News Stay informed about the latest enterprise technology news and product updates.

Data encryption becoming easier choice, says former CISO

Steven Katz, founder and president of IT security consultancy Security Risk Solutions is widely regarded as the first CISO. He has three decades of experience in the security industry, managing information security at JP Morgan, Citigroup and Merrill Lynch. (He was named CISO at Citigroup in 1995.) Today he serves on a number of vendor advisory boards including data encryption vendor, Voltage Security, Inc. where he has become a strong advocate of data encryption technologies. He is also chief advisor and roundtable moderator at the Roundtable Network, a forum for CISOs, CROs, CIOs and IT executives to exchange views on information security topics, risk management, governance, and privacy.

You have a significant number of [encryption]vendors competing for business and there's nothing better for cost than competition.
Steven Katz,
founder, presidentSecurity Risk Solutions
What's your take on why we're seeing so many data breaches?
There are two axioms that we have to live with. I'm paraphrasing a friend of mine at a major financial institution: Data wants to be free and shared. It's just the nature of data. And the second is that networks will be attacked. The combination of the two says we really have to take a data-focused approach to protecting information regardless of where it is, where it's located and its status whether it's in transit or not. Data will ultimately become visible to people to whom you don't want it visible and the answer is that it has to be protected regardless of where it is. The only way to effectively protect it is a well implemented and well constituted data encryption program.

The concern that we've had in the past is that when we encrypt a data string we get a much larger data string. And if you look at databases, you wind up losing all kinds of referential integrity and losing all your checksums that you've pulled into this. So the challenge continues and there is at least one company probably more coming out with what's called format preserving encryption where credit card numbers, personal identification numbers and personal health information can be encrypted and you maintain the size of the data fields, maintain the check sums and retain referential integrity across databases. Isn't that easier said than done in many cases? How easy is it to deploy encryption?
It's not as difficult as it may seem. Cryptography has come a long way. There are a number of good technology companies out there that make it relatively painless. It's a challenge to deploy anything, but the reality is you have to have a trust relationship with your customer base. One of the things we had in place when I was at Citi, we had an information security awareness program. We said Citi has two products: Money and trust. If you didn't sell the trust you would have a difficult time selling the money. Anytime I used an Internet system I'm trusting them to keep my information confidential.

But many companies don't have a good handle on their data. They don't know where all their data resides, especially with larger firms with multiple complex systems. Katz: Like anything else you try to beat the elephant one bite at a time. I think you find the most critical data store and begin there and if you encrypt 50% of the problem you're 50% ahead of the game. I'll be the first to agree that we'll never get to 100% but let's get as close as we can. It's a complicated problem. Is it becoming cost effective for companies to deploy encryption?
My understanding is that the costs are starting to come down significantly. More people are rolling it out. You have a significant number of vendors competing for business and there's nothing better for cost than competition. Now that format preserving encryption has become a reality implementation is a lot more acceptable. There's nothing worse than trying to take a 15 character credit card number and turning it into a 150 or 180 character encrypted number. It doesn't work. But if you can go ahead and take a 15 character credit card number and come out with a 15 character encrypted credit card number … I don't see why there is a reason not to go ahead with it. You have such an extensive background as a CISO. What has become of the role of late and how do you see it evolving?
I was the first CISO in the industry in 1995 at Citigroup. I was two down from the CEO. This was really revolutionary for its time. We wanted to make information security a business risk management issue. A great deal of my time was working with senior business executives, Citi operations executives and working with the operations risk management committee, which was a subcommittee of the board. We're seeing much more of this now. More and more folks are moving into the chief risk officer role or chief information risk officer role who have a business perspective first and a technology perspective almost as a secondary role. There's an understanding that businesses take risks to grow and recognizing that there are tradeoffs in everything you do.

Dig Deeper on Disk and file encryption tools

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.