What's the best way to fit those capabilities into your data processes and overall business strategy?

Joel Schwalbe is CIO and senior vice president at Orlando, Fla.-based CNL Financial Group Inc., which acquires and develops businesses in the financial and real estate industries. Schwalbe says his firm's emphasis on encryption comes directly from the executive suite. "The primary way we distinguish ourselves from our competitors," he says, "is through our reputation for integrity and protecting the interests and confidentiality of partners. Executives here are well aware that we'd have a much harder time raising capital if we had a serious data breach." CNL met that need through a hardware encryption product from Decru, a Network Appliance Inc. company, to encrypt their backup tapes.

Yet even organizations that do not need high-powered security are considering encryption in order to appease business partners. Loyalty Lab Inc., which helps organizations such as credit-card companies create and manage loyalty programs, doesn't normally deal with sensitive data. But, says Barak Engel, the San Francisco-based company's CSO, "It makes it a lot easier for us in our sales cycle if we can tell partners we are compliant with good security standards."

So while his company almost never has to access consumers' credit card account numbers, some clients find it easier to send the entire database, without deleting the private fields. They expect Loyalty Lab to protect any secure data fields, and they're increasingly demanding assurances to that effect. Loyalty Lab purchased SecureDB, encryption software from UK-based nCipher Corp. Ltd., which allows Engel to encrypt just one critical column in the database: the credit-card number.

What are our current data access policies and how are they enforced?

We need to look carefully at how our security policies align with overall corporate strategy.

Story Guide:

Next page: Implementation