Moreover, encryption of stored data carries significant risks. If a message in transit fails to decrypt, yielding garbage instead of the original, the sender still holds the plaintext and can simply resend it. But when the decryption of a disk drive goes wrong, an infrequent but nonetheless disturbing prospect, in most cases nothing can be done unless an unencrypted backup (or an escrowed copy of the encryption key) is stored elsewhere. Few IT executives would relish telling a user that the 40 gigabytes of data on his or her laptop are unrecoverable. Encryption can also slow a PC by anywhere from 1 to 20 percent, depending on the implementation, so user dissatisfaction can become a significant issue.
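The two failure modes in that paragraph, as an added illustration that is not code from the article or its author: a message that fails to decrypt in transit is simply resent, while an encrypted disk whose key is gone is unrecoverable unless the key was escrowed. The cipher used here is an assumption made for the example (HMAC-SHA256 as a counter-mode keystream plus an HMAC tag, built only from the Python standard library so it runs anywhere); it stands in for a real product's AES and is not how any disk-encryption product actually works. The functions `send_with_retry`, `provision_disk`, `open_disk` and `forgotten_passphrase_outcome`, the key-slot layout and the sample data are all constructed for the example.

```python
"""Constructed illustration: stored-data encryption fails permanently when
the key is lost, unless the key was escrowed; in-transit data is just resent.
The cipher is a toy (HMAC-SHA256 keystream + HMAC tag), NOT a real one."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ROUNDS = 100_000


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate keystream and MAC keys so the two HMAC uses never collide.
    return hashlib.sha256(label + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Raises ValueError on a wrong key or any corruption; never returns garbage."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or corrupted data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def send_with_retry(key: bytes, message: bytes, corrupt_first_n: int = 1):
    """Dynamic data: the sender still holds the plaintext, so a delivery that
    fails to decrypt (simulated here by flipping a ciphertext bit) is resent.
    Returns (decrypted message, number of attempts needed)."""
    attempts = 0
    while True:
        attempts += 1
        blob = bytearray(encrypt(key, message))
        if attempts <= corrupt_first_n:
            blob[NONCE_LEN] ^= 0x01  # damage the first ciphertext byte in transit
        try:
            return decrypt(key, bytes(blob)), attempts
        except ValueError:
            continue  # receiver rejects it; sender transmits again


def provision_disk(passphrase: str, data: bytes, escrow: bool):
    """Static data: a random volume key encrypts the data. The volume key is
    wrapped under a passphrase-derived key and, if escrow is on, also under a
    recovery key that IT keeps off the machine (a key-slot layout assumed here)."""
    volume_key = os.urandom(32)
    salt = os.urandom(16)
    user_kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS)
    recovery_key = os.urandom(32) if escrow else None
    disk = {
        "salt": salt,
        "user_slot": encrypt(user_kek, volume_key),
        "recovery_slot": encrypt(recovery_key, volume_key) if escrow else None,
        "data": encrypt(volume_key, data),
    }
    return disk, recovery_key


def open_disk(disk, passphrase=None, recovery_key=None) -> bytes:
    """Unwrap the volume key from whichever slot we can, then decrypt the data."""
    if passphrase is not None:
        kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), disk["salt"], PBKDF2_ROUNDS)
        volume_key = decrypt(kek, disk["user_slot"])
    elif recovery_key is not None and disk["recovery_slot"] is not None:
        volume_key = decrypt(recovery_key, disk["recovery_slot"])
    else:
        raise ValueError("no usable key: data is unrecoverable without a backup")
    return decrypt(volume_key, disk["data"])


def forgotten_passphrase_outcome(escrow: bool) -> str:
    """The laptop scenario: the user's passphrase is gone. With no escrowed key
    the data is lost; with one, IT can recover it."""
    data = b"40 GB of quarterly numbers (constructed sample)"
    disk, recovery_key = provision_disk("correct horse", data, escrow)
    try:
        open_disk(disk, passphrase="wrong guess")
    except ValueError:
        pass  # wrong passphrase: the user slot does not authenticate
    try:
        return "recovered" if open_disk(disk, recovery_key=recovery_key) == data else "corrupt"
    except ValueError:
        return "unrecoverable"


if __name__ == "__main__":
    print("in transit:", send_with_retry(os.urandom(32), b"order 1234"))
    print("disk, no escrow:", forgotten_passphrase_outcome(escrow=False))
    print("disk, escrow:", forgotten_passphrase_outcome(escrow=True))
```

The practical point for the retention policy that follows: whoever mandates encryption of laptops and backups also has to mandate where the recovery keys live and who can use them, because an authenticated cipher that rejects a wrong key is exactly what makes a lost key a total loss.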
But those problems are minor compared to the threat of data theft. With breaches occurring every week, few senior managers can afford to do nothing. The situation is analogous to that of the late 1990s, when the Y2K threat presented an IT problem urgent enough to require senior management involvement to marshal the resources necessary to complete the task.
If protecting static data isn’t already a high priority for corporate leaders, it needs to become one — and fast. Theft of data can be catastrophic: It can destroy the trust a company has built with its customers, negatively affect earnings, and result in intervention by regulators or prosecutors, which could be costly. With so much at stake, the responsibility for leading the effort to safeguard confidential information must reside at the highest levels of the organization.
To minimize data theft, CEOs should oversee an enterprise-wide initiative that includes:
• Implementing stringent corporate information retention policies and processes. These rules should state explicitly what data can be stored, where it can be stored (on PCs, laptops, PDAs, etc.), and how (encrypted or not) it should be stored. The policies need to address all types of data (customer, employee, and supplier records), not just financial information, and they should include guidelines for getting rid of obsolete information as soon as it is not needed, to reduce the amount of information stored.
• Allocating resources, such as money, staff, and time. This will likely require postponing other IT work. CEOs must be vigilant that the data security program is never put on the back burner while more popular projects are completed.
• Running interference. Users need to be told explicitly that the decision to protect sensitive data comes from the CEO and that IT management is simply the CEO’s agent for implementation.
The best guess is that in five to seven years, all data — be it stored in a data center, on tapes sent by messenger to off-site storage, on laptops, cell phones, PDAs, or who knows where — will be encrypted. But before then, many organizations will suffer embarrassing data losses and information theft. Smart CEOs will act now before they are victimized; others will pay the price for dismissing the vital importance of keeping data private.
George Tillmann ([email protected]) recently retired from Booz Allen Hamilton, where he was a vice president. He spent his first 17 years at the firm as a management consultant specializing in information technology and his last five years as its chief information officer. He now helps CIOs manage their IT organizations.