One of the first questions asked when a breach occurs is “Was the data encrypted?” The answer is usually, “No, not all of it.” This often results in outrage and anger when customers find out. The group agreed that one of the biggest issues is that most customers, and even some organization members, really don’t understand how encryption works. Customers will sometimes demand that an organization use certain encryption measures, but don’t necessarily understand what each of them means.

The group also agreed that as the need to encrypt more data grows, overall performance has to slow down to accommodate it. For some executives, this creates friction with higher-ups in the organization who don’t want to pay for improved security with slower productivity.

Another topic that arose is the nature of monitoring encrypted data. In order to know which encrypted data needs more intensive monitoring, security teams need to implement strong data classification standards so they can determine which sections of encrypted data deserve a heavier focus. You shouldn’t encrypt everything, but it is vital to distinguish between what needs to be encrypted and what doesn’t.

Another topic that arose was key management. Encryption isn’t a panacea: someone has to hold the key to be able to access encrypted data. Some group members likened the way encryption is being used today to covering a small wound with a Band-Aid. The problem is that this kind of thinking leaves some organizations covered in proverbial Band-Aids without addressing the underlying problems. Instead, one solution is to look at and assess the potential problems that can arise in the environment. Once an incident happens and is remediated, the next step should be asking, “How can we change the environment to help prevent future incidents?” We have to view encryption as a deterrent and not a panacea.