After 25 years in the data security space, I still shake my head when I read about some data breach where hackers were able to extract data from a corporation. Nine times out of ten, the data extracted was unencrypted. In rare cases, the data was encrypted, but the company left the encryption key unprotected. In every case, the hackers made it past their perimeter security system.
Those who know me have heard one of my many mantras: "Every data breach begins with a firewall breach." This is a fact.
So here we are in 2023. The industry as a whole has had access for decades to encryption technologies that would make the WWII Enigma machine look like a toy, but companies still choose to spend millions of dollars protecting their data by denying access to it. Why?
One reason could be the complexity of their systems: explaining a cryptographic deployment, much like explaining subtraction to a young child, requires breaking the concept down into simple steps. Another might be a lack of proper training, so that staff never learn to use encryption properly. Lastly, some companies may simply be hesitant to embrace new technology.
After studying this issue for several years, I've settled on five potential reasons why companies struggle to use the most powerful tool available to them to keep their data secure:
1. Complexity of cryptography
In the early 1990s, Mattel came out with a Barbie doll that talked. One of the phrases was, "Math class is tough." Mattel was roundly criticized for this statement, but the truth is that math is tough for most people, and if math is tough for most people, cryptography is even tougher.
There is no doubt that the concepts of cryptography are difficult to understand, but in reality, most of the complexity is handled by the solutions currently on the market. For example, a Diffie-Hellman key exchange to establish a shared symmetric key is handled as a matter of course by any solution that needs one. You don't need to understand the inner workings of AES to make it work. Yet very few people invest the time to understand even the basics of this important part of data security. Don't be afraid. Dive in.
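To show how little of that complexity reaches the developer, here is an added example (written for this page, not code from the original post or from any Fortanix product) in Go using only the standard library: two in-process parties agree on a key with X25519 Diffie-Hellman, derive an AES-256 key from the shared secret, and exchange a message under AES-GCM. The `Party` type, the `hkdfSHA256` helper, the `info` string and the sample message are assumptions made for the example; it needs Go 1.20 or later for `crypto/ecdh`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party holds one side's ephemeral X25519 key pair (a name chosen for this example).
type Party struct {
	priv *ecdh.PrivateKey
}

// NewParty generates a fresh X25519 key pair; the library does all the curve math.
func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// PublicKey is the only value a party ever sends to its peer.
func (p *Party) PublicKey() []byte { return p.priv.PublicKey().Bytes() }

// SharedKey computes the Diffie-Hellman shared secret with the peer's public
// key and turns it into a 32-byte AES key bound to the given purpose string.
func (p *Party) SharedKey(peerPub []byte, info string) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	secret, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	return hkdfSHA256(secret, []byte(info)), nil
}

// hkdfSHA256 is a minimal HKDF (RFC 5869) that outputs exactly one 32-byte block:
// PRK = HMAC-SHA256(salt = zeros, IKM); OKM = HMAC-SHA256(PRK, info || 0x01).
// It is an assumption of this example; production code would use a full HKDF library.
func hkdfSHA256(ikm, info []byte) []byte {
	salt := make([]byte, sha256.Size)
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(info)
	expand.Write([]byte{1})
	return expand.Sum(nil)
}

// Seal encrypts and authenticates plaintext with AES-256-GCM under key,
// prepending the random nonce so that Open can recover it.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies the GCM tag and decrypts; any modified byte makes it fail.
func Open(key, box, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(box) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := box[:gcm.NonceSize()], box[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Exchange runs the whole flow: both parties generate keys, each derives the
// same AES key from the other's public key, Alice seals a message, Bob opens it.
func Exchange(message []byte) ([]byte, error) {
	alice, err := NewParty()
	if err != nil {
		return nil, err
	}
	bob, err := NewParty()
	if err != nil {
		return nil, err
	}
	const info = "example-app v1 record encryption" // assumed purpose label
	kA, err := alice.SharedKey(bob.PublicKey(), info)
	if err != nil {
		return nil, err
	}
	kB, err := bob.SharedKey(alice.PublicKey(), info)
	if err != nil {
		return nil, err
	}
	aad := []byte("record-id:42") // authenticated header, sent in the clear
	box, err := Seal(kA, message, aad)
	if err != nil {
		return nil, err
	}
	return Open(kB, box, aad)
}

func main() {
	msg := []byte("constructed sample: customer record 42") // constructed input
	out, err := Exchange(msg)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("round trip ok: %q\n", out)
}
```

Two caveats worth knowing even when the library hides the math: GCM will reject any tampered ciphertext or header, which is the property you want for stored data, and an unauthenticated Diffie-Hellman exchange like the one above says nothing about who the peer is, which is why real protocols such as TLS sign the exchange with a certificate-backed key.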
2. CISOs/CIOs struggle to understand the basics of cryptography
Given that the complexity of cryptography is an issue, most (not all) CISOs/CIOs find it challenging to understand the basics of cryptography. It's a problem because they cannot engage in a strategic conversation about protecting their corporate data. Cryptography seems to be their kryptonite, and you don't want to walk into a room with your CISO/CIO holding a chunk of kryptonite in your hand, so most "trusted advisors" of the CISOs/CIOs don't bother. Sorry, it's true.
3. Lack of internal resources that can be assigned to a cryptographic project
So, for argument's sake, let's say you've made it to the CISO/CIO level with an idea to encrypt data or sign code for a project that will protect your corporation's data. Congratulations.
The next big hurdle is that the number of people on an IT staff who can lead a project of this type is limited or non-existent, and hiring someone with these skills is expensive. The average salary for a person with extensive cryptographic experience is probably 30% higher than that of your typical network engineer. Most network engineers who have passed the CISSP exam cannot tell you the difference between symmetric and asymmetric cryptography because they rarely get hands-on experience with it after the exam.
4. The difficulty of explaining a cryptographic project to the people who approve the budget
This is probably the biggest blocker of all the reasons for not implementing a data protection strategy. Implementing an effective data protection strategy is expensive; invariably, someone holding the corporate purse strings will ask: "What's the return on investment for this expense?" or "Can you explain how this will work?" The former question has always been impossible to answer; the latter requires the person requesting the funding to explain cryptography. After about ten minutes of trying to explain even the basic points of cryptography, the expense approver will undoubtedly begin to lose interest. It's at this point that the request will probably shift to asking for more money for a firewall. "Now that I can get my head around," says the expense approver.
5. Fear that they might prevent their own people from accessing the data
This is a real fear IF a company embarks on a data protection strategy without the proper resources. In my career, I've seen this happen more times than I want to admit.
Here's the scenario: A young engineer who has just passed his CISSP exam enters the IT VP's office and discusses the advantages of implementing a PKI solution. The IT VP listens intently but understands very little of what the young engineer tells him (see item 2). However, the IT VP thinks it might be a good idea to try it, considering that there's no software cost for a Microsoft PKI. "Sure," the IT VP says. "Go ahead. Let's give it a try."
Over the next few days and maybe a weekend, the young engineer implements a PKI without documentation. Initially, it's successful, and the company starts adding to it. Let's try encryption. Let's try authentication.
At this point, one of two things happens: either the young engineer leaves, or he asks for more money because only he knows how the new system works.
The solution will fail as time progresses due to a lack of up-front planning, and the fear becomes a self-imposed reality. See items 1, 2, and 3.
Conclusion
If any of these items ring true, don't be discouraged. Learn about cryptography. Spend money on talented resources who understand cryptography.
Don't overcomplicate the business case for cryptography when presenting it to those who pay the bills, and remember that every data breach begins with a perimeter breach. While it might be the "easy" button just to spend more money on your firewalls, you're not doing yourself any favors. Cryptography and encryption are the only proven solutions to protecting your company's data.
Fortanix was developed to simplify cryptography and to provide the systems/resources to make the promise of the security associated with cryptography a reality. Our SaaS offering makes it even easier to deploy, and eliminates the cost and skilled resources associated with hosting and managing an on-premises solution. Connect with our team of experts to discuss this further.