of data breaches. However, in the UK and France the main reason for encryption is to comply with privacy or data security regulations and requirements.
  • Identity and access management followed by the discovery of data at risk are the top two data protection priorities. New additions to this year’s study are application level protection of data and the need for data protection in the cloud computing environment. Least important in our list of potential priorities is the protection of data transmitted over internal and external networks.
  • The use of encryption as an enterprise security solution is growing. The encryption of backup files, internal networks, external communications, cloud services and databases are most likely to be extensively deployed. In contrast, email encryption and encryption of data on smart phones and tablets are the least likely to see enterprise-wide deployment. Nearly half of the organizations surveyed report they are deploying between four and six different types of encryption.
  • Financial service companies are most likely to use encryption technologies throughout the enterprise. In contrast, manufacturing and retail organizations are less likely to have extensive encryption usage.
  • Most important features of encryption technology solutions are system performance and latency, automated management of keys and automated enforcement of policies. The least important features are support for longer encryption keys and support for format-preserving encryption.
  • Formal key management strategies are becoming more common. These strategies tend to focus on increasing business efficiency and reducing operational cost. Germany and Japan have the highest percentage of companies that have key management strategies independent of the various uses of cryptography within the organization.
  • Key management standards and hardware security modules (HSM) are projected to become more important. Key Management Interoperability Protocol (KMIP) and HSMs provide mechanisms for unifying and automating key management activities and reducing the risk of key management processes being subverted as a way to gain illicit access to encrypted data.