Companies looking to put security auditors in a good mood could do worse than invest in encryption at every level of their business, a Ponemon Institute survey for Thales has suggested.
A detailed questioning of 505 experienced auditing professionals found that 72 percent were favourably influenced either significantly or to some degree when encountering encryption during their work.
When comparing the importance of encryption to other security systems such as tokens, encryption won out by a convincing margin in every case, even if many also felt its management remained a compliance challenge.
Asking them to identify the most serious threats to data security, 38 mentioned applications first, followed by external service providers (33 percent), laptops/desktops (32 percent), and external business partners (31 percent).
Conversely, asking them to name the best uses of encryption, 76 percent mentioned its use with desktop or mobile PCs, followed by encryption over public networks (71 percent), database encryption (63 percent) and storage encryption (56 percent).
This underlines that encryption, and technology in general, is at best a partial solution to any security problem, whether or not compliance reflects this, because the security risks from external partners cannot be easily salved by scrambling data.
In the view of auditors, organisations are often fixated on compliance, despite the fact that many within these businesses remain sceptical about its ultimate good.
“Sixty percent of auditors surveyed agree that the organisations they audit do not believe compliance improves their data security effectiveness,” notes the report in damning fashion.
Overall, however, the report’s findings put encryption at the head of technology efforts to secure data within organisations, a conclusion it should be pointed out, fits with the business message that Thales, a company selling encryption systems to this sector, wants to communicate.
“The use of encryption to protect data is now past the point of debate, everyone is using it and this report corroborates this,” said Ponemon Institute founder and report co-author, Dr Larry Ponemon.
“However, the question to be addressed now is how, when and where to deploy the technology. The research indicates that there are indeed genuine areas of uncertainty when deploying encryption, particularly arising from the numerous business drivers and diverse compliance requirements.”
The survey is unusual in one respect. Rather than asking the users or managers of technology for their views, it questions the people who certify it. These people are shadowy but hugely influential, despite the widespread scepticism about the deeper meaning of compliance.