Encryption and Key Management

August 2007


Encryption & Key Management Page 2

© 2007 Aberdeen Group. Telephone: 617 723 7890

Executive Summary

To support the broader deployment of encryption for the protection of sensitive data and to deal with the management of encryption keys over their lifecycle, Best-in-Class organizations are beginning to look towards centralized key management and automated key distribution solutions to deliver higher scalability, lower operational costs, reduce risk, establish consistent security policies, and sustain regulatory compliance.

“You have to plan. We spend a lot of time planning. If you don’t, you’re likely to get yourself in a hole you can’t get out of. The number of keys under management never goes down … and we may need to go back and recover encrypted data at any time.”

~ Trusted Computing Development Manager, $5.7B US-based Industrial Equipment Manufacturer (managing encryption keys since 1996, with >3M keys currently under management)

Best-in-Class Performance

Based on feedback from more than 150 organizations, Aberdeen used the following performance criteria to distinguish Best-in-Class companies from Industry Average and Laggard organizations in the protection of sensitive data using encryption and key management:

• Increase in the total percentage of sensitive data identified, compared to a year ago;

• Decrease in the number of incidents of exposed or potentially exposed data due to inconsistent encryption and key management policies, compared to a year ago; and

• Decrease in the number of incidents of inaccessible data due to mismanagement of encryption keys, compared to a year ago.

Competitive Maturity Assessment

Survey results show that the firms enjoying Best-in-Class performance shared several common characteristics. Compared to one year ago:

• 81% increased the number of application types / use cases using encryption

• 71% increased the number of encryption keys under management

• 50% increased the number of locations (including multiple sites, branches, outsourcing partners, partner extranets) implementing encryption

• 46% increased the consistency of encryption and key management policies across multiple applications / use cases

Required Actions

In addition to the specific recommendations in Chapter 3 of this report, to achieve Best-in-Class performance organizations should build the strategic capability to support the flow of information across organizational and network boundaries, by using encryption solutions to secure the data coupled with an infrastructure to manage, protect and control access to the encryption keys that provide the foundation for this higher level of protection.

www.aberdeen.com Fax: 617 723 7897


Table of Contents

Executive Summary ... 2
  Best-in-Class Performance ... 2
  Competitive Maturity Assessment ... 2
  Required Actions ... 2
Chapter One: Benchmarking the Best-in-Class ... 4
  Expanding Use of Encryption ... 4
  Maturity Class Framework ... 5
  Best-in-Class PACE Model ... 6
Chapter Two: Benchmarking Requirements for Success ... 10
  Competitive Assessment ... 10
  Organizational Capabilities and Technology Enablers ... 13
Chapter Three: Required Actions ... 15
  Laggard Steps to Success ... 15
  Industry Average Steps to Success ... 15
  Best-in-Class Steps to Success ... 15
Appendix A: Research Methodology ... 17
Appendix B: Related Aberdeen Research ... 20

Figures
  Figure 1: Leading Drivers for Use of Encryption (all respondents) ... 4
  Figure 2: Strategic Approach to Securing Sensitive Data ... 7
  Figure 3: Strategic Approach to Encryption ... 8
  Figure 4: Key Management – Level of Automation ... 13

Tables
  Table 1: Companies with Top Performance Earn “Best-in-Class” Status ... 5
  Table 2: Best-in-Class PACE Framework ... 6
  Table 3: Competitive Framework ... 11
  Table 4: PACE Framework Key ... 18
  Table 5: Competitive Framework Key ... 18
  Table 6: Relationship Between PACE and Competitive Framework ... 19


Chapter One: Benchmarking the Best-in-Class

Expanding Use of Encryption

Fast Facts

Compared to one year ago:

√ 81% of the Best-in-Class increased the total number of application types / use cases for encryption

√ 71% of the Best-in-Class increased the total number of encryption keys under management

√ 50% of the Best-in-Class increased the number of locations (including multiple sites, branches, outsourcing partners, and partner extranets) using encryption

Encryption is the process of transforming information into a form that cannot be read without the possession of special knowledge, referred to as a key. The purpose of encryption is to ensure that the information remains private from anyone not authorized to read it, even from those who may have access to the encrypted data. Although the use of encryption to protect sensitive data – whether the data is at rest, in transit, or in use – is anything but new, its application is growing ever more widespread. High-profile data breaches, identity theft, industry and government regulations, insider attacks, softening consumer confidence, and the increasing mobility of sensitive information are among the many motivations for the expanding use of encryption.

Figure 1: Leading Drivers for Use of Encryption (all respondents)

• Protect sensitive data: 66%

• Protect against the threat of external attacks: 19%

• Protect against the threat of internal attacks: 13%

• Support the mobility requirements of employees: 11%

Source: Aberdeen Group, August 2007

The increasing adoption of encryption-enabled solutions, however, also translates to a proliferation of encryption keys, and creates a new security management problem: all keys have a lifecycle, which includes generation, distribution, storage, use, archiving, backup and retrieval, replacement, revocation, and eventual expiration and termination. To support the broader deployment of encryption and to deal with the management of encryption keys over their lifecycle, Best-in-Class organizations are beginning to look towards centralized key management and automated key distribution solutions to deliver higher scalability, lower operational costs, reduce risk, establish consistent security policies, and sustain regulatory compliance.
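The lifecycle just listed (generation, distribution, use, archiving and retrieval, replacement, revocation, termination) is what a centralized key manager has to enforce, and the quote in the Executive Summary spells out the two properties that make it hard: the number of keys under management never goes down, and archived data must remain recoverable at any time. The following is an added example, not code from the Aberdeen report or from any product it mentions: a minimal key manager in Python (standard library only) in which every key carries an id, a lifecycle state and an audit record, every ciphertext carries the id of the key that produced it, a replaced key drops to a decrypt-only state, and destruction is refused until an assumed 90-day retention window has passed. The class and method names, the purpose label "payment-db", the retention window and the ciphertext layout are all assumptions made for this example; the HMAC-based encryption stands in for AES-GCM so the example runs without third-party libraries and is there only to show how keys are handled.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from enum import Enum

RETENTION_SECONDS = 90 * 24 * 3600  # assumed: how long a replaced or revoked key is kept before destruction

class KeyState(Enum):
    ACTIVE = "active"        # distributed to endpoints; used to encrypt and decrypt
    RETIRED = "retired"      # replaced by a newer version; decrypt-only, for archived data
    REVOKED = "revoked"      # withdrawn (e.g. suspected compromise); no cryptographic use at all
    DESTROYED = "destroyed"  # terminated: material wiped once the retention window has passed

@dataclass
class ManagedKey:
    key_id: str
    state: KeyState
    material: bytes
    retain_until: int = 0  # earliest time at which destruction is permitted

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: enough to show key handling; real deployments use AES-GCM.
    blocks = (hmac.new(key, b"enc" + nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def _parse(blob: bytes):
    # Ciphertext layout (assumed): 2-byte key-id length | key id | 16-byte nonce | body | 32-byte tag
    (n,) = struct.unpack(">H", blob[:2])
    return blob[2:2 + n].decode(), blob[:2 + n], blob[2 + n:18 + n], blob[18 + n:-32], blob[-32:]

class KeyManager:
    def __init__(self, now: int):
        self.now = now       # injectable clock (seconds) so the example can age keys
        self.keys = {}       # key_id -> ManagedKey
        self.active = {}     # purpose -> key_id used for new encryptions
        self.audit = []      # (time, event, key_id) records: the audit trail

    def rotate(self, purpose: str, compromised: bool = False) -> str:
        # Generation and replacement: the new version becomes active; the previous one is
        # retired (decrypt-only) or, if it is being replaced because of compromise, revoked.
        version = sum(k.startswith(purpose + "/v") for k in self.keys) + 1
        key_id = f"{purpose}/v{version}"
        self.keys[key_id] = ManagedKey(key_id, KeyState.ACTIVE, os.urandom(32))
        self.audit.append((self.now, "generated", key_id))
        if purpose in self.active:
            old = self.keys[self.active[purpose]]
            old.state = KeyState.REVOKED if compromised else KeyState.RETIRED
            old.retain_until = self.now + RETENTION_SECONDS
            self.audit.append((self.now, old.state.value, old.key_id))
        self.active[purpose] = key_id
        return key_id

    def destroy(self, key_id: str) -> None:
        # Termination: only retired or revoked keys, and only once their retention window has passed.
        key = self.keys[key_id]
        if key.state not in (KeyState.RETIRED, KeyState.REVOKED) or self.now < key.retain_until:
            raise PermissionError(f"{key_id} is {key.state.value} or still inside its retention window")
        key.material, key.state = b"", KeyState.DESTROYED   # stand-in for a real wipe
        self.audit.append((self.now, "destroyed", key_id))

    def encrypt(self, purpose: str, plaintext: bytes) -> bytes:
        # Use: always the active key; its id travels with the ciphertext so retrieval can find it.
        if purpose not in self.active:
            raise LookupError(f"no active key for {purpose}; rotate first")
        key = self.keys[self.active[purpose]]
        header = struct.pack(">H", len(key.key_id)) + key.key_id.encode()
        nonce = os.urandom(16)
        body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key.material, nonce, len(plaintext))))
        tag = hmac.new(key.material, b"mac" + header + nonce + body, hashlib.sha256).digest()
        self.audit.append((self.now, "encrypt", key.key_id))
        return header + nonce + body + tag

    def decrypt(self, blob: bytes) -> bytes:
        # Retrieval: active and retired keys may decrypt; revoked or destroyed keys may not.
        key_id, header, nonce, body, tag = _parse(blob)
        key = self.keys[key_id]
        if key.state not in (KeyState.ACTIVE, KeyState.RETIRED):
            raise PermissionError(f"{key_id} is {key.state.value}; decryption refused")
        expected = hmac.new(key.material, b"mac" + header + nonce + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext failed authentication")
        self.audit.append((self.now, "decrypt", key_id))
        return bytes(c ^ k for c, k in zip(body, _keystream(key.material, nonce, len(body))))

    def rewrap(self, blob: bytes) -> bytes:
        # Re-encrypt archived data under the active key before its old key is revoked or destroyed.
        return self.encrypt(_parse(blob)[0].rsplit("/", 1)[0], self.decrypt(blob))

def demo() -> dict:
    # Constructed walk-through: generate, use, replace, retrieve from archive, migrate, terminate.
    km = KeyManager(now=1_000_000)
    v1 = km.rotate("payment-db")
    archived = km.encrypt("payment-db", b"constructed 2006 card-batch record")
    km.now += 30 * 24 * 3600
    v2 = km.rotate("payment-db")                          # v1 retired, still able to read the archive
    recovered, migrated = km.decrypt(archived), km.rewrap(archived)
    km.now += RETENTION_SECONDS
    km.destroy(v1)                                        # retention window elapsed; v1 wiped
    return {"v2": v2, "v1_state": km.keys[v1].state.value, "recovered": recovered,
            "migrated_under": _parse(migrated)[0], "events": [e for _, e, _ in km.audit]}
```

Two design choices carry the report's points. The key id inside each ciphertext is what lets archived data be read after a rotation, which is why the retired state exists separately from revoked: a retired key still decrypts, a revoked one does not, so data under a compromised key has to be re-wrapped before the rotation that revokes it. And destruction is gated on both state and a retention clock, so the manager cannot silently create the "inaccessible data" incidents the report uses as a Laggard indicator.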


Objectives for this Report

This research report was designed to give new insights into how organizations are leveraging encryption and key management solutions to:

• Support the use of encryption across an increasing volume of applications, servers, end-users, and networked devices;

• Manage encryption keys across their complete lifecycle, from generation to eventual termination;

• Manage risk in a consistent way across multiple use cases and geographically dispersed locations; and

• Achieve and sustain compliance with internal security policies and external regulations.

For additional details on Aberdeen’s research methodology, see Appendix A.

Maturity Class Framework

Aberdeen used the following performance criteria to distinguish “Best-in-Class” organizations from “Industry Average” and “Laggard” organizations in their use of encryption and key management to protect sensitive data:

• Increase in the total percentage of sensitive data identified, compared to a year ago;

• Decrease in the number of incidents of exposed or potentially exposed data due to inconsistent encryption and key management policies, compared to a year ago; and

• Decrease in the number of incidents of inaccessible data due to mismanagement of encryption keys, compared to a year ago.

Companies with top performance based on these criteria earn “Best-in-Class” status, as described in Table 1. (For additional details, see Table 5 in Appendix A.)

Table 1: Companies with Top Performance Earn Best-in-Class Status

Definition of Maturity Class / Mean Class Performance

Best-in-Class: Top 20% of aggregate performance scorers

• 64% increased the total percentage of sensitive data identified, compared to a year ago

• 82% decreased the number of incidents of exposed or potentially exposed data due to inconsistent encryption and key management policies, compared to a year ago

• 72% decreased the number of incidents of inaccessible data due to mismanagement of encryption keys, compared to a year ago

Industry Average: Middle 50% of aggregate performance scorers

• 47% increased the total percentage of sensitive data identified, compared to a year ago

• 6% increased the number of incidents of exposed or potentially exposed data due to inconsistent encryption and key management policies, compared to a year ago

• 4% increased the number of incidents of inaccessible data due to mismanagement of encryption keys, compared to a year ago

Laggard: Bottom 30% of aggregate performance scorers

• 14% increased the total percentage of sensitive data identified, compared to a year ago

• 33% increased the number of incidents of exposed or potentially exposed data due to inconsistent encryption and key management policies, compared to a year ago

• 31% increased the number of incidents of inaccessible data due to mismanagement of encryption keys, compared to a year ago

Note: the percentages reflected in Table 1 represent the net of all responses of “increased”, “remained the same”, and “decreased” compared to one year ago.

Source: Aberdeen Group, 2007

Best-in-Class PACE Model

Achieving superior performance in protecting sensitive data using encryption and key management requires a combination of strategic actions, organizational capabilities, and enabling technologies, as summarized in Table 2. (For a description of Aberdeen’s PACE Framework, see Table 4.)

Table 2: Best-in-Class PACE Framework

Pressures

• Protect sensitive data

Actions

• Support the use of third-party encryption solutions across an increasing range of existing infrastructure, applications, servers, end-users, and networked devices

• Protect and control access to the network and to the data itself

• Secure the data, and protect and control access to the encryption keys that secure the data

Capabilities

• Flexible distribution and integration of keys to a wide variety of encryption-enabled endpoints

• Management of encryption keys across their complete lifecycle, from generation to eventual termination

• Enforcement of consistent security policies to manage business risk

• Audit, analysis and reporting capabilities to address compliance requirements

Enablers

• File Encryption

• Full-Disk Encryption

• Mobile Device Encryption

• USB Device Encryption

• Database Encryption

• Storage / Backup Encryption

• Application Encryption

• Key Management

• Hardware Security Modules (HSM)

• Trusted Platform Modules (TPM)

• Public-Key Infrastructure (PKI)

• Smart Cards; Card Issuance Systems

Source: Aberdeen Group, August 2007

In response to the pressure to protect sensitive data, 40% of the Best-in-Class indicate that they are supporting the use of third-party encryption solutions across an increasing range of existing infrastructure, applications, servers, end-users, and networked devices. Best-in-Class companies have begun to shift their strategic approach to securing sensitive data:

• from the traditional, perimeter-based approach of protecting the network and controlling access to the data itself (39%),

• to an information-centric, de-perimeterized approach of securing the data combined with protecting and controlling access to the encryption keys that secure the data (25%).

Compared to the Industry Average, the Best-in-Class companies in the survey were 1.9X more likely to have adopted an information-centric, de-perimeterized approach than a traditional, perimeter-based approach to securing sensitive data. See Figure 2.

Figure 2: Strategic Approach to Securing Sensitive Data (Best-in-Class / Industry Average)

• Protect and control access to the network and access to the data itself: 39% / 45%

• Secure the data, and protect and control access to the encryption keys that secure the data: 25% / 15%

Source: Aberdeen Group, August 2007


To date, the most common adoption of encryption across all companies surveyed has been the tactical deployment of point solutions where specific needs exist. However, the research indicates that a new, more strategic approach to encryption and key management has emerged. Best-in-Class companies have started to shift:

• from tactical deployment of point solutions for encryption, where specific needs exist (46%),

• to a top down, enterprise-wide view of encryption for protecting sensitive data (36%).

Compared to the Industry Average, the Best-in-Class companies in the survey were 1.6X more likely to take a strategic, pan-enterprise approach to encryption and key management than a tactical, point-wise approach to deployment of encryption solutions. See Figure 3.

Figure 3: Strategic Approach to Encryption (Best-in-Class / Industry Average)

• Top down, enterprise view of encryption for protecting sensitive data: 36% / 26%

• Point solutions for encryption have been deployed where specific needs exist: 46% / 52%

• Limited deployments of encryption: 18% / 22%

Source: Aberdeen Group, August 2007

In the next chapter, we will see what the leading companies are doing to achieve superior performance in encryption and key management.

Aberdeen Insights – Strategy

Not quite 25 years ago now, the innate tension between two contrary aspects of electronic information was first noted: on the one hand, information can be immeasurably valuable; on the other hand, “information wants to be free”. This tension between value and the ease and convenience with which information can be perfectly replicated is at the heart of the different strategic approaches to protecting sensitive data that we see highlighted in this report.


The traditional, perimeter-based approach to protecting sensitive data manages information in a central location, and controls access to the information itself – analogous to putting the eggs in one basket, then guarding that basket. But as more open, flexible network access and distributed computing models dissolve the traditional network perimeter, the centralized “fortress” model for data protection can be increasingly impractical and ineffective.

In its place, an information-centric approach to protecting sensitive data is clearly emerging. By securing the data, rather than only the network and IT infrastructure, information that inherently “wants to be free” can flow freely across organizational and network boundaries – to stretch the previous egg/basket analogy, although they are no longer in one basket the eggs still have a protective shell. This information-centric approach requires – among other things – that along with encryption to secure the data, an infrastructure must be put in place to manage, protect, and control access to the encryption keys. The research shows clear evidence of growth in encryption-related infrastructure solutions that is consistent with the evolution from tactical point deployments of encryption to such a strategic enterprise-wide approach.


Chapter Two: Benchmarking Requirements for Success

The selection and deployment of encryption and key management solutions, and their successful integration with existing business processes, play a crucial role in the ability to leverage these enabling technologies to support higher scale, reduce costs, manage security risk, and achieve compliance with internal policy and external regulations.

Fast Facts

Based on survey responses for current use vs. planned use in the next 12 months, organizations will:

√ Significantly expand the use of encryption to gain control over ‘data in use’ by mobile end-users, with greatest attention on smart phones and PDAs, USB devices such as iPods and thumb drives, and flash memory cards (>100% year-over-year growth)

√ More uniformly deploy encryption for protection of data in back-end applications, including database encryption, application encryption, server-to-server encryption, and encryption of Web Services transactions (>50% year-over-year growth)

Case Study: Maritz, Inc., Fenton, Missouri

Maritz, Inc., a $1.3B provider of integrated performance improvement, incentive travel, and market research services headquartered near St. Louis, is home to 10 business units and 17 call centers. They use encryption throughout the organization for file transfers, wireless connections and to protect payment card data. Maritz has recently put policy and process in place to centralize the management and distribution of encryption keys and to enforce responsible key usage.

“Currently, most of our process is manual,” says enterprise architect Bill Hamilton. “We want physical signatures.” Hamilton says there’s been some pushback within the organization against the strict language associated with key usage, but feels that Maritz is getting what it wants in terms of manageability and accountability. “Our key management process is relatively new,” says Hamilton, “and it’s helping us manage our Service Level Agreements. We want everything managed from one central location, so we know exactly what got sent and when.”

Identification and classification of information assets is the first step in any encryption and key management initiative, and as the saying goes the first step can be the hardest. “The hardest part [of protecting sensitive data] is finding all the places it’s being used,” notes Hamilton.

A higher degree of automation of the key management process remains possible for the future, but in the early stages Maritz will continue to rely on its proven manual processes. “Because our auditors require paper trails, we’re likely to stick with our manual process for now – it’s working.”

Competitive Assessment

The aggregated performance of surveyed companies determined whether they ranked as Best-in-Class, Industry Average or Laggard. Each class also shared common characteristics in the following categories:

(1) Process (scope of process standardization; efficiency and effectiveness of these processes);

(2) Organization (how the company is organized to manage and optimize these processes);


(3) Knowledge (visibility into vital information and intelligence required to manage these processes);

(4) Technology (selection of appropriate enabling tools, and intelligent deployment of those tools); and

(5) Performance (measurement of the benefits of technology deployment, and use of the results to improve processes further).

These characteristics (identified in Table 3 below) serve as a guideline for best practices and correlate directly with Best-in-Class performance across the respective metrics.

Table 3: Competitive Framework (Best-in-Class / Average / Laggards)

Process

• Distribution and integration of encryption keys to a wide variety of encryption-enabled endpoints: 46% / 30% / 16%

• Management of encryption keys across their complete lifecycle, from generation to eventual termination: 36% / 26% / 8%

• Enforcement of consistent security policies related to encryption and key management: 46% / 27% / 14%

• Controls to ensure that monitoring and compliance methods satisfy the requirements of INTERNAL policies: 71% / 47% / 31%

• Controls to ensure that monitoring and compliance methods satisfy the requirements of EXTERNAL regulations: 64% / 44% / 20%

Organization

• Responsible executive or team with primary ownership for the creation and revision of encryption and key management policies and practices: 50% / 40% / 18%

• Formal awareness and end-user training programs around encryption and key management: 32% / 14% / 14%

Knowledge

• Consistent asset classification scheme: 40% / 40% / 10%

• All data assets are identified and classified: 36% / 27% / 12%

Technology (selected encryption technologies currently in use)

• File encryption (desktop / laptop): 57% / 51% / 29%

• File encryption (server): 57% / 32% / 27%

• Full-Disk encryption: 22% / 22% / 14%

• Database encryption: 39% / 26% / 16%

• Client certificates: 46% / 37% / 12%

• Public-Key Infrastructure (PKI): 46% / 38% / 25%

• Key Management (as a standalone product): 29% / 25% / 18%

Performance

• Support encryption at more endpoint types: 81% / 52% / 35%

• Manage larger number of encryption keys: 71% / 55% / 27%

• Greater consistency of encryption and key management policies across multiple applications / use cases: 46% / 18% / 8%

• Support encryption at more locations (including multiple sites, branches, outsourcing partners, partner extranets): 50% / 38% / 12%

• Greater consistency of encryption and key management policies across multiple locations: 29% / 18% / 8%

Note: the percentages reflected under “Performance” are in comparison to one year ago.

Source: Aberdeen Group, August 2007

As shown in Figure 4, the research shows that Best-in-Class companies are investing in automated key management and key distribution capabilities to cope with, and reap the benefits of, significantly broader use of encryption. Compared to all companies surveyed, the Best-in-Class supported 1.9X more keys with an estimated 34% lower total annual cost on a per-key basis.


Figure 4: Key Management – Level of Automation

[Bar chart: Average Performance Rating (1 = Low, 5 = High) for Best-in-Class, Industry Average and Laggards at three points in time: one year ago, currently, and projected one year from now. The individual bar values cannot be attributed to series from this transcript.]

Source: Aberdeen Group, August 2007

Organizational Capabilities and Technology Enablers

A well-designed implementation strategy for encryption and key management includes the following essential steps:

• Identify and classify all information assets – Best-in-Class organizations are 4X more likely than Laggards to have a consistent asset classification scheme, and 3X more likely than Laggards to have classified and identified all data assets.

• Establish policies for all classifications, applications, use cases, and locations involving sensitive data – Best-in-Class organizations enforce consistent policies for encryption and key management at a rate 3.3X higher than that of Laggards.

• Implement enabling technologies to remediate known risks and to protect against future risks to sensitive data – as detailed in Table 3, Best-in-Class organizations have deployed encryption technologies and encryption-related infrastructure more broadly than their counterparts in Industry Average or Laggard organizations to achieve these objectives. See additional discussion on enabling technologies in the Aberdeen Insights section on Technology, below.

• Establish controls to ensure that monitoring and compliance methods satisfy the requirements of both internal policies and external regulations – Best-in-Class organizations have established consistent controls at a rate 1.5X higher than that of the Industry Average, for both internal and external requirements.

• Educate relevant stakeholders with formal awareness and end-user training programs around encryption and key management – Best-in-Class organizations do this with 2.3X higher incidence than all other companies, although at only 40% even the Best-in-Class can improve in this regard.

Aberdeen Insights – Technology

To date, companies surveyed deploying encryption to protect ‘data at rest’ on end-user devices have focused most heavily on file encryption (45%) and full-disk encryption (20%) on desktops and laptops. Nearly twice as many respondents indicate they will deploy full-disk encryption versus file encryption for desktops / laptops in the year to come. In the next 12 months, organizations surveyed also indicate that they are seeking to gain more control over the data that is flowing to end-user devices, with significantly increasing attention on smart phones and PDAs, as well as USB devices such as iPods (to combat potential “Pod-slurping”) and USB thumb drives (to prevent loss of data through “thumb-sucking”). Projected year-over-year growth in these areas (planned use versus current use) is >100%. The data wants to be free, and yet it must be protected.

For protection of data in back-end applications, the data indicates more uniform deployment in areas such as database encryption, application encryption, server-to-server encryption, and encryption of Web Services transactions – each with >50% year-over-year growth in planned deployment.

Indicated growth of several encryption-related infrastructure solutions is consistent with the expected evolution from tactical, point deployments to a more strategic, enterprise-wide approach to protecting sensitive data. Hardware Security Modules (HSMs), standalone Key Management solutions, Public-Key Infrastructure (PKI), and Smart Card Issuance systems all had year-over-year growth outlooks of about 50%. In addition, although starting from a relatively small base, the projected growth outlook for Trusted Platform Modules (TPMs) was very strong at >120%.

As more technology solutions provide native, out-of-the-box support for encryption, organizations have the promise of broader deployment and better protection of sensitive data in the long term – as well as the short term potential for market confusion and redundant management costs. Compared to the Industry Average, Best-in-Class organizations are about 10% more likely to support the use of third-party encryption solutions, but they are 2X more likely to support the use of encryption as it is supported natively in their portfolio of deployed solutions. This open attitude towards early adoption of native encryption by the Best-in-Class is more feasible due to the fact that these are the companies who have also adopted the more strategic, enterprise-wide approach to encryption and key management.


Chapter Three: Required Actions

Fast Facts

• Best-in-Class companies are investing in automated key management and key distribution capabilities to cope with, and reap the benefits of, significantly broader use of encryption. Compared to all companies surveyed, the Best-in-Class supported 1.9X more keys with an estimated 34% lower total annual cost on a per-key basis.

Whether an organization is trying to move its performance in encryption and key management from “Laggard” to “Industry Average,” or “Industry Average” to “Best-in-Class,” the following actions will help drive the necessary performance improvements.

Laggard Steps to Success

• Identify and classify all information assets – only 10% of Laggard organizations have a consistent asset classification scheme, and only 12% indicate that they have identified and classified all data assets. The hardest part of protecting data is first finding where it is.

• Establish consistent policies – very few (8%) Laggard organizations indicated an increase in consistency of policies across multiple applications, use cases and locations compared to a year ago. Planning and knowing what to do is a critical prelude to implementation of enabling technologies.

• Assign clear organizational ownership – only 18% of Laggard organizations have a responsible executive or team with primary ownership for the creation and revision of encryption and key management policies and practices. Clear responsibility and accountability (“one throat to choke”) is a critical success factor for any IT security project.

Industry Average Steps to Success

• Identify and classify all information assets – Industry Average organizations are on par with the Best-in-Class at having a consistent asset classification scheme (40%), but only 27% indicate that they have identified and classified all data assets.

• Increase consistency of policies – more than 50% of Industry Average organizations indicated an increase in number of endpoint types using encryption and number of encryption keys under management … but only 18% indicated an increase in consistency of policies across multiple applications, use cases and locations compared to a year ago.

• Improve controls to sustain compliance – less than half of Industry Average organizations had implemented controls to ensure that their monitoring and compliance methods satisfy the requirements of both internal policies and external regulations.

Best-in-Class Steps to Success

• Identify and classify all information assets – Best-in-Class organizations led the way at having identified and classified their data assets, but at only 40% they should continue to carry out their work in this vitally important step.

• Continue steps towards a strategic, top-down view of encryption and key management – only 36% of Best-in-Class organizations currently report management of encryption keys across their complete lifecycle, from generation to eventual termination.

• Invest in end-user training and awareness – only 32% of Best-in-Class organizations indicate that they currently have formal awareness and end-user training programs around encryption and key management. The technological aspect of data protection is necessary, but not sufficient – the human factor plays a critical role as well.

Aberdeen Insights – Summary

In an information-centric, de-perimeterized approach to protecting sensitive data, all organizations need to:

• identify and classify their information assets;

• establish consistent policies;

• implement an appropriate portfolio of enabling technologies for encryption and key management; and

• establish controls to ensure compliance with both internal policies and external regulations.

Technical controls alone are not enough – companies must also educate all relevant stakeholders through formal awareness and end-user training programs around encryption and key management. Clear ownership and accountability for the creation and revision of encryption and key management policies and practices by a senior executive or team is also a critical factor for successful implementation.

Best-in-Class organizations have not only deployed encryption more widely for the protection of sensitive data, but also have begun to implement centralized key management and automated key distribution solutions to deliver higher scalability, lower operational costs, reduce risk, establish consistent security policies, and sustain regulatory compliance.


Appendix A: Research Methodology

In August 2007, Aberdeen Group examined the current and planned use of encryption to protect sensitive data, and best practices for managing the encryption keys that secure the data over their life cycle. The experiences and intentions of more than 150 enterprises from a diverse set of organizations are represented in this study.

Respondents completed an online survey that included questions designed to determine the following:

• The degree to which organizations are using encryption across an increasing variety of applications, servers, end-users, and networked devices;

• The approaches taken to manage encryption keys across their complete lifecycle, from generation to eventual termination;

• The degree to which encryption is being used to help organizations manage risk in a consistent way across multiple use cases and geographically dispersed locations; and

• The impact of encryption and key management on achievement of compliance with internal security policies and external regulations.

Aberdeen supplemented this online survey effort with telephone interviews with select survey respondents, gathering additional information on encryption and key management strategies, experiences, and results. The study aimed to identify emerging best practices for encryption and key management, and to provide a framework by which readers can assess their own capabilities in these areas.

Responding enterprises included the following:

• Job title/function: The research sample included respondents with the following job titles: President/CEO/COO/CIO/CSO/Chief Compliance Officer (28%); Vice President/Director (20%); Manager (22%), Staff/Consultant (25%). The largest segment by functional responsibility was IT, representing 56% of the sample.

• Industry: The research sample included respondents from a wide variety of industries, including Finance/Banking (20%), Government /Aerospace/Defense (17%), Telecommunications (14%), Healthcare (7%), and Insurance (7%).

• Geography: The majority of respondents (54%) were from North America. Remaining respondents were from Europe/Middle East/Africa (25%), the Asia-Pacific region (16%), and South/Central America (5%).

• Company size: Large enterprises (annual revenues above US$1 billion) represented 22% of the respondents; 26% were from midsize enterprises (annual revenues between $50 million and $1 billion); and 52% of respondents were from smaller enterprises (annual revenues of $50 million or less).

Solution providers recognized as sponsors of this research were solicited after the fact and had no substantive influence on the direction of the final Encryption & Key Management benchmark report. Their sponsorship has made it possible for Aberdeen Group to make these findings available to readers at no charge.

Table 4: PACE Framework Key

Overview

Aberdeen applies a methodology to benchmark research that evaluates the business pressures, actions, capabilities, and enablers (PACE) that indicate corporate behavior in specific business processes. These terms are defined as follows:

Pressures — external forces that impact an organization’s market position, competitiveness, or business operations (e.g., economic, political and regulatory, technology, changing customer preferences, competitive)

Actions — the strategic approaches that an organization takes in response to industry pressures (e.g., align the corporate business model to leverage industry opportunities, such as product/service strategy, target markets, financial strategy, go-to-market, and sales strategy)

Capabilities — the business process competencies required to execute corporate strategy (e.g., skilled people, brand, market positioning, viable products/services, ecosystem partners, financing)

Enablers — the key functionality of technology solutions required to support the organization’s enabling business practices (e.g., development platform, applications, network connectivity, user interface, training and support, partner interfaces, data cleansing, and management)

Source: Aberdeen Group, August 2007

Table 5: Competitive Framework Key

Overview

The Aberdeen Competitive Framework defines enterprises as falling into one of the following three levels of practices and performance:

Best-in-Class (20%) — Practices that are the best currently being employed and significantly superior to the Industry Average, and result in the top industry performance.

Industry Average (50%) — Practices that represent the average or norm, and result in average industry performance.

Laggards (30%) — Practices that are significantly behind the average of the industry, and result in below average performance.

In the following categories:

Process — What is the scope of process standardization? What is the efficiency and effectiveness of this process?

Organization — How is your company currently organized to manage and optimize this particular process?

Knowledge — What visibility do you have into key data and intelligence required to manage this process?

Technology — What level of automation have you used to support this process? How is this automation integrated and aligned?

Performance — What do you measure? How frequently? What’s your actual performance?

Source: Aberdeen Group, August 2007


Table 6: Relationship Between PACE and Competitive Framework

PACE and Competitive Framework: How They Interact

Aberdeen research indicates that companies that identify the most impactful pressures and take the most transformational and effective actions are most likely to achieve superior performance. The level of competitive performance that a company achieves is strongly determined by the PACE choices it makes and how well it executes.

Source: Aberdeen Group, August 2007


Appendix B: Related Aberdeen Research

Related Aberdeen research that forms a companion or reference to this report includes:

• The Ins and Outs of Email Vulnerabilities (July 2007)

• Protecting Cardholder Data: Best-in-Class Performance at Addressing the PCI Data Security Standard (June 2007)

• Thwarting Data Loss (May 2007)

Information on these and any other Aberdeen publications can be found at www.aberdeen.com.

Author: Derek E. Brink, Vice President & Research Director, IT Security ([email protected])

Aberdeen is a leading provider of fact-based research and market intelligence that delivers demonstrable results. Having benchmarked more than 30,000 companies in the past two years, Aberdeen is uniquely positioned to educate users to action: driving market awareness, creating demand, enabling sales, and delivering meaningful return-on-investment analysis. As the trusted advisor to the global technology markets, corporations turn to Aberdeen for insights that drive decisions. As a Harte-Hanks Company, Aberdeen plays a key role of putting content in context for the global direct and targeted marketing company. Aberdeen's analytical and independent view of the "customer optimization" process of Harte-Hanks (Information – Opportunity – Insight – Engagement – Interaction) extends the client value and accentuates the strategic role Harte-Hanks brings to the market. For additional information, visit Aberdeen http://www.aberdeen.com or call (617) 723-7890, or to learn more about Harte-Hanks, call (800) 456-9748 or go to http://www.harte-hanks.com.

V073107b
