Encrypting laptops is worth the money
IT security budgets remain tight. One major exception, however, is the willingness of companies to pay for full disk encryption for laptops.
For the most part, security technology procurement is a struggle as security budgets have always been low and remain under-funded.
Security executives have to justify purchases in terms of business risk--a daunting task for even the most skilled professionals. As the old saying in the security world goes, organizations don't want good security, they want good-enough security. Paying for anything more is often viewed as a waste.
In general, frugal security strategies remain but my colleagues and I at Enterprise Strategy Group see one particular area that bucks this trend--full disk encryption (FDE) for laptops. Many large organizations are retroactively adding FDE software to existing systems or require FDE on all new laptop purchases. These decisions are almost always being driven by business managers rather than IT. There's no security magic here. CEOs see a pretty simple relationship between problem and solution.
What does this mean for the industry?
• Companies like GuardianEdge, PointSec (now Check Point Software), Safeboot, and Utimaco are selling tens of thousands of licenses at a time. Business will continue to be good for another three years or as long as businesses hold on to legacy PCs. Smart vendors in this space are already diversifying into other security areas. The writing is on the wall.
• Ultimately, this market will be dominated by hard drive vendors (Seagate, for example) and Microsoft. I took some flak for suggesting in an earlier blog that large organizations fast-track Vista for laptops solely to get BitLocker disk encryption. I'm now finding some firms headed down this path.
• PC encryption is the calm before the impending key management storm. Managing all of these keys in a formal and organized way is not a well-understood practice and many tools are pretty weak. Get ready for headlines about unrecoverable data or malicious key-management administrators.
• Infrastructure-based security and encryption is inevitable. FDE is the first chapter in a long book.
Losing a corporate laptop should be a minor inconvenience not a publicly disclosed security breach leading to millions of dollars in public relations, legal and customer service costs. It appears that CEOs recognize this trade-off and taking proactive security countermeasures--for once.