2013 Global Encryption Trends Study
Encryption continues along its path to mainstream adoption
but key management concerns highlight potential barriers to
deployment.

Sponsored by Thales e-Security
Independently conducted by Ponemon Institute LLC
Publication Date: February 2014

Ponemon Institute© Research Report
2013 Global Encryption Trends Study
Table of Contents (from page to page)

Part 1. Executive Summary: 2 to 4
Part 2. Key Findings: 5 to 36
    Strategy and adoption of encryption: 5 to 7
    Trends in encryption adoption: 8 to 10
    Encryption and security effectiveness (SES): 11 to 13
    Threats, main drivers and priorities: 14 to 19
    Deployment choices and decision criteria: 20 to 22
    Encryption features considered most important: 23 to 23
    Attitudes about key management: 24 to 27
    Importance of the key management interoperability protocol (KMIP): 28 to 29
    Importance of hardware security modules (HSM): 30 to 32
    Budget allocations: 33 to 35
Part 3. Methods & Limitations: 37 to 39
Appendix: Consolidated Findings: 40 to 47

Thales e-Security & Ponemon Institute© Research Report

Page 1
2013 Global Encryption Trends Study¹
Ponemon Institute, February 2014

Part 1. Executive Summary
Ponemon Institute is pleased to present the findings of the 2013 Global Encryption Trends Study, sponsored by Thales e-Security. We surveyed 4,802 individuals across multiple industry sectors in eight countries - the United States, United Kingdom, Germany, France, Australia, Japan, Brazil and, for the first time, the Russian Federation.² The purpose of this research is to examine how the use of encryption has evolved over the past nine years and the impact of this technology on the security posture of organizations. The first encryption trends study was conducted in 2005 for a US sample of respondents.³ Since then we have expanded the scope of the research to include respondents in all regions of the world. This year, for the first time, the survey included respondents in the Russian Federation.
In our research we consider the threats organizations face and how encryption is being used to reduce these risks. As in prior years, we asked questions about the types of encryption technologies deployed, the most salient threats to sensitive and confidential information, data protection priorities, and budgeted expenditures for encryption and key management activities. Following is a summary of our most salient findings. More details are provided for each key finding listed below in the next section of this paper. We believe the findings are important because they demonstrate the relationship between encryption and a strong security posture. As shown in this research, organizations with a strong security posture are more likely to invest in encryption and key management to meet their security missions.

Following are the big encryption trends over nine years:

- Steady improvement in the security posture of participating companies.
- Increase in the use of encryption as part of an enterprise strategy rather than a point solution.
- More influence at the business unit level in choosing and deploying encryption technologies.
- Decrease in the importance of compliance as a main driver to encryption adoption as focus shifts to honoring privacy obligations.
- Continued awareness of the key management interoperability protocol (KMIP) and adoption of hardware security modules (HSM).
- Increase in spending on encryption and key management as a percentage of the IT budget.

Summary of key findings:
More organizations are adopting an enterprise encryption plan or strategy rather than relying on ad hoc requirements or informal policies. Since the first study, the number of respondents reporting that their organizations have a comprehensive encryption strategy versus those who say their organizations do not have such a strategy has increased. Today, organizations that have a comprehensive strategy outnumber those that do not have such a strategy by more than two to one.
Business unit leaders are gaining influence over their company's use of encryption solutions. IT leaders are still most influential in determining the use of encryption. However, non-IT business managers are becoming more influential. This indicates that business unit leaders are taking a greater role in determining the encryption technologies their organizations need to ensure data security and privacy.

¹ This year's study was completed in December 2013 for eight country samples.
² In the figures, countries are abbreviated as follows: Germany (DE), Japan (JP), United States (US), United Kingdom (UK), Australia (AU), France (FR), Brazil (BZ) and Russia (RF).
³ The trend analysis shown in this study was performed on combined country samples spanning nine years (since 2005).

Encryption usage is an indicator of a strong security posture. Organizations that deploy
encryption extensively throughout the enterprise as opposed to limiting its use to a specific purpose
(i.e., point solutions) appear to be more aware of threats to sensitive and confidential information
and spend more on IT security. In other words, encryption use makes a strong contribution to an
organization’s overall security posture. Furthermore, organizations with a strong security posture
are three times more likely to have an encryption strategy than those with a lower security posture.
Employee mishap is considered the main threat to sensitive and confidential data.
Concerns over accidental data leakage outweigh fears about attacks by malicious insiders or
hackers by almost a factor of two.
The main driver for using encryption is lessening the impact of data breaches. This
represents a shift in priorities. In previous years, the primary driver was protecting brand or
reputation. In Australia and France the main reason for encryption is to comply with privacy or
data security regulations and requirements.
Encryption has a major impact on the perceived need to disclose data breaches. There is a
wide range in attitudes regarding the perceived need to disclose a breach. However, the findings
indicate that respondents in all countries recognize that data encryption minimizes notification
requirements to breach victims.
The discovery of data at risk and the actual deployment of encryption are the top two
challenges. Of least concern are allocating budget, selecting the right encryption solution and
options and measuring effectiveness.
The use of encryption is steadily growing in all categories. The encryption of external public
networks, databases and backup files are most likely to be extensively deployed throughout the
enterprise. Deployment of encryption in cloud environments remains low. Seventy percent of
respondents report they are deploying five or more different types of encryption.
Financial service companies are most likely to use encryption technologies throughout
the enterprise. In contrast, manufacturing and retail organizations are less likely to extensively
deploy encryption. The strongest growth in adoption of encryption is seen in the financial services
and hospitality sectors.
German, US and Russian companies are most likely to use encryption technologies
throughout the enterprise. Australian, French and Japanese companies are the least likely to
extensively use encryption technologies.
Most important features of encryption technology solutions are system performance and
latency, automated management of keys and automated enforcement of policies. The least
important features are support for longer encryption keys and support for format preserving
encryption. The importance of all aspects of functionality has increased as more organizations
deploy encryption. The issue of whether the encryption solution conforms to security standards
has become more significant.
Key management is painful for most organizations. More than half of all respondents rated
the “pain” associated with key management to be 7 or higher (based on a scale of 1 = minor to 10
= severe). Even though more than 75 percent of respondents report that key management is a
well-defined discipline in their organizations, only 23 percent say that the task of managing keys
has dedicated resources or tools.
Key management standards and hardware security modules (HSM) are increasing in
importance for participating companies. The Key Management Interoperability Protocol (KMIP) and
HSMs provide mechanisms for unifying and automating key management activities and reducing
the risk of key management processes being subverted as a way to gain illicit access to
encrypted data.

Part 2. Key Findings
Strategy and adoption of encryption
Since we began conducting this study, there has been a steady increase in organizations with an encryption
strategy applied consistently across the entire enterprise. In turn, there has been a steady decline
in organizations not having an encryption plan or strategy. Figure 1 shows these changes over
the past nine years.
Figure 1. Trends in encryption strategy
[Line chart, FY2005 to FY2013, y-axis 0% to 40%; series: "Company has an encryption strategy applied consistently across the entire enterprise" and "Company does not have an encryption strategy".]

According to Figure 2, the prevalence of an enterprise encryption strategy varies among the
countries represented in this research. The highest prevalence of an enterprise encryption
strategy is reported in Germany followed by the US and Japan. Respondents in Australia and
Brazil report the lowest adoption of an enterprise encryption strategy.
Figure 2. Differences in enterprise encryption strategies by country
[Bar chart by country (US, UK, DE, FR, AU, JP, BZ, RF) with average line, y-axis 0% to 60%; series: "Company has an encryption strategy applied consistently across the entire enterprise".]

Figure 3 shows the most influential functional areas for defining the company’s encryption
strategy. The figure shows that IT operations are deemed most influential in determining the
organization’s enterprise encryption strategy. In this study, “lines of business” are defined as
those with commercial or executive responsibility within the organization.
Figure 3. Most influential for determining the company's encryption strategy
IT operations: 35%
Lines of business or general management: 26%
No single function has responsibility: 19%
Security: 15%
Finance: 3%
Compliance: 1%

Figure 4 shows that the IT operations function has consistently been most influential in framing
the organization's encryption strategy over nine years. However, that picture is steadily changing,
with business unit leaders gaining influence over their company's encryption strategy.
We posit that the rising influence of business leaders reflects a general increase in consumer
concerns over data privacy and the importance of demonstrating compliance with privacy and data
protection mandates. It is also probable that the rise of employee-owned devices (BYOD) and
the general consumerization of IT has had an effect. It is interesting to note that the influence of
the security function on encryption strategy has been relatively constant (a flat line) over the past
nine years.
Figure 4. Influence of IT operations, lines of business and security
[Line chart, FY2005 to FY2013, y-axis 0% to 60%; series: IT Operations, Lines of business, Security.]
Figure 5 shows the distribution of respondents who rate IT operations, LOB and security as most
influential in determining their organization's encryption strategy. This chart shows IT operations
as most influential followed by business managers in six of eight countries. Japanese, German
and Australian respondents see the influence of IT at a much higher level than business
managers and security. In contrast, the US and UK see business managers as more influential
than IT operations. In addition, respondents in the US and Australia rate security as having a higher
level of influence on setting their organization's encryption strategy than in other countries.
Figure 5. Influence of IT operations, LOB and security by country
[Horizontal bar chart by country (JP, DE, AU, FR, RF, UK, BZ, US), x-axis 0% to 60%; series: IT operations, Lines of business, Security.]
Trends in adoption of encryption
Since we began tracking the enterprise-wide use of encryption in 2005, there has been a steady
increase in the encryption solutions used by organizations.⁴ Figure 6 summarizes enterprise-wide
usage consolidated for various encryption technologies over nine years. This continuous
growth in enterprise deployment suggests encryption is important to an organization's security
posture. Figure 6 also shows the percentage of the overall IT security budget dedicated to
encryption-related activities. As expected, the patterns for deployment and budget show a strong
correlation.
Figure 6. Trend on the extensive use of encryption technologies
[Line chart, FY2005 to FY2013, y-axis 0% to 35%; series: "Extensive deployment of encryption" and "Percent of the IT budget earmarked for encryption".]

⁴ The combined sample used to analyze trends is explained in Part 3. Methods.

Figure 7 shows a positive relationship between encryption strategy and the deployment of
encryption. German organizations have the highest percentage of companies with an enterprise
encryption strategy and they are the most extensive users of encryption technologies. In contrast,
Australia has the lowest percentage of companies with an enterprise strategy for encryption.
Figure 7. Extensive use and prevalence of an enterprise encryption strategy by country
[Bar chart by country (US, UK, DE, FR, AU, JP, BZ, RF), y-axis 0% to 60%; series: "Extensive deployment of encryption (average of 13 categories)" and "Encryption strategy applied consistently across the entire enterprise".]

Figure 8 shows the extensive usage of encryption solutions for 10 industry sectors over two
years. With one exception (retailing), results suggest a steady increase in all industry sectors
between 2012 and 2013. The most significant increases in encryption usage occur in financial
services and hospitality.
Figure 8. The extensive use and availability of an enterprise strategy by industry
Extensive use for FY2012 / FY2013:
Financial services: 38% / 43%
Services: 37% / 39%
Transportation: 33% / 35%
Technology & software: 31% / 33%
Health & pharma: 29% / 31%
Hospitality: 21% / 26%
Consumer products: 24% / 25%
Public sector: 23% / 24%
Retailing: 21% / 21%
Manufacturing: 17% / 19%
Encryption and Security Effectiveness (SES)
To estimate the security posture of organizations, we used the Security Effectiveness Score or
SES as part of the survey process.⁵ The SES range of possible scores is +2 (most favorable) to -2
(least favorable). We define an organization's security effectiveness as being able to achieve
the right balance between efficiency and effectiveness across a wide variety of security issues
and technologies.
A favorable score indicates that the organization's investment in people and technologies is both
effective in achieving its security mission and is also efficient. In other words, they are not
squandering resources and are still being effective in achieving their security goals.
Following is a summary of the average SES for each country sample for two years. Germany
achieves the highest score, while Brazil has the lowest score over the past three years.
Figure 9. Average security effectiveness score (SES) in ascending order by country
[Horizontal bar chart by country (DE, JP, US, UK, RF*, AU, FR, BZ), x-axis -0.6 to 1.4; series: SES FY2011, SES FY2012, SES FY2013.]
*2011 and 2012 data is not available for the RF sample

⁵ The Security Effectiveness Score was developed by Ponemon Institute in its annual encryption trends survey to define the security posture of responding organizations. The SES is derived from the rating of 24 security features or practices. This method has been validated from more than 45 independent studies conducted since June 2005. The SES provides a range of +2 (most favorable) to -2 (least favorable). Hence, a result greater than zero is viewed as net favorable.

Figure 10 reports the SES results compiled from encryption trend studies conducted over nine
years. The trend line shown below is increasing, which suggests the security posture of
participating companies has increased over this time period.
Figure 10. Trend in average Security Effectiveness Score (SES)
[Line chart, FY2005 to FY2013, y-axis 0.00 to 0.60; series: SES, Average.]

Figure 11 summarizes a cross-tab analysis of SES and the percentage of organizations that have
an enterprise-wide encryption strategy and the percentage that have an extensive deployment of
encryption. We divide the overall sample into four quartiles based on SES. We see that
organizations in the highest SES quartile sub-sample are nearly three times more likely to deploy
a holistic encryption strategy than companies in the lowest SES quartile sub-sample (41 percent
versus 16 percent).
This figure also shows organizations in the highest SES quartile sub-sample are more than two
times more likely to be extensive users of encryption technologies than companies in the lowest
SES quartile sub-sample (38 percent versus 15 percent). The pattern of quartile averages in
Figure 11 provides strong evidence that both encryption strategy and the use of encryption make
an important contribution to organizations’ security posture.
Figure 11. Analysis of encryption strategy and use by SES quartile (security posture)
[Bar chart by SES quartile: First quartile (SES=1.29), Second quartile (SES=.81), Third quartile (SES=.23), Fourth quartile (SES=.01); y-axis 0.00 to 0.50; series: "Extensive deployment of encryption (average of 13 categories)" and "Encryption strategy applied consistently across the entire enterprise".]

Figure 12 reports a scattergram showing the interrelationship between the respondents'
encryption use profile and SES. The encryption use profile is a ratio variable between +1 and -1
compiled from the extensive use of 11 encryption technologies.⁶ This diagram clearly shows a
clustering of data points that form a positive (upward sloping) relationship, which suggests that
encryption use and a strong security posture (high SES) are inextricably linked.
Figure 12. Scattergram depicting the relationship between encryption use ratio and security posture
[Scatter plot; x-axis: SES from -2 (Low) to 2 (High); y-axis: Encryption use profile from -1 to 1.]

⁶ Each respondent was assigned a profile score based on their organizations' extensive use of encryption technologies. Those respondents who said their organizations extensively deployed all 11 encryption technologies were rated +1. Those respondents who said they did not extensively deploy any one of the 11 encryption technologies were rated -1. Hence, most respondents earned a rating between these two limits.
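The quartile cross-tab behind Figure 11 and the encryption use profile behind Figure 12, as an added Python example; it is not part of the report and not Ponemon Institute or Thales tooling. It assumes a linear mapping of the count of extensively deployed technologies onto the -1 to +1 profile (footnote 6 fixes only the two endpoints), runs on a constructed sample of eight respondents rather than survey data, and the names `Respondent`, `crosstab` and `use_vs_ses_correlation` are chosen here.

```python
"""Cross-tab of encryption strategy and use against security posture (SES).

Added illustration, not Ponemon Institute or Thales code. Each respondent gets
an encryption-use profile from the count of extensively deployed technologies
(footnote 6), the sample is split into SES quartiles, and the strategy and
extensive-use rates are reported per quartile as in Figure 11. The correlation
between profile and SES gives the direction of the Figure 12 scatter.
"""
from dataclasses import dataclass
from math import sqrt
from statistics import mean

N_TECH = 11  # technologies behind the use profile (footnote 6)


@dataclass
class Respondent:
    ses: float            # Security Effectiveness Score, -2 (worst) to +2 (best)
    strategy: bool        # encryption strategy applied across the entire enterprise
    extensive: frozenset  # ids (0..10) of technologies deployed enterprise-wide


def use_profile(extensive) -> float:
    """Footnote 6 fixes the endpoints: no technology -> -1, all 11 -> +1.
    The linear interpolation between them is an assumption of this example."""
    k = len(extensive)
    if not 0 <= k <= N_TECH:
        raise ValueError(f"expected 0..{N_TECH} technologies, got {k}")
    return 2.0 * k / N_TECH - 1.0


def ses_quartiles(sample):
    """Order by SES, strongest posture first, and cut into four groups
    (first quartile = highest SES, as in Figure 11)."""
    ordered = sorted(sample, key=lambda r: r.ses, reverse=True)
    size, rest = divmod(len(ordered), 4)
    groups, start = [], 0
    for i in range(4):
        end = start + size + (1 if i < rest else 0)  # spread any remainder over the first groups
        groups.append(ordered[start:end])
        start = end
    return groups


def crosstab(sample):
    """Per SES quartile: average SES, share with an enterprise-wide strategy,
    and average share of the 11 technologies deployed extensively."""
    rows = []
    for group in ses_quartiles(sample):
        rows.append({
            "avg_ses": mean(r.ses for r in group),
            "strategy_rate": mean(1.0 if r.strategy else 0.0 for r in group),
            "extensive_rate": mean(len(r.extensive) / N_TECH for r in group),
        })
    return rows


def pearson(xs, ys):
    """Plain Pearson correlation coefficient."""
    mx, my = mean(xs), mean(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return sxy / sqrt(sxx * syy)


def use_vs_ses_correlation(sample):
    """Correlation between the use profile and SES (sign of the Figure 12 cloud)."""
    return pearson([use_profile(r.extensive) for r in sample],
                   [r.ses for r in sample])


def _techs(n):
    return frozenset(range(n))


# Constructed respondents for illustration; these are not survey data.
SAMPLE = [
    Respondent(1.5, True, _techs(11)),
    Respondent(1.2, True, _techs(8)),
    Respondent(0.9, True, _techs(6)),
    Respondent(0.6, False, _techs(5)),
    Respondent(0.3, True, _techs(4)),
    Respondent(0.0, False, _techs(3)),
    Respondent(-0.5, False, _techs(1)),
    Respondent(-1.0, False, _techs(0)),
]

if __name__ == "__main__":
    for i, row in enumerate(crosstab(SAMPLE), 1):
        print(f"quartile {i}: SES={row['avg_ses']:+.2f} "
              f"strategy={row['strategy_rate']:.0%} extensive={row['extensive_rate']:.0%}")
    print(f"correlation(use profile, SES) = {use_vs_ses_correlation(SAMPLE):.2f}")
```

On the constructed sample the first quartile has a 100% strategy rate against 0% in the fourth, and the correlation between use profile and SES is about 0.97, the same upward-sloping pattern the report describes; with real survey data the quartile cut sizes and the remainder handling in `ses_quartiles` are what decide which respondents land in each sub-sample.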

Threats, main drivers and priorities
Figure 13 shows that for the past two years the most significant threats to the exposure of sensitive or
confidential data are employee mistakes, legal and law enforcement requirements and system
process malfunctions. In contrast, the least significant threats to the exposure of sensitive or
confidential data include temporary or contract workers and third-party service providers.
Concerns over inadvertent exposure (employee mistakes and system malfunction) outweigh
concerns over actual attacks by hackers and malicious insiders.
Figure 13. The most salient threats to sensitive or confidential data
Main threats FY2012 / FY2013:
Employee mistakes: 26% / 27%
Legal & law enforcement: 16% / 15%
System malfunction: 15% / 15%
Hackers: 14% / 13%
Malicious insiders: 11% / 10%
Temporary or contract workers: 9% / 9%
Third party service providers: 8% / 8%
Other: 1% / 1%


Figure 14 lists in ascending order the top five perceived data threats by country. It shows
marked differences among country samples. Accordingly, respondents in Japan, Australia and
the UK rate employee mistakes at a much higher level than respondents in other country
samples. In contrast, Japanese respondents are least likely to rate system malfunction as a top
security threat.
Figure 14. Top five perceived threats by country⁷
[Horizontal bar chart of Employee mistakes, Legal & law enforcement, System malfunction, Hackers and Malicious insiders by country (US, UK, DE, FR, AU, JP, BZ, RF); x-axis 0% to 45%.]

⁷ The consolidated average percentage for each threat category is presented in Figure 13.

The main driver for using encryption is reducing the impact of data breaches. Six drivers for
deploying encryption are presented in Figure 15. Respondents report lessening the impact of
data breach (46 percent) and protecting the organization’s brand or reputation (44 percent) are
the two top reasons for using encryption technologies. Other top drivers for encryption usage
include honoring the organization’s privacy commitments (42 percent) and complying with privacy
and data security regulations (40 percent).
Figure 15. The main drivers for using encryption technology solutions
More than one choice permitted
To lessen the impact of data breaches: 46%
To protect our organization's brand or reputation: 44%
To ensure that our organization's privacy commitments are honored: 42%
To comply with privacy or data security regulations and requirements: 40%
To reduce the scope of compliance audits: 22%
To avoid having to notify customers or employees after a data breach occurs: 6%


Figure 16 illustrates marked country differences. As shown, US respondents provide their top
rating to lessening the impact of data breaches. Japanese respondents provide their highest
rating to protecting the organization’s brand or reputation. Australian and French respondents
provide their highest rating to compliance with privacy or data protection regulations.
Figure 16. The top five drivers for using encryption⁸
[Horizontal bar chart by country (US, UK, DE, FR, AU, JP, BZ, RF), x-axis 0% to 70%, for: To lessen the impact of data breaches; To protect our organization's brand or reputation; To ensure that our organization's privacy commitments are honored; To comply with privacy or data security regulations and requirements; To reduce the scope of compliance audits.]

⁸ The consolidated average percentage for each driver is presented in Figure 15.

Respondents believe data encryption reduces their organization's obligation to notify
individuals in the event of data loss or theft. Figure 17 shows the results of a question asking
respondents "Would your organization be required to notify customers after the data breach
involving the loss or theft of their personal information?"
This question presented two separate conditions: (1) breached data is encrypted and (2) breached
data is not encrypted. As can be seen, respondents in all countries recognize that data
encryption minimizes notification requirements to breach victims. US respondents appear to be
more sensitive to this data breach notification requirement than those in all other countries. The
overall average response to notification in the case of unencrypted data loss or theft is 37
percent. In contrast, the average response to notification in the case of encrypted data loss or
theft is only 20 percent.
Figure 17. Would a data breach of customers' personal data require notification?
[Bar chart by country (US, UK, DE, FR, AU, JP, BZ, RF), y-axis 0% to 70%; series: "Customer data was not encrypted" and "Customer data was encrypted".]

Discovering where sensitive data resides in the organization is the biggest challenge.
Figure 18 provides a list of six aspects that present challenges to the organization's effective
execution of its data encryption strategy in descending order of importance. Sixty-one percent of
respondents say discovering where sensitive data resides in the organization is the number one
challenge. In addition, 50 percent of all respondents cite deploying encryption technology as a
significant challenge.
Figure 18. Biggest challenges in planning and executing a data encryption strategy
Two choices permitted
Discovering where sensitive data resides in the organization: 61%
Deploying the encryption technology effectively: 50%
Classifying which data to encrypt: 37%
Obtaining the budget to deploy: 24%
Determining which encryption technologies are most effective: 18%
Measuring the effectiveness of the data encryption technologies deployed: 11%
Deployment choices and decision criteria
We asked respondents to indicate if specific encryption technologies are widely or only partially
deployed within their organizations. "Extensive deployment" means that the encryption
technology is deployed enterprise-wide. "Partial deployment" means the encryption technology is
confined or limited to a specific purpose (a.k.a. point solution).
As shown in Figure 19, no single technology dominates because organizations have very diverse
deployments. Encryption of external public networks, databases and data backup are the most
likely to be deployed. In contrast, encryption for smart phones and tablets and for external cloud
services are the least likely to be deployed.
Figure 19. Consolidated view on the use of encryption technologies
[Horizontal bar chart, x-axis 0% to 90%; series: Extensive deployment and Partial deployment; categories: External public networks, Databases, Backup files, Data center storage, Software applications, Desktop & workstation, Internal networks, Laptop, Email, File server, Cloud encryption gateways, Smart phone & tablet, External cloud services.]
Figure 20 provides a histogram showing the percentage frequency of 13 encryption technologies
deployed by respondents in all country samples combined. As can be seen, 70 percent of the
consolidated sample says their organizations use five or more separate encryption technologies
with 44 percent of organizations deploying between four and six different types of encryption
technology.
Figure 20. Histogram of 13 encryption technologies deployed
[Histogram, y-axis 0% to 20%; x-axis: Number of separate encryption technologies deployed, 1 to 13.]

The use of encryption varies among countries. Figure 21 reports the extensive and partial
deployment data of encryption technologies for eight countries. As shown, respondents in
Germany, the US and Russia report higher encryption deployment rates than those in other countries.
Figure 21. Extensive and partial deployment of data encryption technologies consolidated for 13 encryption technologies
[Bar chart by country (DE, US, RF, BZ, UK, JP, FR, AU), y-axis 0% to 100%; series: Extensive deployment and Partial deployment.]
Figure 22 presents a proportional analysis of 13 encryption technologies extensively deployed
within eight country samples. Specifically, Germany and the US are the most extensive users of
the encryption technologies listed in the figure. In contrast, France, Japan and Australia seem to
be the least extensive users of encryption.
Please note that the percentage shown in each cell represents the extensive usage rate only.
Because organizations are using multiple encryption tools as indicated in the histogram in Figure
20, the sum of these cells across encryption categories and countries exceeds 100 percent.
Figure 22. The extensive use of 13 encryption technologies by country
[Stacked horizontal bar chart by country (US, UK, DE, FR, AU, JP, BZ, RF), x-axis 0% to 100%; categories: Backup files, External public networks, Databases, Data center storage, Internal networks, Laptop, Software applications, Desktop & workstation, File server, Email, Smart phone & tablet, External cloud services, Cloud encryption gateways.]
Encryption features considered most important
Respondents were asked to rate encryption technology features considered most important to
their organization’s security posture. According to consolidated findings, system performance and
latency, automated management of encryption keys and automated enforcement of policy are the
three most important features. The ratings of encryption technology features are listed in
descending order of importance in Figure 23. In comparing this year to last year’s results, it is
interesting to see 10 of 12 encryption technology features receiving a higher rating. The most
significant difference concerns conformance with security standards (Diff = 12 percent).
Figure 23. Most important features of encryption technology solutions
Very important response
[Horizontal bar chart, x-axis 0% to 60%; series: Very important response FY2012 and Very important response FY2013; features: System performance and latency, Automated management of keys, Automated enforcement of policy, System scalability, Tamper resistance by dedicated hardware, Conformance with security standards, Centralized management interface, Support for the widest range of applications, Formal product security certifications, Support for emerging algorithms, Support for format preserving encryption, Supports longer encryption keys.]
Attitudes about key management
Using a 10-point scale, respondents were asked to rate the overall “pain” associated with
managing keys or certificates within their organization (where 1 = minimal impact, risk and cost to
10 = severe impact, risk and cost). Figure 24 clearly shows that 53 percent of respondents chose
ratings at or above seven – suggesting a fairly high pain point.
Figure 24. The overall impact, risk and cost associated with managing keys or certificates
Rating of the overall impact, risk and cost associated with managing keys or certificates, where 1 = nominal to 10 = severe
1 to 2: 11%
3 to 4: 16%
5 to 6: 21%
7 to 8: 24%
9 to 10: 29%


Figure 25 shows the so-called “pain index” for respondents in eight countries. As can be seen,
the extrapolated average in all country samples is above the scale median of 5.5, which suggests
that most respondents view managing keys and certificates as a challenging activity. The highest
value is 6.94 in Brazil and the lowest value is 5.60 in Japan.
Figure 25. The average overall impact, risk and cost associated with managing keys or certificates
[Bar chart of the average rating (scale 1.00 to 10.00) by country: US, UK, DE, FR, AU, JP, BZ, RF, with reference lines for the overall average and the scale median of 5.50. All country averages lie between 5.60 (Japan, lowest) and 6.94 (Brazil, highest).]

Figure 26 lists what respondents view as the primary drivers for developing a key management
strategy. Increased business efficiency and reduced operational cost have been the top two drivers for
the past two years. The largest difference between 2013 and 2012 is an eight percent increase in
reducing operational cost as a primary driver for building a key management strategy. In other words,
cost reduction is a higher priority in 2013 than in 2012.
Figure 26. Primary drivers for developing a key management strategy
Primary drivers                 FY2012   FY2013
Increase business efficiency       50%      52%
Reduce operational cost            42%      50%
Improve security                   33%      36%
Demonstrate compliance             30%      30%
Reduce complexity                  31%      28%
None of the above                   4%       4%

Figure 27 reports how key management tasks are viewed within respondents’ organizations.
More than half (52 percent) of respondents believe their key management tasks are constrained
because their organizations do not have dedicated staff or tools to perform them. Only 23 percent
of respondents say their organizations perform key management with dedicated expert staff and
specialized tools according to well-defined practices.
Figure 27. Key management deployment models
Key management tasks are well defined but the organization does not have dedicated staff or tools to perform key management tasks: 52%
Key management activities are ad-hoc with minimal or no formal definition: 25%
Key management is viewed as a distinct discipline that is defined or performed by dedicated or specialist staff and associated tools according to well defined practices: 23%


Figure 28 compares the country samples on one of the conditions shown in the chart above: the
percentage of respondents who say key management is a distinct discipline performed by dedicated
staff and specialized tools according to well-defined practices (a.k.a. the nirvana state). While all
percentages are fairly low, respondents in Germany report the highest percentage of yes responses
and respondents in Japan the lowest.
Figure 28. Perceptions about the key management nirvana state
Percentage Yes response
[Bar chart by country (US, UK, DE, FR, AU, JP, BZ, RF) with a reference line for the overall average; values range from 17% to 30%, with Germany highest and Japan lowest. Statement rated: "Key management is viewed as a distinct discipline that is defined or performed by dedicated or specialist staff and associated tools according to well defined practices."]

Figure 29 reports the percentage of respondents who say their organizations operate an
internal public key infrastructure (PKI). US organizations have the highest rate at 35 percent,
while organizations in France have the lowest rate at 15 percent.
Figure 29. Percentage of respondents’ organizations that operate an internal PKI
[Bar chart by country (US, UK, DE, FR, AU, JP, BZ, RF) with a reference line for the overall average; values range from 15% (France) to 35% (United States).]

Importance of the Key Management Interoperability Protocol (KMIP)
Figure 30 summarizes responses to the question, “Does your organization deploy encryption
or key management products that support the KMIP key management standard?” As can be
seen, 35 percent of respondents say they plan to make KMIP support a future requirement. Only
13 percent of respondents say KMIP support is a primary requirement today.
Figure 30. Is KMIP supported as a primary or secondary requirement?
Does your organization deploy encryption or key management products that support the KMIP key management standard?
No, but we plan to make KMIP support a future requirement: 35%
Yes, KMIP support is a secondary requirement: 19%
No, we have not considered KMIP support: 19%
No, KMIP support is not relevant: 14%
Yes, KMIP support is a primary requirement: 13%


Figure 31 summarizes the yes responses in the above chart for eight country samples. As
shown, 47 percent of German respondents say their organizations presently support KMIP as
either a primary or secondary requirement. Only 28 percent of respondents in Australia, Brazil
and Russia say their organizations support KMIP as a primary or secondary requirement.
Figure 31. KMIP support as a primary or secondary requirement by country
Yes, KMIP support is either a primary or secondary requirement
[Bar chart by country (US, UK, DE, FR, AU, JP, BZ, RF) with a reference line for the overall average: Germany 47%; Australia, Brazil and the Russian Federation 28% each; the remaining four countries between 30% and 34%.]

According to 54 percent of respondents, KMIP is most important for cloud based applications and
storage, a 12 percent increase from 2012 to 2013. As shown in Figure 32, KMIP appears to be least
important for end user devices such as laptops, tablets and smart phones, and for remote
applications such as retail locations.
Figure 32. Where KMIP is most important
Two choices permitted
Where is KMIP most important             FY2012   FY2013
Cloud based applications and storage        42%      54%
Storage systems                             36%      37%
Application infrastructure in the data center  35%   35%
Network infrastructure                      35%      34%
Remote applications                         16%      16%
End user devices                            12%      13%
None                                        11%       9%

Importance of hardware security modules (HSM)⁹
Figure 33 summarizes the percentage of respondents in eight countries that deploy HSMs as part
of their organization’s key management program or activities. As can be seen, the rate of HSM
deployment increased in the US, UK, Germany, Australia, Japan and Brazil between 2012 and
2013. Similar to last year, the pattern of responses suggests Japanese and German respondents
are more likely than those in other countries to deploy HSMs for their organization’s key management
activities. The overall average deployment rate for HSMs as part of key management activities
this year is 28 percent, representing six percent growth from last year’s average deployment
rate.
Figure 33. Deployment of HSMs as part of key management activities
*2012 data is not available for the RF sample
[Bar chart by country (US, UK, DE, FR, AU, JP, BZ, RF*) comparing the HSM deployment rate in FY2012 and FY2013; values range from 19% to 38%, with Japan and Germany highest.]

⁹ HSMs are devices specifically built to create a tamper-resistant environment in which to perform
cryptographic processes (e.g. encryption or digital signing) and to manage the keys associated with those
processes. These devices are used to protect critical data processing activities associated with server based
applications and can be used to strongly enforce security policies and access controls. HSMs are typically
validated to formal security standards such as FIPS 140-2.

Figure 34 summarizes the percentage of respondents in eight countries that rate HSMs as either
very important or important to their organization’s key management program or activities. It is
interesting to note that the importance level appears to be increasing between 2012 and 2013 for
the eight country samples. Similar to last year, the pattern of responses suggests Japanese and
German respondents are most likely to assign importance to HSMs for their organization’s key
management activities. The overall average importance rating in the current year is 46 percent.
Last year’s average importance rating was 39 percent.
Figure 34. Perceived importance of HSM as part of key management activities
*2012 data is not available for the RF sample
[Bar chart by country (US, UK, DE, FR, AU, JP, BZ, RF*) comparing the "important or very important" response in FY2012 and FY2013; values range from 26% to 56%, with Japan and Germany highest.]

Figure 35 summarizes the primary purpose or use cases for deploying HSMs. As can be seen,
the number one purpose is authentication followed by SSL and database encryption. This chart
also shows differences between today’s HSM use and deployment in 12 months. The most
significant increases predicted for the next 12 months, according to respondents, are code
signing, document signing and database encryption.
Figure 35. How HSMs are deployed or planned to be deployed in the next 12 months
More than one choice permitted
Use case                        HSMs deployed today   HSMs planned in the next 12 months
Authentication                                 54%                                56%
SSL                                            48%                                49%
Database encryption                            47%                                54%
Application level encryption                   37%                                42%
Payments processing                            35%                                41%
PKI or credential management                   26%                                30%
Document signing                               15%                                23%
Code signing                                    8%                                21%

Budget allocations
The percentages below are calculated from responses to survey questions about resource
allocations to IT security, data protection, encryption, and key management. These calculated
values are estimates of the current state; we make no predictions about the future state of
budget funding or spending.
Figure 36 reports the average percentage of IT security spending relative to total IT spending
over the last nine years. As shown, the trend appears to be upward sloping, which suggests the
proportion of IT spending dedicated to security activities, including encryption, is increasing over
time.
Figure 36. Trend in the percent of IT security spending relative to the total IT budget
[Line/bar chart, FY2005 through FY2013, of the percentage of IT security spending relative to the total IT budget, with a reference line for the average; yearly values range from 7.2% to 9.9%.]

Figure 37 shows the percent of current IT security spending relative to the total IT budget for
individual countries. As shown, Germany and Japan report the highest proportions and the
UK and Brazil report the lowest.
Figure 37. Percent of current IT security spending relative to the total IT budget by country
[Bar chart by country (US, UK, DE, FR, AU, JP, BZ, RF) with a reference line for the average; values range from 7.4% to 13.7%, with Germany and Japan highest and the UK and Brazil lowest.]

Budget allocated to data protection. Figure 38 reports the percentage of data protection
spending relative to the total IT security budget over nine years. This trend appears to be slightly
upward sloping, which suggests data protection spending as a proportion of total IT security is on
the rise.
Figure 38. Trend in the percent of IT security spending dedicated to data protection activities
[Line/bar chart, FY2005 through FY2013, of the percentage of IT security spending dedicated to data protection activities, with a reference line for the average; yearly values range from 22.7% to 34.5%.]

Figure 39 shows the average percent of current IT security spending dedicated to data protection
spending by country sample. As shown, the percentage of data protection spending relative to
total IT security is highest in the UK and Germany and lowest in Brazil and Australia. Perhaps
more important is the consistency in percentage values observed across most countries.
Figure 39. Percent of current IT security spending dedicated to data protection activities by country
[Bar chart by country (US, UK, DE, FR, AU, JP, BZ, RF) with a reference line for the average; values range from 28.4% to 38.3%, with the UK and Germany highest and Brazil and Australia lowest.]

Budget allocated to encryption. Figure 40 reports the nine-year trend in the percentage of
encryption spending relative to the total IT security budget. Again, the trend appears to be
increasing from a low of 9.7 percent in 2005 to 18.2 percent in the present year’s encryption
trends study.
Figure 40. Trend in the percent of IT security budget dedicated to encryption¹⁰
[Line/bar chart, FY2005 through FY2013, of the percentage of IT security spending dedicated to encryption, with a reference line for the average; values rise from 9.7% in FY2005 to 18.2% in FY2013.]

Figure 41 reports the percentage of IT security spending dedicated to encryption. Again, the
country comparisons are very consistent. Respondents in Germany show the highest average
percentage of encryption spending, while those in the UK show the lowest average percentage
spending levels.
Figure 41. Percent of the IT security budget dedicated to encryption by country
[Bar chart by country (US, UK, DE, FR, AU, JP, BZ, RF) with a reference line for the average; values range from 15.8% to 21.7%, with Germany highest and the UK lowest.]

¹⁰ The figures in this graph suggest that encryption spending represents nearly 60 percent of the total data
protection budget (which is a subset of the total IT security budget). However, debriefing interviews with a
subset of respondents revealed that encryption spending might not be contained solely in the data protection
category, but rather other earmark categories such as security technologies.

Budget allocated to key management. Figure 42 reports the three-year comparison in the
percentage of encryption key management spending as a proportion of the overall encryption
spend,¹¹ showing a six percent increase.
Figure 42. Budget allocation to key management
[Bar chart, FY2011 through FY2013, of the percentage of encryption spending dedicated to key management, with a reference line for the average; values range from 23.5% to 31.9%.]

Figure 43 reports the proportion of spending on key management relative to the total spending on
encryption solutions for country samples. Perhaps the most interesting finding is the consistency
in spending on key management across all eight countries, with the exception of Australia and
Brazil.
Figure 43. Percent of encryption spending dedicated to key management activities by country
[Bar chart by country (US, UK, DE, FR, AU, JP, BZ, RF) with a reference line for the average; values range from 27.2% to 37.0%.]

¹¹ The analysis of key management spending was first conducted in 2011 and, hence, we don’t have the
ability to conduct a full trend analysis.

Part 3. Methods & Limitations
Table 1 reports the sample response for eight separate country samples. The survey was
conducted over a 49-day period ending in December 2013. Our consolidated sampling frame of
practitioners in all countries consisted of 118,423 individuals who have bona fide credentials in IT
or security fields. From this sampling frame, we captured 4,802 returns, of which 547 were rejected
for reliability issues. Our final consolidated 2013 sample was 4,275, resulting in a 3.6% response
rate. The first encryption trends study was conducted in the US in 2005.¹² Since then we have
expanded the scope of the research to include eight separate country samples. Trend analysis
was performed on combined country samples. As noted before, we added the Russian Federation
in this year’s study.
Table 1. Sample response in eight countries
Countries             Sampling frame   Total returns   Rejected surveys   Final sample
United States                 26,553           1,001                109            892
United Kingdom                15,995             688                 71            637
Germany                       16,030             650                 48            602
France                        15,916             558                 80            478
Australia                      9,503             456                 42            414
Japan                         14,020             569                 48            521
Brazil                        14,371             603                 73            530
Russian Federation             6,035             277                 76            201
Total                        118,423           4,802                547          4,275

As noted in Table 2, the respondents’ average (mean) experience in IT, IT security or related
fields is 10.25 years. Approximately 25 percent of respondents are female and 75 percent
male.¹³

Table 2. Other characteristics of respondents
Experience levels            Mean years
Overall experience                11.02
IT or security experience         10.25

Gender                       Combined %
Female                              25%
Male                                75%

¹² The following matrix summarizes the samples and sample sizes used in all figures showing trends.

Country/year          2013    2012    2011    2010    2009    2008    2007    2006    2005
Australia              414     938     471     477     482     405       0       0       0
Brazil                 530     637     525       0       0       0       0       0       0
France                 478     584     511     419     414       0       0       0       0
Germany                602     499     526     465     490     453     449       0       0
Japan                  521     466     544       0       0       0       0       0       0
Russian Federation     201       0       0       0       0       0       0       0       0
United Kingdom         637     550     651     622     615     638     541     489       0
United States          892     531     912     964     997     975     768     918     791
Total                4,275   4,205   4,140   2,947   2,998   2,471   1,758   1,407     791

¹³ This skewed response showing a much lower frequency of female respondents in our study is consistent
with earlier studies – all showing that males outnumber females in the IT and IT security professions within
the seven countries sampled.

Figure 43 summarizes the approximate position levels of respondents in our study. As can be
seen, the majority (52 percent) of respondents are at or above the supervisory level.
Figure 43. Distribution of respondents according to position level
Consolidated from eight separate country samples
[Pie chart with segments: Executive/VP, Director, Manager/Supervisor, Associate/Staff/Technician, Other. Segment values shown are 3%, 3%, 18%, 32% and 44%; 52% of respondents are at or above the supervisory level.]

Figure 44 reports the primary industry segments of respondents’ organizations. As shown, 16
percent of respondents are located in the financial services industry, which includes banking,
investment management, insurance, brokerage, payments and credit cards. Another 11 percent
are located in public sector organizations, including central and local government.
Figure 44. Distribution of respondents according to primary industry classification
Consolidated from eight separate country samples
[Pie chart with segments: Financial services (16%), Public sector (11%), Manufacturing, Healthcare & pharma, Retailing, Services, Technology & software, Hospitality & leisure, Consumer products, Transportation, Communications, Entertainment & Media, Energy, Education & research, Defense, Other. The remaining segments range from 2% to 10% each.]

According to Figure 45, the majority of respondents (70 percent) are located in larger-sized
organizations with a global headcount of more than 1,000 employees.
Figure 45. Distribution of respondents according to organizational headcount
Consolidated for eight separate country samples
[Pie chart with segments: Less than 500; 500 to 1,000; 1,001 to 5,000; 5,001 to 25,000; 25,001 to 75,000; More than 75,000. Segment values shown are 4%, 11%, 12%, 18%, 26% and 29%; 70% of respondents are in organizations with more than 1,000 employees.]

Limitations
There are inherent limitations to survey research that need to be carefully considered before
drawing inferences from the presented findings. The following items are specific limitations that
are germane to most survey-based research studies.
• Non-response bias: The current findings are based on a sample of survey returns. We sent
surveys to a representative sample of IT and IT security practitioners in eight countries,
resulting in a large number of usable returned responses. Despite non-response tests, it is
always possible that individuals who did not participate are substantially different in terms of
underlying beliefs from those who completed the survey.

• Sampling-frame bias: The accuracy of survey results is dependent upon the degree to which
our sampling frames are representative of individuals who are IT or IT security practitioners
within the sample of eight countries selected.

• Self-reported results: The quality of survey research is based on the integrity of confidential
responses received from respondents. While certain checks and balances were incorporated
into our survey evaluation process including sanity checks, there is always the possibility that
some respondents did not provide truthful responses.

Appendix 1: Consolidated Findings
The following tables provide the percentage frequencies for all survey questions combined for
eight country samples (weighted by sample size). All survey responses were gathered over a
49-day period ending in December 2013. Please note that certain survey questions were omitted if
not utilized in the report.
Part 1: Your organization’s encryption posture

Q1. Please select one statement that best describes your organization’s approach to encryption implementation across the enterprise. (Consolidated)
We have an overall encryption plan or strategy that is applied consistently across the entire enterprise: 35%
We have an overall encryption plan or strategy that is adjusted to fit different applications and data types: 26%
For certain types of sensitive or confidential data such as Social Security numbers or credit card accounts we have a limited encryption plan or strategy: 24%
We don’t have an encryption plan or strategy: 15%
Total: 100%

Q2a. Does your organization encrypt sensitive and confidential data when sending it by email? (Consolidated)
Yes, most of the time: 25%
Yes, some of the time: 52%
No: 23%
Total: 100%


Q2b. Does your organization encrypt sensitive and confidential data stored on shared file servers? (Consolidated)
Yes, most of the time: 27%
Yes, some of the time: 48%
No: 25%
Total: 100%

Q2c. Does your organization encrypt sensitive and confidential data stored on laptop computers? (Consolidated)
Yes, most of the time: 32%
Yes, some of the time: 45%
No: 23%
Total: 100%

Q2d. Does your organization encrypt sensitive and confidential data stored on desktop PCs or workstations? (Consolidated)
Yes, most of the time: 31%
Yes, some of the time: 47%
No: 22%
Total: 100%

Q2e. Does your organization encrypt sensitive and confidential data stored on mobile data-bearing devices such as smart phones or tablets? (Consolidated)
Yes, most of the time: 24%
Yes, some of the time: 40%
No: 36%
Total: 100%

Q2f. Does your organization encrypt sensitive and confidential data stored on backup files or tapes before sending it to off-site storage locations? (Consolidated)
Yes, most of the time: 43%
Yes, some of the time: 38%
No: 19%
Total: 100%

Q2g. Does your organization encrypt sensitive and confidential data when sending it by external public networks such as the Internet or VPN (for example using SSL or IPSec)? (Consolidated)
Yes, most of the time: 35%
Yes, some of the time: 47%
No: 17%
Total: 100%

Q2h. Does your organization encrypt sensitive and confidential data when sending it by internal networks (i.e., within your own private network)? (Consolidated)
Yes, most of the time: 32%
Yes, some of the time: 46%
No: 22%
Total: 100%

Q2i. Does your organization encrypt sensitive and confidential data located in databases? (Consolidated)
Yes, most of the time: 33%
Yes, some of the time: 48%
No: 18%
Total: 100%

Q2j. Does your organization encrypt sensitive and confidential data within business software applications that are exposed to it? (Consolidated)
Yes, most of the time: 32%
Yes, some of the time: 47%
No: 21%
Total: 100%

Q2k. Does your organization encrypt sensitive and confidential data that is passed to external cloud based services using cloud encryption gateways? (Consolidated)
Yes, most of the time: 27%
Yes, some of the time: 44%
No: 29%
Total: 100%

Q2l. Does your organization encrypt sensitive and confidential data using encryption capabilities within external cloud based services? (Consolidated)
Yes, most of the time: 18%
Yes, some of the time: 19%
No: 63%
Total: 100%

Q2m. Does your organization encrypt sensitive and confidential data stored within your datacenter storage environment? (Consolidated)
Yes, most of the time: 33%
Yes, some of the time: 47%
No: 20%
Total: 100%

Q3. Please rate the following list of 13 encryption technologies based on the importance of each technology in protecting your organization’s sensitive or confidential data. Percentage very important and important responses combined. (Consolidated)
Email encryption: 42%
File server encryption: 49%
Laptop encryption: 52%
Desktop or workstation encryption: 42%
Smart phone or tablet encryption: 35%
Data center storage encryption: 27%
Back-up or tape encryption: 66%
Encryption of external public networks: 62%
Encryption on internal networks: 57%
Database encryption: 65%
Application level encryption: 39%
Cloud encryption gateways: 27%
Encryption within cloud based services: 24%
Average: 45%

Q4. In your organization, who has responsibility or is most influential in directing your organization’s strategy for using encryption? Please select one best choice. (Consolidated)
No single function has responsibility: 19%
IT operations: 35%
Finance: 3%
Lines of business (LOB) or general management: 26%
Security: 15%
Compliance: 1%
Other: 0%
Total: 100%

Q5. What are the reasons why your organization encrypts sensitive and confidential data? Please select the top two reasons. (Consolidated)
To lessen the impact of data breaches: 46%
To avoid having to notify customers or employees after a data breach occurs: 6%
To ensure that our organization’s privacy commitments are honored: 42%
To protect our organization’s brand or reputation: 44%
To comply with privacy or data security regulations and requirements: 40%
To reduce the scope of compliance audits: 22%
Total: 200%

Q6. In your opinion, would your organization be required to notify customers after a data breach involving the loss or theft of their personal information?

Q6a. If the data that was lost or stolen was not encrypted (in clear text) (Consolidated)
Yes: 37%
No: 54%
Unsure: 9%
Total: 100%

Q6b. If the data that was lost or stolen was encrypted (Consolidated)
Yes: 20%
No: 71%
Unsure: 9%
Total: 100%

Q7. What are your organization’s biggest challenges in planning and/or executing its data encryption strategy? Please select the top two challenges. (Consolidated)
Classifying which data to encrypt: 37%
Discovering where sensitive data resides in the organization: 61%
Determining which encryption technologies are most effective: 18%
Deploying the encryption technology effectively: 50%
Obtaining the budget to deploy: 24%
Measuring the effectiveness of the data encryption technologies deployed: 11%
Total: 200%

Q8. What are the main threats that might result in the exposure of sensitive or confidential data? Please select the top two choices. (Consolidated)
Hackers: 13%
Malicious insiders: 10%
System or process malfunction: 15%
Employee mistakes: 27%
Temporary or contract workers: 9%
Third party service providers: 8%
Legal and law enforcement (e.g., e-discovery): 15%
Other (please specify): 1%
Total: 100%

Q9. How important are the following features associated with encryption solutions that may be used by your organization? Most important and Important response combined. (Consolidated)
Automated enforcement of policy: 69%
Automated management of keys: 71%
Support for the widest range of applications: 52%
Centralized management interface: 69%
System scalability: 63%
Tamper resistance by dedicated hardware (e.g. HSM): 57%
Conformance with security standards: 65%
Support for format preserving encryption (FPE): 52%
System performance and latency: 71%
Support for emerging algorithms (e.g. ECC): 66%
Supports longer encryption keys: 49%
Formal product security certifications (e.g. FIPS 140): 55%
Average: 62%

Part 3. Encryption key management

Q11a. In general, how does your organization view key management tasks? Please select only one choice. (Consolidated)
Key management is viewed as a distinct discipline that is defined or performed by dedicated or specialist staff and associated tools according to well defined practices: 23%
Key management tasks are well defined but the organization does not have dedicated staff or tools to perform key management tasks: 52%
Key management activities are ad-hoc with minimal or no formal definition: 25%
Total: 100%

Q11b. What are, or would be, the primary drivers for developing a key management strategy? Please select the top two choices. (Consolidated)
Increase business efficiency: 52%
Reduce operational cost: 50%
Reduce complexity: 28%
Demonstrate compliance: 30%
Improve security: 36%
Other (please specify): 0%
None of the above: 4%
Total: 200%

Q13. Please rate the overall “pain” associated with managing keys or certificates within your organization, where 1 = minimal impact, risk and cost to 10 = severe impact, risk and cost. (Consolidated)
1 to 2: 11%
3 to 4: 16%
5 to 6: 21%
7 to 8: 24%
9 to 10: 29%
Total: 100%

Q14. Does your organization operate its own internal PKI? (Consolidated)
Yes: 25%
No: 75%
Total: 100%

Q15. What best describes your level of knowledge about KMIP? (Consolidated)
Very knowledgeable: 20%
Knowledgeable: 30%
Not knowledgeable (Go to Q18): 49%
Total: 100%

Q16. Does your organization deploy encryption or key management products that support the KMIP key management standard? (Consolidated)
Yes – KMIP support is a primary requirement: 13%
Yes – KMIP support is a secondary requirement: 19%
No, but we plan to make KMIP support a future requirement: 35%
No – KMIP support is not relevant: 14%
No – we have not considered KMIP support: 19%
Total: 100%

Q17. In what areas of your encryption and key management strategy is KMIP most important? Please select your top two choices. (Consolidated)
Storage systems: 37%
Application infrastructure within the datacenter: 35%
End user devices e.g. laptops, tablets or smart phones: 13%
Remote applications e.g. retail locations: 16%
Cloud based applications and storage: 54%
Network infrastructure: 34%
Other (please specify): 1%
None: 9%
Total: 200%

Q18. What best describes your level of knowledge about HSMs?
  Consolidated
  26%   Very knowledgeable
  43%   Knowledgeable
  30%   Not knowledgeable (Go to Part 5)
  100%  Total

Q19a. Does your organization deploy HSMs?
  Consolidated
  28%   Yes
  72%   No (go to Part 5)
  100%  Total

Q19b. For what purpose does your organization presently deploy or plan to deploy HSMs? Please select all that apply.
Q19b-1. HSMs deployed today
  Consolidated
  37%   Application level encryption
  47%   Database encryption
  48%   SSL
  26%   PKI or credential management
  15%   Document signing (e.g. electronic invoicing)
  8%    Code signing
  54%   Authentication
  35%   Payments processing
  7%    Not used
  0%    Other (please specify)
  279%  Total

Q19b-2. HSMs planned to be deployed in the next 12 months
  Consolidated
  42%   Application level encryption
  54%   Database encryption
  49%   SSL
  30%   PKI or credential management
  23%   Document signing (e.g. electronic invoicing)
  21%   Code signing
  56%   Authentication
  41%   Payments processing
  2%    Not planning to use
  0%    Other (please specify)
  319%  Total

Q20. In your opinion, how important is HSM to your encryption or key management strategy? Very important and Important responses combined.
  Consolidated
  46%   Q20a. Importance today
  53%   Q20b. Importance in the next 12 months

Q21. Who are your primary vendors for HSM products and services? Please select all that apply.
  Consolidated
  17%   Thales/nCipher
  23%   SafeNet/Eracom
  27%   IBM
  7%    Utimaco
  15%   HP/Atalla
  4%    FutureX
  7%    Bull
  24%   None of the above
  7%    Not using HSM
  131%  Total

Part 4: IT security & encryption budget
Q22a. Are you responsible for managing all or part of your organization’s IT budget in 2013?
  Consolidated
  58%   Yes
  42%   No (Go to Part 5)
  100%  Total

Q22b. Approximately, what is the dollar range that best describes your organization’s IT budget for 2013?
Extrapolated average value in millions (billions for JPY & RUB)
  Consolidated
  NA

Extrapolated values computed from scaled responses
  Consolidated
  10%   Q22c. Approximately, what percentage of the 2013 IT budget will go to IT security activities?
  33%   Q22d. Approximately, what percentage of the 2013 IT security budget will go to data protection activities?
  18%   Q22e. Approximately, what percentage of the 2013 IT security budget will go to encryption activities?
  32%   Q22f. Approximately, what percentage of the 2013 encryption budget will go to key management activities?
  35%   Q23b. Approximately, what percentage of the 2014 IT security budget will go to encryption activities?
  29%   Q23c. Approximately, what percentage of the 2014 encryption budget will go to encryption key management activities?

Q23a. Please check the security initiatives that will be earmarked in the 2013 budget. Select all that apply.
  Consolidated
  52%   Identity & access management
  83%   Intrusion detection and prevention systems
  19%   Data loss prevention
  57%   Encryption solutions
  38%   Key and certificate management
  29%   Security intelligence (e.g., SIEM)
  19%   Tokenization
  36%   Public key encryption (PKI)
  53%   Database monitoring & behavior analysis
  49%   Endpoint security
  44%   Average

Part 5: Security effectiveness
  Consolidated
  0.60  Computed value based on 48 items

Part 6: Role and organizational characteristics
D1. What organizational level best describes your current position?
  Consolidated
  1%    Senior Executive
  2%    Vice President
  18%   Director
  31%   Manager/Supervisor
  44%   Associate/Staff/Technician
  3%    Other
  100%  Total

D2. Check the functional area that best describes your organizational location.
  Consolidated
  60%   IT operations
  14%   Security
  8%    Compliance
  3%    Finance
  13%   Lines of business (LOB)
  3%    Other
  100%  Total

D3. What industry best describes your organization’s industry focus?
  Consolidated
  16%   Financial services
  11%   Public sector
  7%    Technology & software
  7%    Health & pharmaceuticals
  10%   Manufacturing
  5%    Communications
  5%    Consumer products
  5%    Hospitality & leisure
  5%    Transportation
  7%    Retailing
  7%    Services
  2%    Defense
  3%    Education & research
  4%    Energy
  4%    Entertainment & Media
  2%    Other
  100%  Total

D4. What is the worldwide headcount of your organization?
  Consolidated
  12%   Less than 500
  18%   500 to 1,000
  30%   1,001 to 5,000
  26%   5,001 to 25,000
  11%   25,001 to 75,000
  4%    More than 75,000
  100%  Total

About Thales e-Security
Thales e-Security is a leading global provider of data encryption and cyber security solutions to the financial
services, high technology manufacturing, government and technology sectors. With a 40-year track record
of protecting corporate and government information, Thales solutions are used by four of the five largest
energy and aerospace companies, 22 NATO countries, and they secure more than 70 percent of worldwide
payment transactions. Thales e-Security has offices in France, Hong Kong, Norway, United States and the
United Kingdom. www.thales-esecurity.com.
About Thales
Thales is a global technology leader for the Defense & Security and the Aerospace & Transport markets. In
2011, the company generated revenues of €13 billion with 68,000 employees in more than 50 countries.
With its 22,500 engineers and researchers, Thales has a unique capability to design, develop and deploy
equipment, systems and services that meet the most complex security requirements. Thales has an
exceptional international footprint, with operations around the world working with customers as local
partners. www.thalesgroup.com.
About Ponemon Institute
Ponemon Institute is dedicated to independent research and education that advances information security,
data protection and privacy management practices within businesses and governments. Our mission is to
conduct high quality, empirical studies on critical issues affecting the security of information assets and the
IT infrastructure. As a member of the Council of American Survey Research Organizations (CASRO), we
uphold strict data confidentiality, privacy and ethical research standards. www.ponemon.org.

Mais conteúdo relacionado

Mais procurados

ZSAH Security - Web
ZSAH Security - WebZSAH Security - Web
ZSAH Security - Web
Fahd Khan
 
McNair_Paper_Hill
McNair_Paper_HillMcNair_Paper_Hill
McNair_Paper_Hill
Dennis Hill
 
Why network based security
Why network based securityWhy network based security
Why network based security
Alan Rudd
 
2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary
patmisasi
 
IREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security OutlookIREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security Outlook
Chris Cornillie
 
Kaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksKaspersky: Global IT Security Risks
Kaspersky: Global IT Security Risks
Constantin Cocioaba
 
Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15
James Fisher
 

Mais procurados (20)

EMA Megatrends in Cyber-Security
EMA Megatrends in Cyber-SecurityEMA Megatrends in Cyber-Security
EMA Megatrends in Cyber-Security
 
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
Leaders & Laggards: The Latest Findings from the Ponemon Institute’s Study on...
 
ZSAH Security - Web
ZSAH Security - WebZSAH Security - Web
ZSAH Security - Web
 
IT Executive Guide to Security Intelligence
IT Executive Guide to Security IntelligenceIT Executive Guide to Security Intelligence
IT Executive Guide to Security Intelligence
 
Harvey Nash UK & IRE Cyber Security Survey 2016
Harvey Nash UK & IRE Cyber Security Survey 2016Harvey Nash UK & IRE Cyber Security Survey 2016
Harvey Nash UK & IRE Cyber Security Survey 2016
 
McNair_Paper_Hill
McNair_Paper_HillMcNair_Paper_Hill
McNair_Paper_Hill
 
2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ...
 2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ... 2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ...
2020 Cost of Insider Threats Global Report with Dr. Larry Ponemon, Chairman ...
 
Why network based security
Why network based securityWhy network based security
Why network based security
 
2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary2015 Scalar Security Study Executive Summary
2015 Scalar Security Study Executive Summary
 
It's Time to Rethink Your Endpoint Strategy
It's Time to Rethink Your Endpoint StrategyIt's Time to Rethink Your Endpoint Strategy
It's Time to Rethink Your Endpoint Strategy
 
IREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security OutlookIREC165473PR RP 2017 Security Outlook
IREC165473PR RP 2017 Security Outlook
 
Learning from Verizon 2017 Data Breach Investigations Report – The New Targets
Learning from Verizon 2017 Data Breach Investigations Report – The New TargetsLearning from Verizon 2017 Data Breach Investigations Report – The New Targets
Learning from Verizon 2017 Data Breach Investigations Report – The New Targets
 
Executive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security StudyExecutive Summary of the 2016 Scalar Security Study
Executive Summary of the 2016 Scalar Security Study
 
Cybersecurity in the Boardroom
Cybersecurity in the BoardroomCybersecurity in the Boardroom
Cybersecurity in the Boardroom
 
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
Breaches Are Bad for Business. How Will You Detect and Respond to Your Next C...
 
2018 State of Cyber Resilience Insurance
2018 State of Cyber Resilience Insurance2018 State of Cyber Resilience Insurance
2018 State of Cyber Resilience Insurance
 
How close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe SecurityHow close is your organization to being breached | Safe Security
How close is your organization to being breached | Safe Security
 
Kaspersky: Global IT Security Risks
Kaspersky: Global IT Security RisksKaspersky: Global IT Security Risks
Kaspersky: Global IT Security Risks
 
Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15Foley-Cybersecurity-White-Paper_3.9.15
Foley-Cybersecurity-White-Paper_3.9.15
 
Cost of Cybercrime 2017
Cost of Cybercrime 2017Cost of Cybercrime 2017
Cost of Cybercrime 2017
 

Destaque

ใบงานที่ 6 เรื่อง โครงงานประเภท “การทดลองทฤษฎี”
ใบงานที่ 6 เรื่อง โครงงานประเภท “การทดลองทฤษฎี”ใบงานที่ 6 เรื่อง โครงงานประเภท “การทดลองทฤษฎี”
ใบงานที่ 6 เรื่อง โครงงานประเภท “การทดลองทฤษฎี”
Mark Mad
 
ใบงานที่ 7 เรื่อง โครงงานประเภท “การประยุกต์ใช้งาน”
ใบงานที่ 7 เรื่อง โครงงานประเภท “การประยุกต์ใช้งาน”ใบงานที่ 7 เรื่อง โครงงานประเภท “การประยุกต์ใช้งาน”
ใบงานที่ 7 เรื่อง โครงงานประเภท “การประยุกต์ใช้งาน”
Mark Mad
 
Technology integration
Technology integrationTechnology integration
Technology integration
briggsad
 

Destaque (20)

ฟอร มโครงร างโครงงานคอมพ_วเตอร_
ฟอร มโครงร างโครงงานคอมพ_วเตอร_ฟอร มโครงร างโครงงานคอมพ_วเตอร_
ฟอร มโครงร างโครงงานคอมพ_วเตอร_
 
ใบงานที่ 6 เรื่อง โครงงานประเภท “การทดลองทฤษฎี”
ใบงานที่ 6 เรื่อง โครงงานประเภท “การทดลองทฤษฎี”ใบงานที่ 6 เรื่อง โครงงานประเภท “การทดลองทฤษฎี”
ใบงานที่ 6 เรื่อง โครงงานประเภท “การทดลองทฤษฎี”
 
CTEL: Social Media - strategy
CTEL: Social Media - strategyCTEL: Social Media - strategy
CTEL: Social Media - strategy
 
An overview of web security
An overview of web securityAn overview of web security
An overview of web security
 
Website Security Statistics Report 2013
Website Security Statistics Report 2013Website Security Statistics Report 2013
Website Security Statistics Report 2013
 
ใบงานที่ 7 เรื่อง โครงงานประเภท “การประยุกต์ใช้งาน”
ใบงานที่ 7 เรื่อง โครงงานประเภท “การประยุกต์ใช้งาน”ใบงานที่ 7 เรื่อง โครงงานประเภท “การประยุกต์ใช้งาน”
ใบงานที่ 7 เรื่อง โครงงานประเภท “การประยุกต์ใช้งาน”
 
Lebron Edwin: Technology Zombies
Lebron Edwin: Technology ZombiesLebron Edwin: Technology Zombies
Lebron Edwin: Technology Zombies
 
NDO
NDONDO
NDO
 
Asignacion iv
Asignacion ivAsignacion iv
Asignacion iv
 
Technology integration
Technology integrationTechnology integration
Technology integration
 
Work incentives
Work incentivesWork incentives
Work incentives
 
ecoupons
ecouponsecoupons
ecoupons
 
Video Production Beginner's Guide
Video Production Beginner's GuideVideo Production Beginner's Guide
Video Production Beginner's Guide
 
Vocales ruddy
Vocales ruddyVocales ruddy
Vocales ruddy
 
2013 Mobile Application Security Survey
2013 Mobile Application Security Survey2013 Mobile Application Security Survey
2013 Mobile Application Security Survey
 
Kilpailukykysopimuksen vaikutusarvio
Kilpailukykysopimuksen vaikutusarvioKilpailukykysopimuksen vaikutusarvio
Kilpailukykysopimuksen vaikutusarvio
 
Top 10 professors of organic geochemistry
Top 10 professors of organic geochemistryTop 10 professors of organic geochemistry
Top 10 professors of organic geochemistry
 
WK2 Project: Storyboard
WK2 Project: StoryboardWK2 Project: Storyboard
WK2 Project: Storyboard
 
Sote-uudistuksen verovaikutuksia
Sote-uudistuksen verovaikutuksiaSote-uudistuksen verovaikutuksia
Sote-uudistuksen verovaikutuksia
 
Untitled Presentation
Untitled PresentationUntitled Presentation
Untitled Presentation
 

Semelhante a 2013 global encryption trends study

State of Security Operations 2016
State of Security Operations 2016State of Security Operations 2016
State of Security Operations 2016
Tim Grieveson
 
Strategic HRM Plan Grading GuideHRM498 Version 42.docx
Strategic HRM Plan Grading GuideHRM498 Version 42.docxStrategic HRM Plan Grading GuideHRM498 Version 42.docx
Strategic HRM Plan Grading GuideHRM498 Version 42.docx
florriezhamphrey3065
 
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFGT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
Laurie Mosca-Cocca
 
Data_Security_Guide_Everything_You_Need_to_Know.pdf
Data_Security_Guide_Everything_You_Need_to_Know.pdfData_Security_Guide_Everything_You_Need_to_Know.pdf
Data_Security_Guide_Everything_You_Need_to_Know.pdf
Mehdi Ahmadi
 
Meraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless worldMeraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless world
nooralmousa
 

Semelhante a 2013 global encryption trends study (20)

Protecting Corporate Information in the Cloud
Protecting Corporate Information in the CloudProtecting Corporate Information in the Cloud
Protecting Corporate Information in the Cloud
 
Enterprise Encryption and Authentication Usage: Survey Report
Enterprise Encryption and Authentication Usage: Survey ReportEnterprise Encryption and Authentication Usage: Survey Report
Enterprise Encryption and Authentication Usage: Survey Report
 
Jonathan raymond 2010 rotman telus - atlseccon2011
Jonathan raymond   2010 rotman telus - atlseccon2011Jonathan raymond   2010 rotman telus - atlseccon2011
Jonathan raymond 2010 rotman telus - atlseccon2011
 
Cybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & PracticesCybersecurity: Perceptions & Practices
Cybersecurity: Perceptions & Practices
 
State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...State of Security Operations 2016 report of capabilities and maturity of cybe...
State of Security Operations 2016 report of capabilities and maturity of cybe...
 
State of Security Operations 2016
State of Security Operations 2016State of Security Operations 2016
State of Security Operations 2016
 
Isaca global journal - choosing the most appropriate data security solution ...
Isaca global journal  - choosing the most appropriate data security solution ...Isaca global journal  - choosing the most appropriate data security solution ...
Isaca global journal - choosing the most appropriate data security solution ...
 
Strategic HRM Plan Grading GuideHRM498 Version 42.docx
Strategic HRM Plan Grading GuideHRM498 Version 42.docxStrategic HRM Plan Grading GuideHRM498 Version 42.docx
Strategic HRM Plan Grading GuideHRM498 Version 42.docx
 
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
ISACA New York Metro, Developing, Deploying and Managing a Risk-Adjusted Data...
 
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDFGT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
GT11_ATT_GuideBk_CyberSecurity_FINAL_V.PDF
 
295256_Security_Problem_Whitepaper.Web
295256_Security_Problem_Whitepaper.Web295256_Security_Problem_Whitepaper.Web
295256_Security_Problem_Whitepaper.Web
 
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
IRJET- An Approach Towards Data Security in Organizations by Avoiding Data Br...
 
Data_Security_Guide_Everything_You_Need_to_Know.pdf
Data_Security_Guide_Everything_You_Need_to_Know.pdfData_Security_Guide_Everything_You_Need_to_Know.pdf
Data_Security_Guide_Everything_You_Need_to_Know.pdf
 
Safeguarding the Enterprise
Safeguarding the EnterpriseSafeguarding the Enterprise
Safeguarding the Enterprise
 
2014 Secure Mobility Survey Report
2014 Secure Mobility Survey Report2014 Secure Mobility Survey Report
2014 Secure Mobility Survey Report
 
Security results of_the_wqr_2015_16
Security results of_the_wqr_2015_16Security results of_the_wqr_2015_16
Security results of_the_wqr_2015_16
 
Opteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdfOpteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdf
 
Data security and privacy
Data security and privacyData security and privacy
Data security and privacy
 
Meraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless worldMeraj Ahmad - Information security in a borderless world
Meraj Ahmad - Information security in a borderless world
 
Fintech Cyber Security Survey Hong Knog 2018
Fintech Cyber Security Survey Hong Knog 2018Fintech Cyber Security Survey Hong Knog 2018
Fintech Cyber Security Survey Hong Knog 2018
 

Mais de Bee_Ware

Biometrics how far are we prepared to go
Biometrics how far are we prepared to goBiometrics how far are we prepared to go
Biometrics how far are we prepared to go
Bee_Ware
 

Mais de Bee_Ware (20)

Les francais et la protection des données personnelles
Les francais et la protection des données personnellesLes francais et la protection des données personnelles
Les francais et la protection des données personnelles
 
DDoS threat landscape report
DDoS threat landscape reportDDoS threat landscape report
DDoS threat landscape report
 
Top ten big data security and privacy challenges
Top ten big data security and privacy challengesTop ten big data security and privacy challenges
Top ten big data security and privacy challenges
 
Verizon 2014 pci compliance report
Verizon 2014 pci compliance reportVerizon 2014 pci compliance report
Verizon 2014 pci compliance report
 
Numergy la sécurité des données dans le cloud
Numergy la sécurité des données dans le cloudNumergy la sécurité des données dans le cloud
Numergy la sécurité des données dans le cloud
 
Waf, le bon outil, la bonne administration
Waf, le bon outil, la bonne administration Waf, le bon outil, la bonne administration
Waf, le bon outil, la bonne administration
 
Bonnes pratiques de sécurité - Kaspersky
Bonnes pratiques de sécurité - KasperskyBonnes pratiques de sécurité - Kaspersky
Bonnes pratiques de sécurité - Kaspersky
 
Les entreprises européennes sont elles bien armées pour affronter les cyber a...
Les entreprises européennes sont elles bien armées pour affronter les cyber a...Les entreprises européennes sont elles bien armées pour affronter les cyber a...
Les entreprises européennes sont elles bien armées pour affronter les cyber a...
 
Maitriser la ssi pour les systèmes industriels
Maitriser la ssi pour les systèmes industrielsMaitriser la ssi pour les systèmes industriels
Maitriser la ssi pour les systèmes industriels
 
Kindsight security labs malware report - Q4 2013
Kindsight security labs malware report - Q4 2013Kindsight security labs malware report - Q4 2013
Kindsight security labs malware report - Q4 2013
 
Biometrics how far are we prepared to go
Biometrics how far are we prepared to goBiometrics how far are we prepared to go
Biometrics how far are we prepared to go
 
Managing complexity in IAM
Managing complexity in IAMManaging complexity in IAM
Managing complexity in IAM
 
Websense security prediction 2014
Websense   security prediction 2014Websense   security prediction 2014
Websense security prediction 2014
 
Les principales failles de sécurité des applications web actuelles
Les principales failles de sécurité des applications web actuellesLes principales failles de sécurité des applications web actuelles
Les principales failles de sécurité des applications web actuelles
 
La sécurité des Si en établissement de santé
La sécurité des Si en établissement de santéLa sécurité des Si en établissement de santé
La sécurité des Si en établissement de santé
 
Les 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobilesLes 10 risques liés aux applications mobiles
Les 10 risques liés aux applications mobiles
 
Guide de mise en oeuvre d'une authentification forte avec une cps
Guide de mise en oeuvre d'une authentification forte avec une cpsGuide de mise en oeuvre d'une authentification forte avec une cps
Guide de mise en oeuvre d'une authentification forte avec une cps
 
Clusif le role de l'organisation humaine dans la ssi 2013
Clusif le role de l'organisation humaine dans la ssi 2013Clusif le role de l'organisation humaine dans la ssi 2013
Clusif le role de l'organisation humaine dans la ssi 2013
 
2013 cost of data breach study - France
2013 cost of data breach study - France2013 cost of data breach study - France
2013 cost of data breach study - France
 
2013 cost of data breach study - Global analysis
2013 cost of data breach study - Global analysis2013 cost of data breach study - Global analysis
2013 cost of data breach study - Global analysis
 

Último

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 

Último (20)

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

2013 global encryption trends study

  • 1. 2013 Global Encryption Trends Study Encryption continues along its path to mainstream adoption but key management concerns highlight potential barriers to deployment. Sponsored by Thales e-Security Independently conducted by Ponemon Institute LLC Publication Date: February 2014 Ponemon Institute© Research Report
  • 2. 2013 Global Encryption Trends Study Table of Contents From Page To Page Part 1. Executive Summary 2 4 Part 2. Key Findings 5 36 Strategy and adoption of encryption 5 7 Trends in encryption adoption 8 10 Encryption and security effectiveness (SES) 11 13 Threats, main drivers and priorities 14 19 Deployment choices and decision criteria 20 22 Encryption features considered most important 23 23 Attitudes about key management 24 27 Importance of the key management interoperability protocol (KMIP) 28 29 Importance of hardware security modules (HSM) 30 32 Budget allocations 33 35 Part 3. Methods & Limitations 37 39 Appendix: Consolidated Findings 40 47 Thales e-Security & Ponemon Institute© Research Report Page 1
2013 Global Encryption Trends Study [1]
Ponemon Institute, February 2014

Part 1. Executive Summary

Ponemon Institute is pleased to present the findings of the 2013 Global Encryption Trends Study, sponsored by Thales e-Security. We surveyed 4,802 individuals across multiple industry sectors in eight countries: the United States, United Kingdom, Germany, France, Australia, Japan, Brazil [2] and, for the first time, the Russian Federation. The purpose of this research is to examine how the use of encryption has evolved over the past nine years and the impact of this technology on the security posture of organizations. The first encryption trends study was conducted in 2005 for a US sample of respondents. [3] Since then we have expanded the scope of the research to include respondents in all regions of the world. This year, for the first time, the survey included respondents in the Russian Federation.

In our research we consider the threats organizations face and how encryption is being used to reduce these risks. As in prior years, we asked questions about the types of encryption technologies deployed, the most salient threats to sensitive and confidential information, data protection priorities, and budgeted expenditures for encryption and key management activities.

Following is a summary of our most salient findings. More detail is provided for each key finding in the next section of this paper. We believe the findings are important because they demonstrate the relationship between encryption and a strong security posture. As shown in this research, organizations with a strong security posture are more likely to invest in encryption and key management to meet their security missions.

Following are the big encryption trends over nine years:
- Steady improvement in the security posture of participating companies.
- Increase in the use of encryption as part of an enterprise strategy rather than as a point solution.
- More influence at the business unit level in choosing and deploying encryption technologies.
- Decrease in the importance of compliance as a main driver of encryption adoption, as the focus shifts to honoring privacy obligations.
- Continued awareness of the Key Management Interoperability Protocol (KMIP) and adoption of hardware security modules (HSMs).
- Increase in spending on encryption and key management as a percentage of the IT budget.

Summary of key findings:

More organizations are adopting an enterprise encryption plan or strategy rather than relying on ad hoc requirements or informal policies. Since the first study, the number of respondents reporting that their organizations have a comprehensive encryption strategy, relative to those who say their organizations do not have such a strategy, has increased. Today, organizations that have a comprehensive strategy outnumber those that do not by more than two to one.

Business unit leaders are gaining influence over their company's use of encryption solutions. IT leaders are still most influential in determining the use of encryption. However, non-IT business managers are becoming more influential. This indicates that business unit leaders are taking a greater role in determining the encryption technologies their organizations need to ensure data security and privacy.

[1] This year's study was completed in December 2013 for eight country samples.
[2] In the figures, countries are abbreviated as follows: Germany (DE), Japan (JP), United States (US), United Kingdom (UK), Australia (AU), France (FR), Brazil (BZ) and Russia (RF).
[3] The trend analysis shown in this study was performed on combined country samples spanning nine years (since 2005).
Encryption usage is an indicator of a strong security posture. Organizations that deploy encryption extensively throughout the enterprise, as opposed to limiting its use to a specific purpose (i.e., point solutions), appear to be more aware of threats to sensitive and confidential information and spend more on IT security. In other words, encryption use makes a strong contribution to an organization's overall security posture. Furthermore, organizations with a strong security posture are three times more likely to have an encryption strategy than those with a lower security posture.

Employee mishap is considered the main threat to sensitive and confidential data. Concerns over accidental data leakage outweigh fears about attacks by malicious insiders or hackers by almost a factor of two.

The main driver for using encryption is lessening the impact of data breaches. This represents a shift in priorities. In previous years, the primary driver was protecting brand or reputation. In Australia and France the main reason for encryption is to comply with privacy or data security regulations and requirements.

Encryption has a major impact on the perceived need to disclose data breaches. There is a wide range of attitudes regarding the perceived need to disclose a breach. However, the findings indicate that respondents in all countries recognize that data encryption minimizes notification requirements to breach victims.

The discovery of data at risk and the actual deployment of encryption are the top two challenges. Of least concern are allocating budget, selecting the right encryption solution and options, and measuring effectiveness.

The use of encryption is steadily growing in all categories. Encryption of external public networks, databases and backup files is most likely to be extensively deployed throughout the enterprise. Deployment of encryption in cloud environments remains low. Seventy percent of respondents report they are deploying five or more different types of encryption.

Financial services companies are most likely to use encryption technologies throughout the enterprise. In contrast, manufacturing and retail organizations are less likely to extensively deploy encryption. The strongest growth in adoption of encryption is seen in the financial services and hospitality sectors.

German, US and Russian companies are most likely to use encryption technologies throughout the enterprise. Australian, French and Japanese companies are the least likely to extensively use encryption technologies.

The most important features of encryption technology solutions are system performance and latency, automated management of keys and automated enforcement of policies. The least important features are support for longer encryption keys and support for format preserving encryption. The importance of all aspects of functionality has increased as more organizations deploy encryption. The issue of whether the encryption solution conforms to security standards has become more significant.

Key management is painful for most organizations. More than half of all respondents rated the "pain" associated with key management at 7 or higher (on a scale of 1 = minor to 10 = severe). Even though more than 75 percent of respondents report that key management is a well-defined discipline in their organizations, only 23 percent say that the task of managing keys has dedicated resources or tools.

Key management standards and hardware security modules (HSMs) are increasing in importance for participating companies. The Key Management Interoperability Protocol (KMIP) and HSMs provide mechanisms for unifying and automating key management activities and for reducing the risk of key management processes being subverted as a way to gain illicit access to encrypted data.
Part 2. Key Findings

Strategy and adoption of encryption

Since we began conducting this study, there has been a steady increase in organizations with an encryption strategy applied consistently across the entire enterprise. In turn, there has been a steady decline in organizations not having an encryption plan or strategy. Figure 1 shows these changes over the past nine years.

[Figure 1. Trends in encryption strategy: line chart, FY2005 to FY2013, two series: "Company has an encryption strategy applied consistently across the entire enterprise" and "Company does not have an encryption strategy". Per-year values are not legible in this extraction.]

According to Figure 2, the prevalence of an enterprise encryption strategy varies among the countries represented in this research. The highest prevalence of an enterprise encryption strategy is reported in Germany, followed by the US and Japan. Respondents in Australia and Brazil report the lowest adoption of an enterprise encryption strategy.

[Figure 2. Differences in enterprise encryption strategies by country: bar chart for US, UK, DE, FR, AU, JP, BZ and RF showing the percentage whose company has an encryption strategy applied consistently across the entire enterprise, with the average as a reference line. The highest bar (Germany) is 53 percent; the remaining per-country values are not legible in this extraction.]
Figure 3 shows the most influential functional areas for defining the company's encryption strategy. The figure shows that IT operations is deemed most influential in determining the organization's enterprise encryption strategy. In this study, "lines of business" are defined as those with commercial or executive responsibility within the organization.

Figure 3. Most influential for determining the company's encryption strategy
- IT operations: 35%
- Lines of business or general management: 26%
- No single function has responsibility: 19%
- Security: 15%
- Finance: 3%
- Compliance: 1%

Figure 4 shows that the IT operations function has consistently been most influential in framing the organization's encryption strategy over nine years. However, that picture is steadily changing, with business unit leaders gaining influence over their company's encryption strategy. We posit that the rising influence of business leaders reflects a general increase in consumer concerns over data privacy and the importance of demonstrating compliance with privacy and data protection mandates. It is also probable that the rise of employee-owned devices (BYOD) and the general consumerization of IT has had an effect. It is interesting to note that the influence of the security function on encryption strategy has been relatively constant (a flat line) over the past nine years.

[Figure 4. Influence of IT operations, lines of business and security: line chart, FY2005 to FY2013, three series: IT operations, Lines of business, Security. IT operations declines from a high of 53 percent over the period while lines of business rises; per-year values are not legible in this extraction.]
Figure 5 shows the distribution of respondents who rate IT operations, LOB and security as most influential in determining their organization's encryption strategy. This chart shows IT operations as most influential, followed by business managers, in six of eight countries. Japanese, German and Australian respondents see the influence of IT at a much higher level than business managers and security. In contrast, the US and UK see business managers as more influential than IT operations. In addition, respondents in the US and Australia rate security as having a higher level of influence on setting their organization's encryption strategy than in other countries.

[Figure 5. Influence of IT operations, LOB and security by country: grouped bar chart for JP, DE, AU, FR, RF, UK, BZ and US with three series: Security, Lines of business, IT operations. Per-country values are not legible in this extraction.]
Trends in adoption of encryption

Since we began tracking the enterprise-wide use of encryption in 2005, there has been a steady increase in the encryption solutions used by organizations. [4] Figure 6 summarizes enterprise-wide usage consolidated for various encryption technologies over nine years. This continuous growth in enterprise deployment suggests encryption is important to an organization's security posture. Figure 6 also shows the percentage of the overall IT security budget dedicated to encryption-related activities. As expected, the patterns for deployment and budget show a strong correlation.

[Figure 6. Trend on the extensive use of encryption technologies: line chart, FY2005 to FY2013, two series: "Extensive deployment of encryption" and "Percent of the IT budget earmarked for encryption". Both series rise over the period; per-year values are not legible in this extraction.]

[4] The combined sample used to analyze trends is explained in Part 3, Methods.
Figure 7 shows a positive relationship between encryption strategy and the deployment of encryption. German organizations have the highest percentage of companies with an enterprise encryption strategy and they are the most extensive users of encryption technologies. In contrast, Australia has the lowest percentage of companies with an enterprise strategy for encryption.

[Figure 7. Extensive use and prevalence of an enterprise encryption strategy by country: grouped bar chart for US, UK, DE, FR, AU, JP, BZ and RF with two series: "Extensive deployment of encryption (average of 13 categories)" and "Encryption strategy applied consistently across the entire enterprise". Per-country values are not legible in this extraction.]
Figure 8 shows the extensive usage of encryption solutions for 10 industry sectors over two years. With one exception (retailing), the results suggest a steady increase in all industry sectors between 2012 and 2013. The most significant increases in encryption usage occur in financial services and hospitality.

Figure 8. The extensive use and availability of an enterprise strategy by industry
Extensive use, FY2012 / FY2013:
- Financial services: 38% / 43%
- Services: 37% / 39%
- Transportation: 33% / 35%
- Technology & software: 31% / 33%
- Health & pharma: 29% / 31%
- Hospitality: 21% / 26%
- Consumer products: 24% / 25%
- Public sector: 23% / 24%
- Retailing: 21% / 21%
- Manufacturing: 17% / 19%
Encryption and Security Effectiveness (SES)

To estimate the security posture of organizations, we used the Security Effectiveness Score, or SES, as part of the survey process. [5] The SES range of possible scores is +2 (most favorable) to -2 (least favorable). We define an organization's security effectiveness as being able to achieve the right balance between efficiency and effectiveness across a wide variety of security issues and technologies. A favorable score indicates that the organization's investment in people and technologies is both effective in achieving its security mission and also efficient. In other words, the organization is not squandering resources and is still effective in achieving its security goals.

Following is a summary of the average SES for each country sample over the past three years. Germany achieves the highest score, while Brazil has the lowest score over the past three years.

[Figure 9. Average security effectiveness score (SES) in ascending order by country: horizontal bar chart for DE, JP, US, UK, RF, AU, FR and BZ with three series: SES FY2011, SES FY2012, SES FY2013. 2011 and 2012 data are not available for the RF sample. Germany scores highest (about 1.2 in each year) and Brazil lowest (negative in each year); the remaining values are not legible in this extraction.]

[5] The Security Effectiveness Score was developed by Ponemon Institute in its annual encryption trends survey to define the security posture of responding organizations. The SES is derived from the rating of 24 security features or practices. This method has been validated in more than 45 independent studies conducted since June 2005. The SES provides a range of +2 (most favorable) to -2 (least favorable). Hence, a result greater than zero is viewed as net favorable.
Figure 10 reports the SES results compiled from encryption trend studies conducted over nine years. The trend line is increasing, which suggests the security posture of participating companies has improved over this time period.

[Figure 10. Trend in average Security Effectiveness Score (SES): line chart, FY2005 to FY2013, rising from 0.04 in FY2005 to about 0.55 in FY2013, with the period average shown as a reference line. Intermediate values are not legible in this extraction.]

Figure 11 summarizes a cross-tab analysis of SES against the percentage of organizations that have an enterprise-wide encryption strategy and the percentage that have an extensive deployment of encryption. We divide the overall sample into four quartiles based on SES. We see that organizations in the highest SES quartile sub-sample are nearly three times more likely to deploy a holistic encryption strategy than companies in the lowest SES quartile sub-sample (41 percent versus 16 percent). This figure also shows that organizations in the highest SES quartile sub-sample are more than two times more likely to be extensive users of encryption technologies than companies in the lowest SES quartile sub-sample (38 percent versus 15 percent). The pattern of quartile averages in Figure 11 provides strong evidence that both encryption strategy and the use of encryption make an important contribution to organizations' security posture.

[Figure 11. Analysis of encryption strategy and use by SES quartile (security posture): grouped bar chart for the first quartile (SES = 1.29), second quartile (SES = .81), third quartile (SES = .23) and fourth quartile (SES = .01), with two series: "Extensive deployment of encryption (average of 13 categories)" and "Encryption strategy applied consistently across the entire enterprise". Per-quartile bar values are not legible in this extraction.]
Figure 12 reports a scattergram showing the interrelationship between the respondents' encryption use profile and SES. The encryption use profile is a ratio variable between +1 and -1 compiled from the extensive use of 11 encryption technologies. [6] This diagram clearly shows a clustering of data points that form a positive (upward sloping) relationship, which suggests that encryption use and a strong security posture (high SES) are inextricably linked.

[Figure 12. Scattergram depicting the relationship between encryption use ratio and security posture: x-axis SES from -2 (low) to +2 (high), y-axis encryption use profile from -1 to +1.]

[6] Each respondent was assigned a profile score based on their organization's extensive use of encryption technologies. Respondents who said their organizations extensively deployed all 11 encryption technologies were rated +1. Respondents who said they did not extensively deploy any of the 11 encryption technologies were rated -1. Hence, most respondents earned a rating between these two limits.
Threats, main drivers and priorities

Figure 13 shows that, for the past two years, the most significant threats to the exposure of sensitive or confidential data are employee mistakes, legal and law enforcement requirements, and system or process malfunctions. In contrast, the least significant threats to the exposure of sensitive or confidential data include temporary or contract workers and third-party service providers. Concerns over inadvertent exposure (employee mistakes and system malfunction) outweigh concerns over actual attacks by hackers and malicious insiders.

Figure 13. The most salient threats to sensitive or confidential data
Main threats, FY2012 / FY2013:
- Employee mistakes: 26% / 27%
- Legal & law enforcement: 16% / 15%
- System malfunction: 15% / 15%
- Hackers: 14% / 13%
- Malicious insiders: 11% / 10%
- Temporary or contract workers: 9% / 9%
- Third party service providers: 8% / 8%
- Other: 1% / 1%
Figure 14 lists in ascending order the top five perceived data threats by country. [7] It shows marked differences among country samples. Respondents in Japan, Australia and the UK rate employee mistakes at a much higher level than respondents in other country samples. In contrast, Japanese respondents are least likely to rate system malfunction as a top security threat.

[Figure 14. Top five perceived threats by country: grouped bar chart for the threat categories Employee mistakes, Legal & law enforcement, System malfunction, Hackers and Malicious insiders, with one bar per country (RF, BZ, JP, AU, FR, DE, UK, US). Per-country values are not legible in this extraction.]

[7] The consolidated average percentage for each threat category is presented in Figure 13.
The main driver for using encryption is reducing the impact of data breaches. Six drivers for deploying encryption are presented in Figure 15. Respondents report that lessening the impact of data breaches (46 percent) and protecting the organization's brand or reputation (44 percent) are the two top reasons for using encryption technologies. Other top drivers for encryption usage include honoring the organization's privacy commitments (42 percent) and complying with privacy and data security regulations (40 percent).

Figure 15. The main drivers for using encryption technology solutions (more than one choice permitted)
- To lessen the impact of data breaches: 46%
- To protect our organization's brand or reputation: 44%
- To ensure that our organization's privacy commitments are honored: 42%
- To comply with privacy or data security regulations and requirements: 40%
- To reduce the scope of compliance audits: 22%
- To avoid having to notify customers or employees after a data breach occurs: 6%
Figure 16 illustrates marked country differences. [8] As shown, US respondents give their top rating to lessening the impact of data breaches. Japanese respondents give their highest rating to protecting the organization's brand or reputation. Australian and French respondents give their highest rating to compliance with privacy or data protection regulations.

[Figure 16. The top five drivers for using encryption: grouped bar chart for the drivers "To lessen the impact of data breaches", "To protect our organization's brand or reputation", "To ensure that our organization's privacy commitments are honored", "To comply with privacy or data security regulations and requirements" and "To reduce the scope of compliance audits", with one bar per country (RF, BZ, JP, AU, FR, DE, UK, US). Per-country values are not legible in this extraction.]

[8] The consolidated average percentage for each driver is presented in Figure 15.
Respondents believe data encryption reduces their organization's obligation to notify individuals in the event of data loss or theft. Figure 17 shows the results of a question asking respondents, "Would your organization be required to notify customers after a data breach involving the loss or theft of their personal information?" This question presented two separate conditions: (1) the breached data is encrypted and (2) the breached data is not encrypted. As can be seen, respondents in all countries recognize that data encryption minimizes notification requirements to breach victims. US respondents appear to be more sensitive to this data breach notification requirement than those in all other countries. The overall average "yes" response for notification in the case of unencrypted data loss or theft is 37 percent. In contrast, the average "yes" response for notification in the case of encrypted data loss or theft is only 20 percent.

[Figure 17. Would a data breach of customers' personal data require notification? Grouped bar chart for US, UK, DE, FR, AU, JP, BZ and RF with two series: "Customer data was not encrypted" and "Customer data was encrypted". The US "not encrypted" bar is the highest at 61 percent; the remaining per-country values are not legible in this extraction.]
Discovering where sensitive data resides in the organization is the biggest challenge. Figure 18 provides a list of six aspects that present challenges to the organization's effective execution of its data encryption strategy, in descending order of importance. Sixty-one percent of respondents say discovering where sensitive data resides in the organization is the number one challenge. In addition, 50 percent of all respondents cite deploying encryption technology as a significant challenge.

Figure 18. Biggest challenges in planning and executing a data encryption strategy (two choices permitted)
- Discovering where sensitive data resides in the organization: 61%
- Deploying the encryption technology effectively: 50%
- Classifying which data to encrypt: 37%
- Obtaining the budget to deploy: 24%
- Determining which encryption technologies are most effective: 18%
- Measuring the effectiveness of the data encryption technologies deployed: 11%
Deployment choices and decision criteria

We asked respondents to indicate whether specific encryption technologies are widely or only partially deployed within their organizations. "Extensive deployment" means that the encryption technology is deployed enterprise-wide. "Partial deployment" means the encryption technology is confined or limited to a specific purpose (a.k.a. a point solution). As shown in Figure 19, no single technology dominates because organizations have very diverse deployments. Encryption of external public networks, databases and data backups is the most likely to be deployed. In contrast, encryption for smart phones and tablets and for external cloud services is the least likely to be deployed.

[Figure 19. Consolidated view on the use of encryption technologies: stacked horizontal bar chart with two series, "Extensive deployment" and "Partial deployment", for External public networks, Databases, Backup files, Data center storage, Software applications, Desktop & workstation, Internal networks, Laptop, Email, File server, Cloud encryption gateways, Smart phone & tablet and External cloud services (listed in descending order of total deployment). Per-technology values are not legible in this extraction.]
Figure 20 provides a histogram showing the percentage frequency of 13 encryption technologies deployed by respondents in all country samples combined. As can be seen, 70 percent of the consolidated sample say their organizations use five or more separate encryption technologies, with 44 percent of organizations deploying between four and six different types of encryption technology.

[Figure 20. Histogram of 13 encryption technologies deployed: x-axis is the number of separate encryption technologies deployed (1 to 13), y-axis is the percentage of respondents. Per-bin values are not legible in this extraction.]

The use of encryption varies among countries. Figure 21 reports the extensive and partial deployment data of encryption technologies for eight countries. As shown, respondents in Germany, the US and Russia have higher encryption deployment rates than those in other countries.

[Figure 21. Extensive and partial deployment of data encryption technologies, consolidated for 13 encryption technologies: stacked bar chart for DE, US, RF, BZ, UK, JP, FR and AU with two series, "Extensive deployment" and "Partial deployment". Per-country values are not legible in this extraction.]
Figure 22 presents a proportional analysis of 13 encryption technologies extensively deployed within the eight country samples. Specifically, Germany and the US are the most extensive users of the encryption technologies listed in the figure. In contrast, France, Japan and Australia seem to be the least extensive users of encryption. Please note that the percentage shown in each cell represents the extensive usage rate only. Because organizations are using multiple encryption tools, as indicated in the histogram in Figure 20, the sum of these cells across encryption categories and countries exceeds 100 percent.

[Figure 22. The extensive use of 13 encryption technologies by country: stacked horizontal bar chart with one segment per country (US, UK, DE, FR, AU, JP, BZ, RF) for Backup files, External public networks, Databases, Data center storage, Internal networks, Laptop, Software applications, Desktop & workstation, File server, Email, Smart phone & tablet, External cloud services and Cloud encryption gateways. Per-cell values are not legible in this extraction.]
Encryption features considered most important

Respondents were asked to rate the encryption technology features considered most important to their organization's security posture. According to the consolidated findings, system performance and latency, automated management of encryption keys and automated enforcement of policy are the three most important features. The ratings of encryption technology features are listed in descending order of importance in Figure 23. In comparing this year's to last year's results, it is interesting to see 10 of 12 encryption technology features receiving a higher rating. The most significant difference concerns conformance with security standards (Diff = 12 percent).

Figure 23. Most important features of encryption technology solutions
"Very important" response, FY2012 / FY2013:
- System performance and latency: 51% / 56%
- Automated management of keys: 47% / 52%
- Automated enforcement of policy: 43% / 47%
- System scalability: 40% / 44%
- Tamper resistance by dedicated hardware: 38% / 41%
- Conformance with security standards: 27% / 39%
- Centralized management interface: 35% / 39%
- Support for the widest range of applications: 33% / 30%
- Formal product security certifications: 25% / 28%
- Support for emerging algorithms: 29% / 28%
- Support for format preserving encryption: 19% / 26%
- Supports longer encryption keys: 16% / 19%
Attitudes about key management

Using a 10-point scale, respondents were asked to rate the overall "pain" associated with managing keys or certificates within their organization (where 1 = minimal impact, risk and cost and 10 = severe impact, risk and cost). Figure 24 clearly shows that 53 percent of respondents chose ratings at or above seven, suggesting a fairly high pain point.

[Figure 24. The overall impact, risk and cost associated with managing keys or certificates: bar chart of the percentage of respondents in each rating band (1 to 2, 3 to 4, 5 to 6, 7 to 8, 9 to 10), where 1 = nominal and 10 = severe. The 7 to 8 and 9 to 10 bands together account for 53 percent; individual band values are not legible in this extraction.]

Figure 25 shows the so-called "pain index" for respondents in eight countries. As can be seen, the extrapolated average in all country samples is above the scale median of 5.5, which suggests that most respondents view managing keys and certificates as a challenging activity. The highest value is 6.94 in Brazil and the lowest value is 5.60 in Japan.

[Figure 25. The average overall impact, risk and cost associated with managing keys or certificates: bar chart for US, UK, DE, FR, AU, JP, BZ and RF on a 1 to 10 scale, with the overall average and the scale median (5.5) as reference lines. Brazil is highest at 6.94 and Japan lowest at 5.60; the remaining per-country values are not legible in this extraction.]
Figure 26 lists what respondents view as the primary drivers for developing a key management strategy. Increased business efficiency and reduced operational cost are the top two issues for the past two years. The largest difference between 2013 and 2012 is an eight point increase (from 42 to 50 percent) in operating cost as a primary driver for building a key management strategy. In other words, cost reduction is a higher priority in 2013 than in 2012.

Figure 26. Primary drivers for developing a key management strategy
Primary drivers, FY2012 / FY2013:
- Increase business efficiency: 50% / 52%
- Reduce operational cost: 42% / 50%
- Improve security: 33% / 36%
- Demonstrate compliance: 30% / 30%
- Reduce complexity: 31% / 28%
- None of the above: 4% / 4%
Figure 27 reports how key management tasks are viewed within respondents' organizations. More than half (52 percent) of respondents believe their key management tasks are constrained because their organizations do not have dedicated staff or tools to perform them. Only 23 percent of respondents say their organizations perform key management with dedicated expert staff and specialized tools according to well-defined practices.

Figure 27. Key management deployment models
- Key management tasks are well defined, but the organization does not have dedicated staff or tools to perform key management tasks: 52%
- Key management activities are ad hoc, with minimal or no formal definition: 25%
- Key management is viewed as a distinct discipline that is defined or performed by dedicated or specialist staff and associated tools according to well-defined practices: 23%

Figure 28 compares country samples for one of the conditions indicated in the above chart, namely the "yes" responses to the selection that key management is a distinct discipline performed by dedicated staff and specialized tools according to well-defined practices (a.k.a. the nirvana state). While all responses are fairly low, respondents in Germany have the highest percentage of "yes" responses while respondents in Japan have the lowest.

[Figure 28. Perceptions about the key management nirvana state: bar chart of the percentage "yes" response for US, UK, DE, FR, AU, JP, BZ and RF, with the average as a reference line. Germany is highest at 28 percent and Japan lowest at 17 percent; the remaining per-country values are not legible in this extraction.]
Figure 29 reports the percentage of respondents who report that their organizations operate an internal public key infrastructure (PKI). US organizations have the highest rate at 35 percent, while organizations in France have the lowest rate at 15 percent.

Figure 29. Percentage of respondents' organizations that operate an internal PKI
Percentage of organizations that operate their own internal PKI, by country (US, UK, DE, FR, AU, JP, BZ, RF) with average; highest 35% (US), lowest 15% (France).
Importance of the key management interoperability protocol (KMIP)

Figure 30 summarizes the responses to the question, "Does your organization deploy encryption or key management products that support the KMIP key management standard?" As can be seen, 35 percent of respondents say they plan to make KMIP support a future requirement. Only 13 percent of respondents say KMIP support is a primary requirement today.

Figure 30. Is KMIP supported as a primary or secondary requirement?
No, but we plan to make KMIP support a future requirement: 35%
Yes, KMIP support is a secondary requirement: 19%
No, we have not considered KMIP support: 19%
No, KMIP support is not relevant: 14%
Yes, KMIP support is a primary requirement: 13%

Figure 31 summarizes the yes responses in the above chart for the eight country samples. As shown, 47 percent of German respondents say their organizations presently support KMIP as either a primary or secondary requirement. Only 28 percent of respondents in Australia, Brazil and Russia say their organizations support KMIP as a primary or secondary requirement.

Figure 31. KMIP support as a primary or secondary requirement by country
Yes, KMIP support is either a primary or secondary requirement, by country (US, UK, DE, FR, AU, JP, BZ, RF) with average; highest 47% (Germany), lowest 28% (Australia, Brazil and Russia).
According to 54 percent of respondents, KMIP is most important for cloud-based applications and storage. This represents a 12 percent increase between 2012 and 2013. As shown in Figure 32, KMIP appears to be least important for end user devices such as laptops, tablets and smart phones, and for remote applications such as retail locations.

Figure 32. Where KMIP is most important (two choices permitted; FY2012 / FY2013)
Cloud based applications and storage: 42% / 54%
Storage systems: 36% / 37%
Application infrastructure in the data center: 35% / 35%
Network infrastructure: 35% / 34%
Remote applications: 16% / 16%
End user devices: 12% / 13%
None: 11% / 9%
Importance of hardware security modules (HSM)[9]

Figure 33 summarizes the percentage of respondents in eight countries whose organizations deploy HSMs as part of their key management program or activities. As can be seen, the rate of HSM deployment increased in the US, UK, Germany, Australia, Japan and Brazil between 2012 and 2013. Similar to last year, the pattern of responses suggests Japanese and German respondents are more likely than those in other countries to deploy HSMs in their organization's key management activities. The overall average deployment rate for HSMs as part of key management activities this year is 28 percent, representing six percent growth from last year's average deployment rate.

Figure 33. Deployment of HSMs as part of key management activities
HSM deployment rate in FY2013 and FY2012, by country (US, UK, DE, FR, AU, JP, BZ, RF*). *2012 data is not available for the RF sample.

[9] HSMs are devices specifically built to create a tamper-resistant environment in which to perform cryptographic processes (e.g. encryption or digital signing) and to manage the keys associated with those processes. These devices are used to protect critical data processing activities associated with server-based applications and can be used to strongly enforce security policies and access controls. HSMs are typically validated to formal security standards such as FIPS 140-2.
Figure 34 summarizes the percentage of respondents in eight countries who rate HSMs as either very important or important to their organization's key management program or activities. It is interesting to note that the importance level appears to be increasing between 2012 and 2013 across the country samples. Similar to last year, the pattern of responses suggests Japanese and German respondents are most likely to assign importance to HSMs in their organization's key management activities. The overall average importance rating in the current year is 46 percent. Last year's average importance rating was 39 percent.

Figure 34. Perceived importance of HSMs as part of key management activities
Important or very important, FY2013 and FY2012, by country (US, UK, DE, FR, AU, JP, BZ, RF*). *2012 data is not available for the RF sample.
Figure 35 summarizes the primary purposes or use cases for deploying HSMs. As can be seen, the number one purpose is authentication, followed by SSL and database encryption. The chart also shows differences between today's HSM use and planned deployment in 12 months. The most significant increases predicted for the next 12 months, according to respondents, are in code signing, document signing and database encryption.

Figure 35. How HSMs are deployed today or planned to be deployed in the next 12 months (more than one choice permitted; deployed today / planned in the next 12 months)
Authentication: 54% / 56%
SSL: 48% / 49%
Database encryption: 47% / 54%
Application level encryption: 37% / 42%
Payments processing: 35% / 41%
PKI or credential management: 26% / 30%
Document signing: 15% / 23%
Code signing: 8% / 21%
Budget allocations

The percentages below are calculated from the responses to survey questions about resource allocations to IT security, data protection, encryption and key management. These calculated values are estimates of the current state; we make no predictions about the future state of budget funding or spending.

Figure 36 reports the average percentage of IT security spending relative to total IT spending over the last nine years. As shown, the trend appears to be upward sloping, which suggests the proportion of IT spending dedicated to security activities, including encryption, is increasing over time.

Figure 36. Trend in the percent of IT security spending relative to the total IT budget
Percentage of IT security spending relative to the total IT budget, FY2005 to FY2013, with average; values range from 7.2% to 9.9%.

Figure 37 shows the percent of current IT security spending relative to the total IT budget for individual countries. As shown, Germany and Japan report the highest proportions and the UK and Brazil report the lowest.

Figure 37. Percent of current IT security spending relative to the total IT budget by country
Percentage of IT security spending relative to the total IT budget, by country (US, UK, DE, FR, AU, JP, BZ, RF) with average; values range from 7.4% to 13.7%.
Budget allocated to data protection. Figure 38 reports the percentage of data protection spending relative to the total IT security budget over nine years. This trend appears to be slightly upward sloping, which suggests data protection spending as a proportion of total IT security spending is on the rise.

Figure 38. Trend in the percent of IT security spending dedicated to data protection activities
Percentage of IT security spending dedicated to data protection activities, FY2005 to FY2013, with average; values range from 22.7% to 34.5%.

Figure 39 shows the average percent of current IT security spending dedicated to data protection by country sample. As shown, the percentage of data protection spending relative to total IT security spending is highest in the UK and Germany and lowest in Brazil and Australia. Perhaps more important is the consistency in percentage values observed across most countries.

Figure 39. Percent of current IT security spending dedicated to data protection activities by country
Percentage of IT security spending dedicated to data protection activities, by country (US, UK, DE, FR, AU, JP, BZ, RF) with average; values range from 28.4% to 38.3%.
Budget allocated to encryption. Figure 40 reports the nine-year trend in the percentage of encryption spending relative to the total IT security budget. Again, the trend appears to be increasing, from a low of 9.7 percent in 2005 to 18.2 percent in the present year's encryption trends study.[10]

Figure 40. Trend in the percent of IT security budget dedicated to encryption
Percentage of IT security spending dedicated to encryption, FY2005 (9.7%) to FY2013 (18.2%), with average.

Figure 41 reports the percentage of IT security spending dedicated to encryption by country. Again, the country comparisons are very consistent. Respondents in Germany show the highest average percentage of encryption spending, while those in the UK show the lowest.

Figure 41. Percent of the IT security budget dedicated to encryption by country
Percentage of IT security spending dedicated to encryption, by country (US, UK, DE, FR, AU, JP, BZ, RF) with average; values range from 15.8% to 21.7%.

[10] The figures in this graph suggest that encryption spending represents nearly 60 percent of the total data protection budget (which is a subset of the total IT security budget). However, debriefing interviews with a subset of respondents revealed that encryption spending might not be contained solely in the data protection category, but rather in other earmark categories such as security technologies.
Budget allocated to key management. Figure 42 reports the three-year comparison of encryption key management spending as a proportion of overall encryption spend,[11] showing a six percent increase.

Figure 42. Budget allocation to key management
Percentage of encryption spending dedicated to key management, FY2011, FY2012 and FY2013, with average (values shown: 23.5%, 29.5% and 31.9%).

Figure 43 reports the proportion of spending on key management relative to total spending on encryption solutions for the country samples. Perhaps the most interesting finding is the consistency in spending on key management across all eight countries, with the exception of Australia and Brazil.

Figure 43. Percent of encryption spending dedicated to key management activities by country
Percentage of encryption spending dedicated to key management, by country (US, UK, DE, FR, AU, JP, BZ, RF) with average; values range from 27.2% to 37.0%.

[11] The analysis of key management spending was first conducted in 2011 and, hence, we don't have the ability to conduct a full trend analysis.
Part 3. Methods & Limitations

Table 1 reports the sample response for eight separate country samples. The survey for this study was conducted over a 49-day period ending in December 2013. Our consolidated sampling frame of practitioners in all countries consisted of 118,423 individuals who have bona fide credentials in IT or security fields. From this sampling frame, we captured 4,802 returns, of which 547 were rejected for reliability issues. Our final consolidated 2013 sample was 4,275, resulting in a 3.6% response rate. The first encryption trends study was conducted in the US in 2005.[12] Since then we have expanded the scope of the research to include eight separate country samples. Trend analysis was performed on combined country samples. As noted before, we added the Russian Federation in this year's study.

Table 1. Sample response in eight countries
Country              Sampling frame   Total returns   Rejected surveys   Final sample
United States                26,553           1,001                109            892
United Kingdom               15,995             688                 71            637
Germany                      16,030             650                 48            602
France                       15,916             558                 80            478
Australia                     9,503             456                 42            414
Japan                        14,020             569                 48            521
Brazil                       14,371             603                 73            530
Russian Federation            6,035             277                 76            201
Total                       118,423           4,802                547          4,275

As noted in Table 2, the respondents' average (mean) experience in IT, IT security or related fields is 10.25 years. Approximately 25 percent of respondents are female and 75 percent male.[13]

Table 2. Other characteristics of respondents
Experience levels (mean years): Overall experience 11.02; IT or security experience 10.25
Gender (combined %): Female 25%; Male 75%

[12] The following matrix summarizes the samples and sample sizes used in all figures showing trends.
Country/year          2013    2012    2011    2010    2009    2008    2007    2006    2005
Australia              414     938     471     477     482     405       0       0       0
Brazil                 530     637     525       0       0       0       0       0       0
France                 478     584     511     419     414       0       0       0       0
Germany                602     499     526     465     490     453     449       0       0
Japan                  521     466     544       0       0       0       0       0       0
Russian Federation     201       0       0       0       0       0       0       0       0
United Kingdom         637     550     651     622     615     638     541     489       0
United States          892     531     912     964     997     975     768     918     791
Total                4,275   4,205   4,140   2,947   2,998   2,471   1,758   1,407     791

[13] This skewed response showing a much lower frequency of female respondents in our study is consistent with earlier studies, all showing that males outnumber females in the IT and IT security professions within the seven countries sampled.
Figure 43 summarizes the approximate position levels of respondents in our study. As can be seen, the majority (52 percent) of respondents are at or above the supervisory level.

Figure 43. Distribution of respondents according to position level (consolidated from eight separate country samples)
Executive/VP: 3%
Director: 18%
Manager/Supervisor: 32%
Associate/Staff/Technician: 44%
Other: 3%

Figure 44 reports the respondents' organizations' primary industry segments. As shown, 16 percent of respondents are located in the financial services industry, which includes banking, investment management, insurance, brokerage, payments and credit cards. Another 11 percent are located in public sector organizations, including central and local government.

Figure 44. Distribution of respondents according to primary industry classification (consolidated from eight separate country samples)
Financial services: 16%
Public sector: 11%
Manufacturing: 10%
Healthcare & pharma: 7%
Retailing: 7%
Services: 7%
Technology & software: 7%
Hospitality & leisure: 5%
Consumer products: 5%
Transportation: 5%
Communications: 5%
Entertainment & Media: 4%
Energy: 4%
Education & research: 3%
Defense: 2%
Other: 2%
According to Figure 45, the majority of respondents (70 percent) are located in larger organizations with a global headcount of more than 1,000 employees.

Figure 45. Distribution of respondents according to organizational headcount (consolidated for eight separate country samples)
Less than 500: 12%
500 to 1,000: 18%
1,001 to 5,000: 29%
5,001 to 25,000: 26%
25,001 to 75,000: 11%
More than 75,000: 4%

Limitations

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from the presented findings. The following items are specific limitations that are germane to most survey-based research studies.

• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of IT and IT security practitioners in eight countries, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the survey.

• Sampling-frame bias: The accuracy of survey results is dependent upon the degree to which our sampling frames are representative of individuals who are IT or IT security practitioners within the sample of eight countries selected.

• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from respondents. While certain checks and balances were incorporated into our survey evaluation process, including sanity checks, there is always the possibility that some respondents did not provide truthful responses.
Appendix 1: Consolidated Findings

The following tables provide the percentage frequencies for all survey questions combined for eight country samples (weighted by sample size). All survey responses were gathered over a 49-day period ending in December 2013. Please note that certain survey questions were omitted if not utilized in the report.

Part 1: Your organization's encryption posture

Q1. Please select one statement that best describes your organization's approach to encryption implementation across the enterprise. (Consolidated)
We have an overall encryption plan or strategy that is applied consistently across the entire enterprise: 35%
We have an overall encryption plan or strategy that is adjusted to fit different applications and data types: 26%
For certain types of sensitive or confidential data such as Social Security numbers or credit card accounts we have a limited encryption plan or strategy: 24%
We don't have an encryption plan or strategy: 15%
Total: 100%

Q2a. Does your organization encrypt sensitive and confidential data when sending it by email? (Consolidated)
Yes, most of the time: 25%
Yes, some of the time: 52%
No: 23%
Total: 100%

Q2b. Does your organization encrypt sensitive and confidential data stored on shared file servers? (Consolidated)
Yes, most of the time: 27%
Yes, some of the time: 48%
No: 25%
Total: 100%

Q2c. Does your organization encrypt sensitive and confidential data stored on laptop computers? (Consolidated)
Yes, most of the time: 32%
Yes, some of the time: 45%
No: 23%
Total: 100%

Q2d. Does your organization encrypt sensitive and confidential data stored on desktop PCs or workstations? (Consolidated)
Yes, most of the time: 31%
Yes, some of the time: 47%
No: 22%
Total: 100%

Q2e. Does your organization encrypt sensitive and confidential data stored on mobile data-bearing devices such as smart phones or tablets? (Consolidated)
Yes, most of the time: 24%
Yes, some of the time: 40%
No: 36%
Total: 100%
Q2f. Does your organization encrypt sensitive and confidential data stored on backup files or tapes before sending it to off-site storage locations? (Consolidated)
Yes, most of the time: 43%
Yes, some of the time: 38%
No: 19%
Total: 100%

Q2g. Does your organization encrypt sensitive and confidential data when sending it over external public networks such as the Internet or VPN (for example using SSL or IPSec)? (Consolidated)
Yes, most of the time: 35%
Yes, some of the time: 47%
No: 17%
Total: 100%

Q2h. Does your organization encrypt sensitive and confidential data when sending it over internal networks (i.e., within your own private network)? (Consolidated)
Yes, most of the time: 32%
Yes, some of the time: 46%
No: 22%
Total: 100%

Q2i. Does your organization encrypt sensitive and confidential data located in databases? (Consolidated)
Yes, most of the time: 33%
Yes, some of the time: 48%
No: 18%
Total: 100%

Q2j. Does your organization encrypt sensitive and confidential data within business software applications that are exposed to it? (Consolidated)
Yes, most of the time: 32%
Yes, some of the time: 47%
No: 21%
Total: 100%

Q2k. Does your organization encrypt sensitive and confidential data that is passed to external cloud-based services using cloud encryption gateways? (Consolidated)
Yes, most of the time: 27%
Yes, some of the time: 44%
No: 29%
Total: 100%

Q2l. Does your organization encrypt sensitive and confidential data using encryption capabilities within external cloud-based services? (Consolidated)
Yes, most of the time: 18%
Yes, some of the time: 19%
No: 63%
Total: 100%

Q2m. Does your organization encrypt sensitive and confidential data stored within your datacenter storage environment? (Consolidated)
Yes, most of the time: 33%
Yes, some of the time: 47%
No: 20%
Total: 100%
Q3. Please rate the following list of 13 encryption technologies based on the importance of each technology in protecting your organization's sensitive or confidential data. Percentage of very important and important responses combined. (Consolidated)
Email encryption: 42%
File server encryption: 49%
Laptop encryption: 52%
Desktop or workstation encryption: 42%
Smart phone or tablet encryption: 35%
Data center storage encryption: 27%
Back-up or tape encryption: 66%
Encryption of external public networks: 62%
Encryption on internal networks: 57%
Database encryption: 65%
Application level encryption: 39%
Cloud encryption gateways: 27%
Encryption within cloud based services: 24%
Average: 45%

Q4. In your organization, who has responsibility or is most influential in directing your organization's strategy for using encryption? Please select one best choice. (Consolidated)
No single function has responsibility: 19%
IT operations: 35%
Finance: 3%
Lines of business (LOB) or general management: 26%
Security: 15%
Compliance: 1%
Other: 0%
Total: 100%

Q5. What are the reasons why your organization encrypts sensitive and confidential data? Please select the top two reasons. (Consolidated)
To lessen the impact of data breaches: 46%
To avoid having to notify customers or employees after a data breach occurs: 6%
To ensure that our organization's privacy commitments are honored: 42%
To protect our organization's brand or reputation: 44%
To comply with privacy or data security regulations and requirements: 40%
To reduce the scope of compliance audits: 22%
Total: 200%

Q6. In your opinion, would your organization be required to notify customers after a data breach involving the loss or theft of their personal information?

Q6a. If the data that was lost or stolen was not encrypted (in clear text) (Consolidated)
Yes: 37%
No: 54%
Unsure: 9%
Total: 100%

Q6b. If the data that was lost or stolen was encrypted (Consolidated)
Yes: 20%
No: 71%
Unsure: 9%
Total: 100%
Q7. What are your organization's biggest challenges in planning and/or executing its data encryption strategy? Please select the top two challenges. (Consolidated)
Classifying which data to encrypt: 37%
Discovering where sensitive data resides in the organization: 61%
Determining which encryption technologies are most effective: 18%
Deploying the encryption technology effectively: 50%
Obtaining the budget to deploy: 24%
Measuring the effectiveness of the data encryption technologies deployed: 11%
Total: 200%

Q8. What are the main threats that might result in the exposure of sensitive or confidential data? Please select the top two choices. (Consolidated)
Hackers: 13%
Malicious insiders: 10%
System or process malfunction: 15%
Employee mistakes: 27%
Temporary or contract workers: 9%
Third party service providers: 8%
Legal and law enforcement (e.g., e-discovery): 15%
Other (please specify): 1%
Total: 100%

Q9. How important are the following features associated with encryption solutions that may be used by your organization? Most important and important responses combined. (Consolidated)
Automated enforcement of policy: 69%
Automated management of keys: 71%
Support for the widest range of applications: 52%
Centralized management interface: 69%
System scalability: 63%
Tamper resistance by dedicated hardware (e.g. HSM): 57%
Conformance with security standards: 65%
Support for format preserving encryption (FPE): 52%
System performance and latency: 71%
Support for emerging algorithms (e.g. ECC): 66%
Supports longer encryption keys: 49%
Formal product security certifications (e.g. FIPS 140): 55%
Average: 62%

Part 3. Encryption key management

Q11a. In general, how does your organization view key management tasks? Please select only one choice. (Consolidated)
Key management is viewed as a distinct discipline that is defined or performed by dedicated or specialist staff and associated tools according to well defined practices: 23%
Key management tasks are well defined but the organization does not have dedicated staff or tools to perform key management tasks: 52%
Key management activities are ad hoc with minimal or no formal definition: 25%
Total: 100%
Q11b. What are, or would be, the primary drivers for developing a key management strategy? Please select the top two choices. (Consolidated)
Increase business efficiency: 52%
Reduce operational cost: 50%
Reduce complexity: 28%
Demonstrate compliance: 30%
Improve security: 36%
Other (please specify): 0%
None of the above: 4%
Total: 200%

Q13. Please rate the overall "pain" associated with managing keys or certificates within your organization, where 1 = minimal impact, risk and cost and 10 = severe impact, risk and cost. (Consolidated)
1 to 2: 11%
3 to 4: 16%
5 to 6: 21%
7 to 8: 24%
9 to 10: 29%
Total: 100%

Q14. Does your organization operate its own internal PKI? (Consolidated)
Yes: 25%
No: 75%
Total: 100%

Q15. What best describes your level of knowledge about KMIP? (Consolidated)
Very knowledgeable: 20%
Knowledgeable: 30%
Not knowledgeable (Go to Q18): 49%
Total: 100%

Q16. Does your organization deploy encryption or key management products that support the KMIP key management standard? (Consolidated)
Yes, KMIP support is a primary requirement: 13%
Yes, KMIP support is a secondary requirement: 19%
No, but we plan to make KMIP support a future requirement: 35%
No, KMIP support is not relevant: 14%
No, we have not considered KMIP support: 19%
Total: 100%

Q17. In what areas of your encryption and key management strategy is KMIP most important? Please select your top two choices. (Consolidated)
Storage systems: 37%
Application infrastructure within the datacenter: 35%
End user devices, e.g. laptops, tablets or smart phones: 13%
Remote applications, e.g. retail locations: 16%
Cloud based applications and storage: 54%
Network infrastructure: 34%
Other (please specify): 1%
None: 9%
Total: 200%
Q18. What best describes your level of knowledge about HSMs? (Consolidated)
Very knowledgeable: 26%
Knowledgeable: 43%
Not knowledgeable (Go to Part 5): 30%
Total: 100%

Q19a. Does your organization deploy HSMs? (Consolidated)
Yes: 28%
No (Go to Part 5): 72%
Total: 100%

Q19b. For what purpose does your organization presently deploy or plan to deploy HSMs? Please select all that apply.

Q19b-1. HSMs deployed today (Consolidated)
Application level encryption: 37%
Database encryption: 47%
SSL: 48%
PKI or credential management: 26%
Document signing (e.g. electronic invoicing): 15%
Code signing: 8%
Authentication: 54%
Payments processing: 35%
Not used: 7%
Other (please specify): 0%
Total: 279%

Q19b-2. HSMs planned to be deployed in the next 12 months (Consolidated)
Application level encryption: 42%
Database encryption: 54%
SSL: 49%
PKI or credential management: 30%
Document signing (e.g. electronic invoicing): 23%
Code signing: 21%
Authentication: 56%
Payments processing: 41%
Not planning to use: 2%
Other (please specify): 0%
Total: 319%

Q20. In your opinion, how important is HSM to your encryption or key management strategy? Very important and important responses combined. (Consolidated)
Q20a. Importance today: 46%
Q20b. Importance in the next 12 months: 53%

Q21. Who are your primary vendors for HSM products and services? Please select all that apply. (Consolidated)
Thales/nCipher: 17%
SafeNet/Eracom: 23%
IBM: 27%
Utimaco: 7%
HP/Atalla: 15%
FutureX: 4%
Bull: 7%
None of the above: 24%
Not using HSM: 7%
Total: 131%
Part 4: IT security & encryption budget

Q22a. Are you responsible for managing all or part of your organization's IT budget in 2013? (Consolidated)
Yes: 58%
No (Go to Part 5): 42%
Total: 100%

Q22b. Approximately, what is the dollar range that best describes your organization's IT budget for 2013? Extrapolated average value in millions (billions for JPY & RUB): NA

Extrapolated values computed from scaled responses (Consolidated)
Q22c. Approximately, what percentage of the 2013 IT budget will go to IT security activities? 10%
Q22d. Approximately, what percentage of the 2013 IT security budget will go to data protection activities? 33%
Q22e. Approximately, what percentage of the 2013 IT security budget will go to encryption activities? 18%
Q22f. Approximately, what percentage of the 2013 encryption budget will go to key management activities? 32%
Q23b. Approximately, what percentage of the 2014 IT security budget will go to encryption activities? 35%
Q23c. Approximately, what percentage of the 2014 encryption budget will go to encryption key management activities? 29%

Q23a. Please check the security initiatives that will be earmarked in the 2013 budget. Select all that apply. (Consolidated)
Identity & access management: 52%
Intrusion detection and prevention systems: 83%
Data loss prevention: 19%
Encryption solutions: 57%
Key and certificate management: 38%
Security intelligence (e.g., SIEM): 29%
Tokenization: 19%
Public key encryption (PKI): 36%
Database monitoring & behavior analysis: 53%
Endpoint security: 49%
Average: 44%

Part 5: Security effectiveness
Computed value based on 48 items (Consolidated): 0.60

Part 6: Role and organizational characteristics

D1. What organizational level best describes your current position? (Consolidated)
Senior Executive: 1%
Vice President: 2%
Director: 18%
Manager/Supervisor: 31%
Associate/Staff/Technician: 44%
Other: 3%
Total: 100%
D2. Check the functional area that best describes your organizational location. (Consolidated)
IT operations: 60%
Security: 14%
Compliance: 8%
Finance: 3%
Lines of business (LOB): 13%
Other: 3%
Total: 100%

D3. What industry best describes your organization's industry focus? (Consolidated)
Financial services: 16%
Public sector: 11%
Technology & software: 7%
Health & pharmaceuticals: 7%
Manufacturing: 10%
Communications: 5%
Consumer products: 5%
Hospitality & leisure: 5%
Transportation: 5%
Retailing: 7%
Services: 7%
Defense: 2%
Education & research: 3%
Energy: 4%
Entertainment & Media: 4%
Other: 2%
Total: 100%

D4. What is the worldwide headcount of your organization? (Consolidated)
Less than 500: 12%
500 to 1,000: 18%
1,001 to 5,000: 30%
5,001 to 25,000: 26%
25,001 to 75,000: 11%
More than 75,000: 4%
Total: 100%
About Thales e-Security

Thales e-Security is a leading global provider of data encryption and cyber security solutions to the financial services, high technology manufacturing, government and technology sectors. With a 40-year track record of protecting corporate and government information, Thales solutions are used by four of the five largest energy and aerospace companies, 22 NATO countries, and they secure more than 70 percent of worldwide payment transactions. Thales e-Security has offices in France, Hong Kong, Norway, United States and the United Kingdom. www.thales-esecurity.com.

About Thales

Thales is a global technology leader for the Defense & Security and the Aerospace & Transport markets. In 2011, the company generated revenues of €13 billion with 68,000 employees in more than 50 countries. With its 22,500 engineers and researchers, Thales has a unique capability to design, develop and deploy equipment, systems and services that meet the most complex security requirements. Thales has an exceptional international footprint, with operations around the world working with customers as local partners. www.thalesgroup.com.

About Ponemon Institute

Ponemon Institute is dedicated to independent research and education that advances information security, data protection and privacy management practices within businesses and governments. Our mission is to conduct high quality, empirical studies on critical issues affecting the security of information assets and the IT infrastructure. As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data confidentiality, privacy and ethical research standards. www.ponemon.org.