What A CIO Needs To Know About Encryption

CIOs need to know when to make use of encryption
Image Credit: Yuri Samoilov

Due to the importance of information technology, the person with the CIO job has been handed the responsibility of keeping the company’s information assets safe. This involves a number of different things, including preventing the wrong people from gaining access to the company’s networks. However, there is always the possibility that company information may fall into the wrong hands. What should you do when this happens? The answer is that all important information should be encrypted, but just exactly what does this mean to a CIO?

What Can A Company Use Encryption For?

Before we dive into a discussion about what your company can use encryption to accomplish, perhaps we should first take just a moment and make sure that we all have the same understanding of just exactly what encryption is. In a nutshell, when we are talking about encryption, we’re talking about using computers to perform complex mathematical operations that turn company information into coded strings of symbols.

Every company has, by necessity, a great deal of information that it uses to conduct its business. Not all of this information is the same. Some can be classified as being critical to the operation of the business. This can include things such as customer information, banking information, etc. Other information is not nearly as important. Examples of this type of information include press releases, the cafeteria menu for the week, the annual list of company holidays, etc.

As the CIO you need to realize that you have two different collections of data. It’s the important data that you need to worry about the most. You need to understand that despite your best efforts, there is the very real possibility that one day a hacker will find a way to breach the network defenses that you’ve put in place. By ensuring that your company’s critical data is stored in an encrypted form, you’ll make that data worthless to any hacker who might get their hands on it.

Does Encryption Really Protect A Company?

Having made a decision to encrypt your company’s most critical data, as the CIO you are now going to have to start to manage the encryption (and decryption) processes at your company. One question that always seems to come up when we are talking about encryption has to do with the company’s email: should it be encrypted? The answer is yes, but it may prove to be too difficult to do. Both the sender and the receiver would have to have access to the encryption / decryption software to make that work.

Another question that comes up as CIOs are planning how best to encrypt the company’s data is whether going to the effort of encrypting it is really going to keep the company’s data secure. The answer is a qualified yes. The encrypted data will be secure as long as the bad guys can’t get their hands on the encryption keys that you are using. All too often in corporate data breaches, this is exactly what happens.

Finally, there is the somewhat obvious question of just exactly why every piece of data at the company is not encrypted. I mean, if you did that then you would not have to spend any time thinking about what needs to be encrypted and what you can skip. The reason that this is not a valid solution is that it takes time (even for computers) to encrypt information, and so this slows everything down. Putting the systems and processes in place to encrypt and decrypt information is a difficult process. Once such a system has been set up, controlling who has access to the encryption keys then becomes yet another important task for a CIO to do correctly.

What All Of This Means For You

Let’s face it, there is probably no way that any person with the CIO job can ever hope to guarantee that important company information will never fall into the wrong hands. What this means for you as the CIO is that you need to take steps before this event happens to ensure that valuable company information doesn’t leak outside the firm. The best way to make sure your private information stays private is to encrypt it.

Encryption simply involves taking information and transforming it into unreadable information. Things that are well suited to being encrypted include customer records, anything to do with money, and company emails. In order to make sure that the bad guys can’t read your encrypted information, you need to take special steps to make sure that your encryption keys don’t fall into the wrong hands.

Encryption may not be the right answer for all company communications – the overhead may be too high in some cases. However, for the most sensitive of company information it is probably the right choice. As CIO you need to take the correct steps to make sure that your company’s critical information is both encrypted and stays encrypted.

– Dr. Jim Anderson
Blue Elephant Consulting –
Your Source For Real World IT Department Leadership Skills™

Question For You: What company information do you think should NOT be encrypted?


What We’ll Be Talking About Next Time

If there is one thing that I think that we can all agree on then it is that our data processing and storage needs continue to grow as the company comes to realize the importance of information technology. The person with the CIO job now has to find a way to deal with this explosive growth. This means that you are going to need to find more room to house the servers and the storage systems that your firm is going to be needing. You have three options: build, collocate, or cloud. How can you decide between these options?