Study: Encryption and key management increasingly viewed as strategic issues

Steady increase in the deployment of encryption solutions

“Encryption is taking center stage as a strategic IT security issue, in order to mitigate the risk of data breaches and cyber-attacks and to protect an organization’s brand, reputation and credibility. However, key management remains a challenge that can rapidly escalate as the use of encryption and other uses of cryptography expand. The report highlights how organizations are responding and shows a 25% increase in spending on key management solutions as a proportion of encryption budgets,” added Richard Moulds, vice president strategy at Thales e-Security.

Summary of Research Findings

The research findings are important because they demonstrate the relationship between encryption and a strong security posture. The research shows that organizations with a strong security posture are more likely to invest in encryption and key management to meet their security missions. Characteristics that the survey indicates as favorable orientations to encryption solutions include:

  • More organizations are adopting an enterprise encryption plan or strategy rather than relying on ad hoc requirements or informal policies.Over the past eight years of conducting this research, organizations in Germany, US and Japan have become more mature in executing their encryption strategies. Australian, French and Brazilian organizations remain less mature.
  • Business unit leaders are gaining influence over their company’s use of encryption solutions. IT leaders are still most influential in determining the use of encryption. However, non-IT business managers are becoming more influential. For the first time, US non-IT managers have become most important for determining their company’s encryption strategies. This could indicate that business unit leaders are taking a greater role in determining the technologies their organizations need to ensure data security and privacy.



  • Employee mistakes, e-discovery and other accidental disclosures are considered the main threats to sensitive and confidential data. In fact, concerns over accidental leakage outweigh fears of direct attack by insiders or hackers by more than a ratio of two to one.


  • Main drivers for using encryption are protecting brand or reputation and reducing the impact of data breaches. However, in the UK and France the main reason for encryption is to comply with privacy or data security regulations and requirements.


  • Identity and access management followed by the discovery of data at risk are the top two data protection priorities. New additions to this year’s study are application level protection of data and the need for data protection in the cloud computing environment. Least important in our list of potential priorities is the protection of data transmitted over internal and external networks.


  • The use of encryption as an enterprise security solution is growing. The encryption of backup files, internal networks, external communications, cloud services and databases are most likely to be extensively deployed. In contrast, email encryption and encryption of data on smart phones and tablets are the least likely to see enterprise-wide deployment. Nearly half of the organizations surveyed report they are deploying between four and six different types of encryption.


  • Financial service companies are most likely to use encryption technologies throughout the enterprise. In contrast, manufacturing and retail organizations are less likely to have extensive encryption usage.


  • Most important features of encryption technology solutions are system performance and latency, automated management of keys and automated enforcement of policies. The least important features are support for longer encryption keys and support for formal preserving encryption.


  • Formal key management strategies are becoming more common. These strategies tend to focus on increasing business efficiency and reducing operational cost. Germany and Japan have the highest percentage of companies that have key management strategies independent of the various uses of cryptography within the organization.


  • Key management standards and hardware security modules (HSM) are projected to become more important.Key management interoperable protocol (KMIP) and HSMs provide mechanisms for unifying and automating key management activities and reducing the risk of key management processes being subverted as a way to gain illicit access to encrypted data.