Aligning encryption with business goals and risk management

Executives must establish data encryption as a strategic control that delivers enterprise value. Organizations that adopt a risk-based encryption approach can identify and prioritize data according to its impact on business.

CISOs and their teams should align data security with regulatory compliance -- e.g., data sovereignty laws and industry standards; customer trust and brand protection; and digital transformation initiatives, such as cloud, data sharing and AI.

Governance must include clear executive ownership for data assets across business units. Mandate accountability for encryption key management and technical support.

Executive insight: Protect data where it reduces material risk exposure.

How to secure data at rest: Foundation of data protection

Data at rest encompasses databases, cloud storage, endpoints, backups and other static data repositories. In today's distributed environments spanning regional data centers, edge computing and IoT, these locations can be very diverse.

To protect stored data, prioritize the following five specific actions:

• Data discovery and classification. Identify and label what matters most to the business. An organization cannot protect what it does not know about.
• Encryption strategies. Determine whether full encryption -- encrypting all data -- or selective encryption -- encrypting only specific, sensitive data -- is best based on sensitivity and performance requirements. Endpoint systems in particular will require attention and support.
• Infrastructure security. Secure cloud and on-premises environments, including patching, monitoring, key management and physical security.
• Access governance. Limit access based on roles and business needs, and implement MFA and zero-trust security where possible.
• Human risk mitigation. Conduct encryption training and awareness.

An effective system to manage data encryption and secure storage offers several positive business outcomes, such as reduced breach likelihood, reduced breach impact, stronger compliance posture with reduced penalties and improved audit readiness.

How to secure data in use: Protecting active data

Data in use includes information that is being processed, accessed or analyzed by users and systems.

Four leadership priorities exist to secure data in use:

• Access control and minimal privileges. Configure fine-grained access controls that adhere to the principle of least privilege to mitigate common data risks.
• Data minimization. Use masking, tokenization and obfuscation to help hide data that users aren't authorized to access.
• Emerging technologies. Use approaches such as confidential computing, secure enclaves and memory protection.
• Insider threat mitigation. Establish user behavior and access patterns using logging and data monitoring.

Beneficial business outcomes include reduced insider risk from deliberate or accidental threats, safer analytics and AI adoption, and improved collaboration and data sharing.

How to secure data in motion: Protecting data flows

Data in motion includes information moving across on-premises, cloud and public networks. Data in transit can be intercepted, blocked or modified, posing a significant risk to critical business operations.

Top leadership priorities for protecting data in motion include:

• End-to-end encryption. Integrating data encryption across all connections, including the internal network, is essential. Key technologies include TLS, HTTPS, VPNs and secure tunnels.
• Network security architecture. Establish zero-trust principles in network authentication and access control to mitigate impersonation and hijacking attacks.
• Third-party and supply chain risk management. Secure data exchanges with partners and vendors. Set clear security requirements for all communications between these entities.
• Continuous monitoring. Use monitoring tools to detect anomalies in data movement that suggest misuse or an attack.

Securing data in motion on all networks brings several crucial business benefits, including mitigation of data interception, modification and exfiltration; secure digital ecosystems and partnerships, and reduced data exposure in cloud environments.

Visibility, metrics and KPIs for encryption effectiveness

Measuring success is crucial to justifying investments, maintaining auditability and satisfying compliance requirements.

Key metrics for measuring encryption and data security performance include:

• Percent of data identified and classified.
• Percent of data encrypted in each phase -- data at rest, in use and in motion.
• Time to remediate encryption gaps.
• Key management incidents or failures.
• Mean time to detect and mean time to respond to data threats.
• Unauthorized access attempts blocked.
• Compliance audit success rates.
• Compliance audit failure rates.
• Third-party data compliance.

These metrics directly tie to risk reduction and compliance outcomes, both of which are fundamental to an organization's data management strategy. CISOs should provide stakeholders with dashboards for easy visibility and reporting.

Strategic recommendations and next steps

Treat data security as a board-level requirement with enterprise strategy implications. Establish a lifecycle-based security strategy that allocates resources according to data value and risk. To do this, first assess where critical data resides. Then, align encryption to risk and compliance goals. Finally, invest in the technologies, training and governance needed to protect data in all three phases.

Organizations that act now will reduce risk, strengthen trust and enable secure growth as they secure data at rest, in use and in motion.

Damon Garn owns Cogspinner Coaction and provides freelance IT writing and editing services. He has written multiple CompTIA study guides, including the Linux+, Cloud Essentials+ and Server+ guides, and contributes extensively to Informa TechTarget, The New Stack and CompTIA Blogs.