From the Bottom Line to the Command Line: Encryption
Everyone in an organization should be informed, but not always to the same degree. Just as dangerous as wrong information is the wrong amount of information. Too much information hides the important, decision-driving knowledge, and too little leaves the decision maker uninformed. Having the right amount of information is key to making the right decision, and this balance is especially important for cybersecurity leaders and practitioners. In the From the Bottom Line to the Command Line series we will be covering several relevant cybersecurity topics through these different lenses.
What _____ Need to Know About Encryption
Today, we’ll look at one of the most cyber-synonymous concepts: encryption. At its core, encryption is the process of encoding messages and information so that only authorized parties are granted access. In this piece, we’ll discuss what personnel at various levels of an organization need to know about it.
Board Members and Executives
The modern, insecure world requires boards and executives to think critically about significant cyber issues facing their organizations. In order to protect their organization and its shareholders, board members and executives should have a general understanding of encryption and why it is a necessary security expense.
To put into perspective why encryption is necessary, let’s consider what would happen if encryption were absent. From simply scanning daily newspaper headlines, board members and executives know that data is frequently stolen or compromised. Stolen data can be sold on the black market (often via the dark web) or used for corporate espionage, among other nefarious purposes.
Encryption helps protect against data theft. Since encryption stores or sends information in a form that can’t be read by unauthorized individuals, it protects information that should be kept confidential even if the underlying storage or connection is breached.
Board members and executives should be aware of information owned or handled by their organization that should be encrypted. Information commonly referred to by the acronyms PII (personally identifiable information), PHI (protected health information), and IP (intellectual property) is among the most sensitive data an organization holds and must be protected through encryption. Business objectives and consumers’ goodwill depend on it. This type of information is so sensitive that certain privacy laws and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), require it to be encrypted when stored or transmitted.
In sum, board members and executives should have a high-level focus on encryption, understand basic definitions of encryption, and be able to identify the information that their organization handles which merits encryption.
Practitioners
Practitioners require a much deeper understanding of encryption than board members and executives. They should know how and when to implement it, and must keep abreast of the latest developments in encryption algorithms.
Like board members and executives, practitioners should know which information merits encryption. Once that information is identified, they must ensure the encryption is actually implemented. If information is at rest (such as stored in a database), practitioners need to make sure it is encrypted with a symmetric algorithm. Choosing the symmetric algorithm is another important job of a practitioner. They should stay up to date on the most secure algorithms and choose a strong and fast algorithm such as the Advanced Encryption Standard (AES), and avoid older, broken algorithms such as the Data Encryption Standard (DES).
When sensitive information is in transit (such as being emailed or uploaded), practitioners must ensure the leading asymmetric algorithms are used to authenticate the parties and establish the secure connection over which the data is then sent. In some cases, they must also be able to set up and manage a certificate-based Public Key Infrastructure (PKI, the backbone of asymmetric encryption), ensuring all parties are trusted and using secure communication channels.
Knowing these differences and use cases of encryption is a must-know for security practitioners and a must-do for security engineers. Chief Technology Officers and Chief Information Security Officers (CTOs, CISOs) typically fall into the must-know category. Their day-to-day job won’t involve setting up a PKI, but they should know whether a company-hosted or private PKI is better for their business needs.
It’s also worth noting what on-the-ground security practitioners don’t need to know. There’s no need for practitioners to get tangled in the weeds of encryption. The mathematics behind how encryption actually scrambles plaintext into ciphertext can be left to those with calculators and protractors. For example, security engineers can skip understanding how elliptic-curve cryptography (ECC) relies on the discrete logarithm problem, but they should know that ECC is well suited to resource-constrained devices, such as mobile phones.
Business Leaders
We started with the two extremes on opposite ends of the spectrum to give clarity and context to the final group, business leaders. These leaders should have an encryption knowledge level between that of executives and practitioners.
Business leaders are defined as enterprise leaders who focus on aligning technology and business objectives. They come with a certain baseline of technological understanding (they know what encryption is and understand the difference between data at rest and data in transit), but they don’t need technical experience. The most important characteristic of these leaders is that they are consumer- and stakeholder-focused and bridge the gap between the business-driven executives and the tech-consumed practitioners.
Business leaders may include marketing and sales leaders or Chief Operations Officers (COOs). The marketing and sales leaders understand the importance of encryption from a consumer perspective. Good cybersecurity is good branding. Consumers are more likely to trust and use services that prioritize security and can protect their personal information. That little green lock in the browser when visiting your eCommerce website (meaning the site is TLS-secured for all you practitioners) is attractive and comforting to a potential customer. Poor encryption, by contrast, can be a turn-off and a liability.
The more technology-focused business leaders are the ones thinking about how business and security can work together: how security can be a business driver, not a business decelerator. Good business leaders understand that cybersecurity in an organization is like the brakes on a car. The brakes aren’t there to make the car go slower; they’re there to let it go faster safely.
Understand, Analyze, Evaluate, Create
As an education and learning science company, we’re compelled to use Bloom’s Taxonomy to wrap everything together for you. Bloom’s Taxonomy is a pyramid of learning objectives, rising from understanding through analyzing and evaluating to creating.
The table below summarizes, using Bloom’s taxonomy, what each organizational group needs to know about encryption.
Board and Executives (Understand): Identify and define encryption and understand why it’s important.
Business Leaders (Analyze): Use encryption in new ways. See how its implications affect the business.
Practitioners (Evaluate, Create): Be able to distinguish which encryption algorithms are better than others, and be able to support encryption infrastructure.
Does your business plan call for a detailed understanding of how encryption can impact your organization? We’ve got your training needs covered from the bottom line to the command line. Learn more about Cyber Resolve, training programs designed to provide cyber risk education specifically to board and executive leaders.