<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Javier Gonzalez, Author at Security Current</title>
	<atom:link href="/author/javier-gonzales/feed/" rel="self" type="application/rss+xml" />
	<link>/author/javier-gonzales/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Wed, 30 Aug 2023 21:51:05 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Javier Gonzalez, Author at Security Current</title>
	<link>/author/javier-gonzales/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Aligning Expectations with Reality is Crucial to Success – and Avoiding Burnout</title>
		<link>/aligning-expectations-with-reality-is-crucial-to-success-and-avoiding-burnout/</link>
		
		<dc:creator><![CDATA[Javier Gonzalez]]></dc:creator>
		<pubDate>Thu, 31 Aug 2023 06:06:28 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36118</guid>

					<description><![CDATA[<p>Oftentimes there is a big gap between what a person imagines a CISO’s position to be, and what the organization expects it to be. This kind of discrepancy leads to&#8230;</p>
<p>The post <a href="/aligning-expectations-with-reality-is-crucial-to-success-and-avoiding-burnout/">Aligning Expectations with Reality is Crucial to Success – and Avoiding Burnout</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>Oftentimes there is a big gap between what a person imagines a CISO’s position to be and what the organization expects it to be. This kind of discrepancy leads to frustration that can build into burnout.</p>
<p>There is a veneer that makes the CISO position appealing and enticing. When you get into the details of the day-to-day responsibilities, whom CISOs report to, and how seriously – or not seriously – their input is regarded, the reality is less glossy. With such a big push right now for cybersecurity to be in the boardroom, and for CISOs to be part of the business conversation, it is becoming evident that not all CISOs have the skillsets that organizations want.</p>
<p>Aligning expectations with reality is key.</p>
<p>If you don’t have a good grasp of what your role is, and you’re giving senior management information that’s tactical – like how many endpoints we have with antivirus – rather than strategic – how can I help the business – then you lose credibility very quickly.</p>
<p>A CISO has to look in the mirror and ask: am I really ready to do this job? Do I understand what the position requires? There is a lot of talk about putting CISOs on boards, and many aspire to that. They envision a nice check and an opportunity to order the company around on security matters. Nothing could be further from the truth. Being on a board comes with fiduciary consequences that can get you sued or land you in jail if something detrimental happens.</p>
<p>As for snapping fingers and giving orders, that is not how it works either. A lot of CISOs are not prepared for all the pushback they are going to get, especially if they do not have the business skillsets and acumen they need to get the attention of senior leaders and the board.</p>
<p>Then frustration starts building up. They feel belittled and not taken seriously. They end up treading water instead of gaining in stature.</p>
<p>That is why it is important to understand what your position entails and the organization’s expectations of your role.</p>
<p>CISOs with the right experience and skillsets will never deluge a CEO with terms and information that the CEO will not understand. They will not put security considerations before business goals. If an organization wants to do something that makes the security chief uncomfortable, the answer is not to dismiss it, but to face it and try to make it less risky and more secure.</p>
<p>A successful CISO will build alliances, not walls, and will be part of the team. As difficult as it sounds, you need to understand that there are certain things the organization will decide to do even with the risks involved, because it has a business goal that overrides those risks. Incurring a $1 million compliance fine may be worth a $40 million profit.</p>
<p>Being a CISO requires understanding beyond cybersecurity. You need to understand the business if you want to be successful in the organization. Although we are subject matter experts, we must be deferential and recognize that we are not the reason the business exists.</p>
<p>I think the industry would do well to set up a third-party vetting organization to standardize the skillsets necessary for the job, as engineers, doctors and lawyers have – something like the Professional Engineers exam, which would set a consistent level of skills for CISOs. That way, people go into the job with a specific skill set, up-to-date knowledge of business practices, and what they need to know to succeed. This will mitigate the frustrations on the job that lead to burnout and make all CISOs proficient and efficient.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>As Cyber Insurance Requirements Soar, Smaller Businesses Have Ways to Mitigate</title>
		<link>/as-cyber-insurance-requirements-soar-smaller-businesses-have-ways-to-mitigate/</link>
		
		<dc:creator><![CDATA[Javier Gonzalez]]></dc:creator>
		<pubDate>Wed, 23 Aug 2023 06:06:22 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36085</guid>

					<description><![CDATA[<p>Underwriters are under extreme pressure these days to counter the soaring number of ransomware payouts occurring all over. Whereas companies’ policies have been outdated in terms of protecting customers’ needs,&#8230;</p>
]]></description>
										<content:encoded><![CDATA[
<p>Underwriters are under extreme pressure these days to counter the soaring number of ransomware payouts occurring all over.</p>
<p>Whereas companies’ policies have been outdated in terms of protecting customers’ needs, in several cases courts have decided in favor of companies that submitted claims. This has sent shivers throughout the insurance industry.</p>
<p>Insurers have countered vigorously with very onerous demands. Insurers want full monitoring of the entire organization – a 24/7 SOC service, for instance. Moreover, they want endpoint detection and response (EDR).</p>
<p>For large organizations, these requirements present less of a problem. They have an army of people looking at these things all the time. For small and medium-sized enterprises, these new requirements call for sizable investments that have not been budgeted. This poses serious considerations.</p>
<p>This is not where the additional outlays end. It is probably safe to say that even with these tighter requirements, insurers will raise premiums significantly because of the billions of dollars they have had to pay out. If the industry is experiencing this surge in ransomware attacks, then everyone’s cyber insurance premiums will be affected. Insurers are going to recover the money they paid out. That’s just how insurance works.</p>
<p>Inevitably, companies will face the double whammy of being required to make big investments and pay higher premiums.</p>
<p>When it comes to investments, smaller businesses can take action to deflect the expenditures, at least in the short term. They can do that by understanding specifically what insurers are looking for. The key is that insurers want to see good, solid foundations for cybersecurity programs in place.</p>
<p>In the absence of a 24/7 SOC or EDR, smaller organizations want to demonstrate to the insurance company that they are following best practices and taking cybersecurity seriously.</p>
<p>Having controls in place could help to mitigate some of the insurers’ concerns. Even without a 24/7 SOC, you may have a tool that collects alerts and automatically notifies the person on call.</p>
<p>That may not be as real-time as having somebody on the glass, but it is an approximation, and you can present that control to the insurer as a mitigating factor.</p>
<p>Email is still a major infection vector. If there is effective control there, that is also a persuasive argument that you have put the right foundational elements in place. The same goes for the endpoint: though you might not have EDR, if you have a superior, reputable antivirus or anti-malware product running on endpoints and servers, that weighs quite solidly, even if it does not give you protection against zero-days.</p>
<p>Most concerning for insurers at this point is ransomware, because of the big payouts. If you demonstrate that your first line of defense – your users – is being trained and assessed, and you provide metrics to validate where they stand, then in a critical way it proves your commitment to a cybersecure environment.</p>
<p>It should be obvious, but I will say it anyway: essential to all this is ensuring that the good controls you have are fortified and working as advertised. Extremely important in making a convincing argument to the insurer about the effectiveness of the controls in place is demonstrating it with metrics and other evidence. Taking these measures is a persuasive and verifiable validation that you are on top of things.</p>
<p>Smaller businesses may not be able to stave off those big cybersecurity outlays forever, but for the time being, convincing the insurer of your seriousness can help keep you covered until that time.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Unbelievably, This Needs to be Said: All Organizations Need a Security Plan</title>
		<link>/unbelievably-this-needs-to-be-said-all-organizations-need-a-security-plan/</link>
		
		<dc:creator><![CDATA[Javier Gonzalez]]></dc:creator>
		<pubDate>Tue, 25 Jul 2023 12:43:39 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36014</guid>

					<description><![CDATA[<p>It may seem clear-cut that organizations should have a security plan in place, but the reality is that many don’t.  When we talk about protecting an organization, we are typically&#8230;</p>
]]></description>
										<content:encoded><![CDATA[
<p>It may seem clear-cut that organizations should have a security plan in place, but the reality is that many don’t.</p>
<p>When we talk about protecting an organization, we are typically looking at its risk exposure. If we do not have a first-rate way to identify and quantify the risk, then it is exceedingly difficult to say whether the organization is secure or not.</p>
<p>And if you have not defined the components needed to drive your security program, then things become even more difficult because security turns into an ad hoc activity. Organizations end up buying tools when they do not even have a good understanding of what their needs are.</p>
<p>CISOs need to know the organization’s goals first in order to start building a plan. If an organization is not looking into digital transformation and is going to stay in a data center that it owns, then its cybersecurity plan must be built accordingly. Requirements will be based on that strategic planning.</p>
<p>If the organization wants to move away from being its own service provider and wants to outsource applications, then the CISO will have to meet a separate set of requirements. Before considering specific tools, a CISO needs to define what the security program needs to make the organization successful and secure.</p>
<p>Immature organizations typically look at tactical-level things or even lower. As they start making and implementing decisions, they face having to backtrack, having spent a considerable amount of money on tools that have a considerable number of resources tied to them. This happens because these companies have not defined their needs ahead of time. If you cannot even appraise what your security posture is at the endpoint, then what are you going to do, for example, with a service that provides threat intelligence from the dark web?</p>
<p>Understanding the goals and plans of an organization is therefore paramount. Only then can you put in all the building blocks and prioritize what would have the highest impact on coverage and protection – because let’s face it, the smaller the organization, the fewer the resources it will be able to provide.</p>
<p>When you come into an organization that has a hodgepodge of different things, none of them really well coordinated or delivering outcomes from the investment, then you need to pause until you stabilize the security program and make sure the organization is protected as well as possible with what you have. Only then can you start looking at areas where you can improve and mature. And all the while, you are evangelizing the organization on the importance of structuring a good security program that will drive all initiatives and investments going forward.</p>
<p>It is at this point that you can become an organization that can be measured and shown to be sustainable, with repeatable processes.</p>
<p>Most important, it is then that you become an organization that really supports and manages the organization’s risk.</p>
<p>While on this journey, it is important not to let yourself become overwhelmed by all the deficiencies you see. Ground yourself in the fact that things are not where they need to be, and be cognizant that the organization may not be ready to make the changes that are necessary. It may not even be capable of understanding what its security posture is.</p>
<p>Smaller organizations may not have caught up with how AI is making attacks much easier. They are now in more dire shape because their risk has increased exponentially. It is our job to encourage them to look at the situation comprehensively and programmatically – so that with the limited resources you have, you can put forward something solid. It is particularly important to help them realize the value of taking the right approach, as opposed to advising them to put in another tool.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Digital Transformation: It&#8217;s Not a Monolithic Process</title>
		<link>/digital-transformation-its-not-a-monolithic-process/</link>
		
		<dc:creator><![CDATA[Javier Gonzalez]]></dc:creator>
		<pubDate>Tue, 18 Jul 2023 12:41:31 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=35936</guid>

					<description><![CDATA[<p>Digital transformation is a term bandied about a lot, but it means different things to different people.  It’s not a monolithic process. Because digital transformation has become critical for organizations&#8230;</p>
]]></description>
										<content:encoded><![CDATA[
<p><span style="font-weight: 400;">Digital transformation is a term bandied about a lot, but it means different things to different people.  It’s not a monolithic process. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Because digital transformation has become critical for organizations to survive, organizations must clearly know what it means specifically to them and align accordingly.  Will the organization move completely to the cloud?  Will it give up its data centers?  Will it be a hybrid environment?  Organizations must continuously assess transformation goals, what is achievable and what is not.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Typically, when we are talking about digital transformation, CISOs are rarely at the table, coming into the process at the tail end.  And when we are afterthoughts, it affects our own strategic planning because the intended solution might not allow us to protect information.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Without any extra budget to account for these things, we are playing catch-up with a digital transformation journey that we should have been a part of.  We find ourselves accountable for the decisions of others.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Alternatively, we are sounding the alarm about risk, without necessarily having the capabilities or the solutions in place to help the organization protect its information.  It forces us into a position where we must fight the organization to either slow down the project – something it often does not have the luxury to do – or secure the resources and funding to do the right thing.  CISOs have enough budget challenges to begin with, but when you do not even know what is in the pipeline, then it becomes an even bigger problem.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Smaller organizations typically will go with tools that fit their budget.  Because they cannot afford the big guys, we cannot always get satisfactory information about the security controls a less expensive vendor has in place.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Communication and relationship-building will go a long way to head off these problems.  We need to build ties with IT.  We need to build very tight relationships with the CTO and the CIO to understand the journey and where it is heading.  In some cases, we also need to collaborate with the CFO.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">And we need to extend ourselves to business units because many times they are the ones driving decisions and procurement.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">But when we find ourselves with a considerable amount of residual risk on our hands, we have to figure out how to turn this around and try to mitigate some of these things. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">At the highest level, start thinking about what type of protections are needed as a baseline to cover as much as we can.  If you do not have baseline security in place, and you are moving into digital transformation, then your gaps are only going to get exponentially bigger.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Visibility is essential.  If you can see what is happening, and you are able to detect things very quickly, then you can take countermeasures and start building a case to make investments.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">With digital transformation exploding at an exponential rate, if we do not have that visibility in place, it is going to be extremely hard to prioritize risk mitigation.  Realistically, you are not going to be able to put everything in at once because of budgetary constraints.  </span></p>
<p><span style="font-weight: 400;">Organizations are asking everyone to do a lot more with less.  Inevitably, we must be creative.  To go to the business and present a convincing case for investment, we need data to rank risk.  If you can’t quantify it and you can’t qualify it, you’re not going to be able to protect your organization.</span><span style="font-weight: 400;"><br />
</span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Compliance and Risk Management: It&#8217;s a Juggling Act</title>
		<link>/compliance-and-risk-management-its-a-juggling-act/</link>
		
		<dc:creator><![CDATA[Javier Gonzalez]]></dc:creator>
		<pubDate>Thu, 22 Jun 2023 11:04:08 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=35837</guid>

					<description><![CDATA[<p>In today’s complex world, CISOs face increased pressure to provide a winning value proposition to their organizations.  Sometimes that sets up a clash between compliance and risk management.  Risk&#8230;</p>
<p>The post <a href="/compliance-and-risk-management-its-a-juggling-act/">Compliance and Risk Management: It&#8217;s a Juggling Act</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone wp-image-35670 size-full" src="/wp-content/uploads/2023/06/Compliance-and-Risk-Management-Its-a-Juggling-Act-.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2023/06/Compliance-and-Risk-Management-Its-a-Juggling-Act-.png 1017w, /wp-content/uploads/2023/06/Compliance-and-Risk-Management-Its-a-Juggling-Act--300x172.png 300w, /wp-content/uploads/2023/06/Compliance-and-Risk-Management-Its-a-Juggling-Act--180x103.png 180w, /wp-content/uploads/2023/06/Compliance-and-Risk-Management-Its-a-Juggling-Act--768x441.png 768w, /wp-content/uploads/2023/06/Compliance-and-Risk-Management-Its-a-Juggling-Act--600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;">In today’s complex world, CISOs face increased pressure to provide a winning value proposition to their organizations.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Sometimes that sets up a clash between compliance and risk management.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Risk management, by its predictive and strategic nature, tends to create value.  By spinning out risk scenarios and identifying potential risks, businesses should benefit from new and innovative processes that could augment revenue, reduce operational costs, and empower executives and board members with actionable information to make the right business decisions.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Obviously, security teams cannot provide ironclad protection against risk, because risk is constantly evolving and not every possible scenario can be foreseen.  Because it allows businesses to take steps to create value, risk management has a value beyond just minimizing risk.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The compliance component is a different beast.  Compliance is valuable because it instills a rigor that organizations are required to take seriously.  There is a school of thought that states that a robust compliance program will make you secure.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Compliance requirements are very specific, very reactive, and very prescriptive.  The guiding principle is to lay out some best practices.  Since the scope is narrower than risk management, and broad interdepartmental transparency is not required, compliance does not necessarily provide the more comprehensive protection that security teams are seeking.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">If you do not comply, though, you get fined.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">There is a juggling act between compliance and risk management that is harder to maintain in times when resources are tight.  Organizations may not have the budget to assure the best risk management strategy while also fulfilling the compliance requirements necessary to avoid sanctions and the corresponding reputational damage.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">That creates a dilemma requiring some tough decisions.  Oftentimes, organizations find themselves having to focus on compliance when 1) they know it is not offering top protection and 2) it doesn’t make sense within their risk profiles.  When regulators ask for something, it must be supplied.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Moreover, some businesses have multiple and sometimes overlapping regulatory frameworks to comply with.  Because the same evidence cannot simply be presented to each framework, compliance becomes a burdensome exercise requiring an army of people to prepare and present evidence for regulatory requirements several times a year.   </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">It is time to bring people into a room and hash out a proposal to consolidate regulations so that organizations can comply more cost-effectively, thereby leaving more money available to focus on broader risk management.  When you look at the cyber component of regulations, a lot of things are duplicated.  Passwords are passwords, no matter what your business does.  Our business is constantly evolving in these volatile times, and it is time for the regulatory landscape to keep pace with this ever-changing environment.  </span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Materiality: It&#8217;s Not Always Straightforward</title>
		<link>/materiality-its-not-always-straightforward/</link>
		
		<dc:creator><![CDATA[Javier Gonzalez]]></dc:creator>
		<pubDate>Fri, 02 Jun 2023 14:59:58 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=35663</guid>

					<description><![CDATA[<p>The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires companies operating in critical infrastructure sectors to report covered cyber incidents within 72 hours of their reasonable belief&#8230;</p>
<p>The post <a href="/materiality-its-not-always-straightforward/">Materiality: It&#8217;s Not Always Straightforward</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone wp-image-35667 size-full" src="/wp-content/uploads/2023/06/Materiality-Its-Not-Always-Straightforward.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2023/06/Materiality-Its-Not-Always-Straightforward.png 1017w, /wp-content/uploads/2023/06/Materiality-Its-Not-Always-Straightforward-300x172.png 300w, /wp-content/uploads/2023/06/Materiality-Its-Not-Always-Straightforward-180x103.png 180w, /wp-content/uploads/2023/06/Materiality-Its-Not-Always-Straightforward-768x441.png 768w, /wp-content/uploads/2023/06/Materiality-Its-Not-Always-Straightforward-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;">The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires companies operating in critical infrastructure sectors to report covered cyber incidents within 72 hours of their reasonable belief that a cyber incident has occurred, and to report within 24 hours after making a ransom payment.  Critical infrastructure sectors, as defined in a 2013 presidential policy directive, include financial services, telecommunications, information technology, healthcare, energy, and others.</span></p>
<p><span style="font-weight: 400;">The U.S. Securities and Exchange Commission has stepped in with its own efforts to improve disclosures around cybersecurity risk management and governance, including a proposal for companies to report cyber incidents within four days of an incident being deemed material.</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">The SEC maintains that swift reporting would “significantly improve the timeliness of cybersecurity incident disclosures, as well as provide investors with more standardized and comparable disclosures.” In our industry, however, determining whether the incident really rises to the standard of materiality is not a straightforward endeavor.</span></p>
<p><span style="font-weight: 400;">With the pressure of classifying the incident correctly, we as an industry need to find a formula to quickly determine what “material” means.  Experiencing an incident of high importance does not necessarily mean its impact is material.</span></p>
<p><span style="font-weight: 400;">In the case of a pharmaceutical company, for instance, if someone working for the company deliberately, or even inadvertently, discloses information that will affect the stock, like the failure of a clinical trial, and the stock plunges as a result, that is clearly a material incident; there is no room for debate.</span></p>
<p><span style="font-weight: 400;">On the other hand, say a company has a ransomware attack.  This is a high-impact event, and instinctively it may lead to a rush to report it.  What if the organization was able to recover quickly, operations were not interrupted, and no information was known to have been compromised?</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">The point is that some cases are very easy to determine; others are less so – especially when the time frame for reporting is so short.  We want to avoid putting our organizations in the public realm by publishing reports prematurely.  On the other hand, keeping our mouths shut and crossing our fingers hoping for the best is obviously not a strategy, either.</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“The plain truth is that many CISOs don’t understand materiality,” Malcolm Harkins, a fellow at the Institute for Critical Infrastructure Technology think tank, said in an April report.</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">The purpose of materiality, Harkins said, is to ensure that accurate and relevant information is relayed to investors and shareholders so they can make informed business decisions and understand the business’s performance.</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Harkins has identified three primary types of impact an incident can have: financial, brand and societal. He looked at this axis through the lens of the infosec triad &#8212; availability, confidentiality, and integrity &#8212; and created a matrix to explore impact.</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Cybersecurity leaders need a matrix of this sort, a framework to help us determine quickly whether an incident is material or not.  It will not guarantee everything, but we would have a good starting point for performing due diligence.</span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>It&#8217;s Time to Put a Stop to Uncalled For Supply Chain Vulnerabilities</title>
		<link>/its-time-to-put-a-stop-to-uncalled-for-supply-chain-vulnerabilities/</link>
		
		<dc:creator><![CDATA[Javier Gonzalez]]></dc:creator>
		<pubDate>Mon, 15 May 2023 12:51:56 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=35159</guid>

					<description><![CDATA[<p>We are business leaders.  When we talk about supply chain, we are tasked to expand our focus beyond cyber risks to look at things that have a larger impact on&#8230;</p>
<p>The post <a href="/its-time-to-put-a-stop-to-uncalled-for-supply-chain-vulnerabilities/">It&#8217;s Time to Put a Stop to Uncalled For Supply Chain Vulnerabilities</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone wp-image-35162 size-large" src="/wp-content/uploads/2023/05/AdobeStock_589153750-1024x683.jpeg" alt="" width="1024" height="683" srcset="/wp-content/uploads/2023/05/AdobeStock_589153750-1024x683.jpeg 1024w, /wp-content/uploads/2023/05/AdobeStock_589153750-300x200.jpeg 300w, /wp-content/uploads/2023/05/AdobeStock_589153750-768x512.jpeg 768w, /wp-content/uploads/2023/05/AdobeStock_589153750-1536x1024.jpeg 1536w, /wp-content/uploads/2023/05/AdobeStock_589153750-scaled.jpeg 2048w, /wp-content/uploads/2023/05/AdobeStock_589153750-600x400.jpeg 600w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></span></p>
<p><span style="font-weight: 400;">We are business leaders.  When we talk about supply chain, we are tasked to expand our focus beyond cyber risks to look at things that have a larger impact on our organizations, such as the diversification of supply and suppliers, reducing carbon footprints, governance issues, and other matters of importance in the business world. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">But instead – as was the case 10 years ago – we’re stuck talking about the vulnerabilities supply chains introduce. It is time to put a stop to unnecessary supply chain vulnerabilities.  Let’s establish a workable framework that can serve as a first line of defense to lower the perpetual risk of having these issues.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Like other parts of the business, we depend on suppliers who themselves depend on third, fourth and fifth parties. For the most part, there is no active examination of their products until a vulnerability is discovered, at which point it’s too late. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Take the zero-day vulnerability published in December 2021 in Apache Log4j. This vulnerability came from an obscure open source library. No one was paying attention. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Our knee-jerk reaction is to patch, which is necessary. But we have to stop doing things after the fact and understand what risks we introduce by failing to have a verification and validation process, agreed across the industry, that won’t be an impediment to getting things done. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Below are some major factors contributing to these vulnerabilities and recommendations for mitigating them: </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">1) </span><b>Open source software.</b><span style="font-weight: 400;"> When we use open source software, in many instances it’s packaged with many modules. We may only need one or two pieces, but people tend to take the whole package and install it. We open ourselves up to risk by introducing libraries that aren’t doing anything for our organizations, but can contain vulnerabilities that someone can exploit.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The solution: Install only what you need. Do the analysis. Don’t take the whole bundle and put it in. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">2) </span><b>Coding that doesn’t follow accepted standards.</b><span style="font-weight: 400;">  Coding continues to be very unstructured, despite the existence of various standards. Developers have the freedom to put in what they want, and aren’t necessarily following a standardized structure. They may be deploying the code in an environment that is secure, but aren’t making sure it won’t develop issues in other environments. </span><i><span style="font-weight: 400;">The current climate of getting to market fast rather than getting it right is only encouraging that laxity. </span></i><i><span style="font-weight: 400;"><br />
</span></i><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The remedy: We need, as an industry, to require software developers to follow agreed, acceptable standards. Otherwise, we will never know whether there have been quality checks when we buy something.  After the fact, we’re going to find out that we’ve installed a piece of Swiss cheese, with holes everywhere. The cycle will repeat again and again. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">3) </span><b>Lack of transparency</b><span style="font-weight: 400;">. There is not a lot of transparency on those packages. We rely on vendors to tell us what has been done. We don’t have a lot of insight into what’s inside until it’s too late. We need details about what pieces have gone into the technologies.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The answer: Demand a move from obscurity to greater transparency.  I’m not asking for anyone to give away the secret sauce. But the push must be for the supply chain to be more honest and open. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">4) </span><b>We’ve been turned into guinea pigs. </b><span style="font-weight: 400;">Because of the immense pressure to get technology to market, developers often don’t do a lot of rigorous testing.  Customers are used as the test bed. We’re the ones who end up doing the penetration testing and dynamic application testing after we’ve installed the software. We have a piece of software that might be critical to our business, but we put ourselves at risk because the developer didn’t test extensively. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The antidote: Demand proof of some baseline testing at the very least.  We shouldn’t be the ones to find out that there is a vulnerability that would have been discovered if the developer had done the testing. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The supply chain inherently has many deficiencies. The time consumed by the vulnerability problem leaves no room to think about things like automation and consolidation.  If we correctly address how to fix this, it will make our lives easier.   </span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Building a Budget When So Much is Unknown</title>
		<link>/building-a-budget-when-so-much-is-unknown/</link>
		
		<dc:creator><![CDATA[Javier Gonzalez]]></dc:creator>
		<pubDate>Sun, 30 Apr 2023 05:14:19 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=35065</guid>

					<description><![CDATA[<p>When we talk about budgeting, there’s no exact science to quantifying risk or determining the likelihood of the threat materializing. Although there are some elements that we can quantify and&#8230;</p>
<p>The post <a href="/building-a-budget-when-so-much-is-unknown/">Building a Budget When So Much is Unknown</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone wp-image-35069 size-large" src="/wp-content/uploads/2023/04/AdobeStock_585738632-1024x683.jpeg" alt="" width="1024" height="683" srcset="/wp-content/uploads/2023/04/AdobeStock_585738632-1024x683.jpeg 1024w, /wp-content/uploads/2023/04/AdobeStock_585738632-300x200.jpeg 300w, /wp-content/uploads/2023/04/AdobeStock_585738632-768x512.jpeg 768w, /wp-content/uploads/2023/04/AdobeStock_585738632-1536x1024.jpeg 1536w, /wp-content/uploads/2023/04/AdobeStock_585738632-scaled.jpeg 2048w, /wp-content/uploads/2023/04/AdobeStock_585738632-600x400.jpeg 600w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></span></p>
<p><span style="font-weight: 400;">When we talk about budgeting, there’s no exact science to quantifying risk or determining the likelihood of the threat materializing. Although there are some elements that we can quantify and qualify, there are so many unknowns. And because each organization is different, there can be no cookie-cutter approach. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The best we can do is make some educated guesses based on the type of industry we are in and the actors targeting us, and then go with what we think is the best approach for our organizations. There’s no formula, because so much about budgeting is based on uncertainty. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The first premise that we have to build into budgeting is that you won’t be able to eradicate risk. It will be ever present because it evolves. You need to live with the fact that what you’re doing is to mitigate risk to the lowest possible level on the basis of what you know.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“What you know” is key here because you can never know with certainty how the security landscape will evolve. We have to be forthright with decision makers about the limitations of what we know. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">So based on what you know, and on your understanding of your business, you have to establish communications with stakeholders about what you see potentially affecting the business, do a rough calculation of what this will cost the business, and then put forward a dollar amount that you think you need to protect your organization. You most likely will not get that amount, but at least you have a solid foundation for the calculation you’ve disseminated to stakeholders, and then you negotiate from there. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">By educating the decision makers about the risks, you’ve put the onus of accepting or rejecting risk on them. You’ve educated and informed them of what the needs are, and then they decide what they’re willing to accept. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“Understanding the business” means two things. It means understanding what the enterprise does, and what could potentially go wrong. The second part is understanding how prevalent or pervasive the threats against that industry are. Financial institutions, critical infrastructure and healthcare are major targets. But you don’t hear about people trying to attack restaurants, because the financial motive isn’t there. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Once you’ve identified potential threats, you have to determine whether the cost of securing against all of them is worth it. Some coverage costs may outstrip potential damages. For the longest time, people opted for blanket coverage. But not all assets are critical. You need to know what’s worth protecting and what is not, otherwise the business will never make money. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">To make budgeting decisions based on what you know, it’s essential to identify your assets. There’s no way to protect an organization if you don’t know everything an organization has. It’s like having 1,500 miles of border wall with a gap that you can drive a truck through. If your security metrics start with an inaccurate base, then the information that flows from that is skewed.  And if you don’t have a clear picture of what you have to protect, your budget request will rest on rocky ground. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">We have to be forthright with decision makers about what we know and do not know. We need to build the relationships and trust links with different stakeholders in the organization so we’re comfortable presenting the best information we have to get the best budget possible.  At the same time, we do not want to create a false sense of security. It’s important to make disclaimers. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">If you aren’t candid, people will put your feet to the fire, especially these days, when you may be liable as a chief information security officer if you don’t get information out. And most important, you’re putting your organization at risk by not doing so. </span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>For a Resilient Organization, Building Employee Loyalty is Key</title>
		<link>/for-a-resilient-organization-building-employee-loyalty-is-key/</link>
		
		<dc:creator><![CDATA[Javier Gonzalez]]></dc:creator>
		<pubDate>Fri, 28 Apr 2023 06:06:13 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=34999</guid>

					<description><![CDATA[<p>When survey after survey indicates that employee satisfaction is at an all-time low, then it is clear we as business leaders have a problem. When people feel stifled, uninspired, without &#8230;</p>
<p>The post <a href="/for-a-resilient-organization-building-employee-loyalty-is-key/">For a Resilient Organization, Building Employee Loyalty is Key</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone wp-image-35003 size-large" src="/wp-content/uploads/2023/04/AdobeStock_587433507-1024x683.jpeg" alt="" width="1024" height="683" srcset="/wp-content/uploads/2023/04/AdobeStock_587433507-1024x683.jpeg 1024w, /wp-content/uploads/2023/04/AdobeStock_587433507-300x200.jpeg 300w, /wp-content/uploads/2023/04/AdobeStock_587433507-768x512.jpeg 768w, /wp-content/uploads/2023/04/AdobeStock_587433507-1536x1024.jpeg 1536w, /wp-content/uploads/2023/04/AdobeStock_587433507-scaled.jpeg 2048w, /wp-content/uploads/2023/04/AdobeStock_587433507-600x400.jpeg 600w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></p>
<p>When survey after survey indicates that employee satisfaction is at an all-time low, it is clear that we as business leaders have a problem. When people feel stifled, uninspired and without a path to grow and succeed, this breeds dissatisfaction, creates a toxic atmosphere and drives attrition.</p>
<p>That’s why we have to build our organizations smartly to inspire loyalty and ensure resilience.</p>
<p>The starting point is to get to know our own people and to see them as individuals. We can’t expect people to conform to a single template. It’s been tried time and again, and it has not worked.</p>
<p>While we cannot fully customize things all the time, we have to recognize that people have different aspirations, pursuits and points of view. Spending time with your team members beyond the confines of their daily tasks, even if it’s just for five or 10 minutes before or after a meeting, is an investment in them. Creating open channels of communication with your people will establish trust and insight.</p>
<p>Many companies do performance reviews on a yearly basis, but that’s not enough; in fact, it is quite harmful. It is more effective to be part of the journey with your employees. Both parties should clearly define expectations – what you expect from your team, and what team members can expect from you to help them grow.</p>
<p>Obviously, we need to be realistic: Organizations don’t have endless resources, and it can be hard to accommodate all the distinctive things that people will want. This requires transparency on your part. If, as a leader, you fear losing employees by being honest and transparent with them and withhold information instead, you are creating a huge problem for yourself: they will leave regardless. You need to build trust into your organization and rally your people behind you to weather tough times and share in the good times.</p>
<p>Another key to building a resilient organization is to encourage team members to learn about the work their colleagues are doing. Not only does this cross-pollinate across distinct functions, but your people can then step in to help in times of crisis because they’ve developed other skills.</p>
<p>Team building must be done effectively. If you can perform a function with one person, don’t go out and hire two people to perform that function, because that second person will be cut loose when the belt-tightening comes. That second salary could be reinvested in training or team-building activities, which I passionately believe in. It can be streamed into something that benefits all employees. This builds morale and loyalty and encourages employees to go the extra mile because they will feel valued by the company.</p>
<p>Now, there will be times, even in an organization that fosters professional development, when an employee will seek a different path elsewhere. We should see that as a positive, not a negative. It shows that you, as a leader, have instilled ambition in your employee. I’d even encourage you to help that person find another position if you can. If they’re discontented, that negativity can infect the team environment and undermine your organization’s resilience.</p>
<p>It’s tough to carry out these goals in a vacuum: Chances of success are higher if other departments and senior management are on board. You don’t want a situation where your employees think you have their back but that senior executives don’t care or do not know your methodology.</p>
<p>Build a partnership with the human resources team to work within the bounds of what you can realistically accomplish. Encourage open channels of communication with your own boss to strengthen your organization, and do your due diligence in keeping your goals aligned with those of your boss as well.</p>
<p>Organizations where I’ve seen high employee retention encourage people to express themselves all the way up the hierarchy.</p>
<p>Lastly, there is a generational divide at play here. Older generations are more reticent about speaking their minds. Younger people have no such inhibitions. If they do not like something, they’ll leave. When people sense that their bosses have their backs, that’s a major inducement to stay, and it exemplifies good leadership overall.</p>
<p>The post <a href="/for-a-resilient-organization-building-employee-loyalty-is-key/">For a Resilient Organization, Building Employee Loyalty is Key</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Quantum Computing Requires Urgent New Approach to Encryption</title>
		<link>/quantum-computing-requires-urgent-new-approach-to-encryption/</link>
		
		<dc:creator><![CDATA[Javier Gonzalez]]></dc:creator>
		<pubDate>Fri, 21 Apr 2023 10:41:30 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=34759</guid>

					<description><![CDATA[<p>Chinese researchers claim they have devised a new algorithm that can crack the widely used RSA-2048 encryption key, using a quantum computer that can be built today. Senior security and&#8230;</p>
<p>The post <a href="/quantum-computing-requires-urgent-new-approach-to-encryption/">Quantum Computing Requires Urgent New Approach to Encryption</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone wp-image-34763 " src="/wp-content/uploads/2023/04/AdobeStock_569967723-scaled.jpeg" alt="" width="1533" height="1022" srcset="/wp-content/uploads/2023/04/AdobeStock_569967723-scaled.jpeg 2048w, /wp-content/uploads/2023/04/AdobeStock_569967723-300x200.jpeg 300w, /wp-content/uploads/2023/04/AdobeStock_569967723-1024x683.jpeg 1024w, /wp-content/uploads/2023/04/AdobeStock_569967723-768x512.jpeg 768w, /wp-content/uploads/2023/04/AdobeStock_569967723-1536x1024.jpeg 1536w, /wp-content/uploads/2023/04/AdobeStock_569967723-600x400.jpeg 600w" sizes="auto, (max-width: 1533px) 100vw, 1533px" /></p>
<p>Chinese researchers claim they have devised a new algorithm that can crack the widely used RSA-2048 encryption key, using a quantum computer that can be built today.</p>
<p>Senior security and quantum computing experts have questioned this claim, which defied expectations that the technology to allow this kind of codebreaking was many years away. But the truth is, it doesn’t matter whether it’s true or not. Either way, we must start putting a lot of energy and money into a new approach to encryption, since this type of breakthrough is inevitable and carries enormous implications across business and government.</p>
<p>If this code is broken, it could potentially threaten everything from the mundane things that we do today, like online banking and secure communications, to classified government information. If we are not ready when it happens, we are going to spin into a real crisis, because how will we do business then?</p>
<p>One of the biggest issues at the beginning of the internet was how to conduct e-commerce safely. We worked to guarantee integrity, non-repudiation and the other pillars of information assurance. We must do something similar now.</p>
<p>If the Chinese are able to break encryption – or are moving closer to doing so – they’ll be able to actually see what we are transmitting. We don’t have any alternative encryption right now that we can readily implement.</p>
<p>Looking at potential mitigating alternatives, we could consider increasing the key length, but this will have a detrimental effect on transactions, as hardware will need to be on par with it, and there is no way to predict how long this would remain safe. We could move to a symmetric encryption model, but that would require a constant exchange of keys, resulting in a very labor-intensive, disruptive and costly endeavor. Both scenarios would create an environment that is very challenging to maintain and, at the same time, prone to errors.</p>
<p>Another alternative is to come up with your own algorithm, but it’s not clear that the receiving end would take the risk and accept it. Furthermore, you’ve already implemented a number of tools that inspect this type of traffic, and they’ll become useless, because if you change the paradigm, they won’t understand how to use the algorithm. Neither of these potential solutions is workable.</p>
<p>Therefore, we may be looking at a doomsday-type situation, because most people will be at risk of compromise. Obviously, not everything is created equal. If a company doesn’t have anything highly sensitive that could potentially take it out of business, that’s not the same as governments or militaries with highly classified information whose disclosure would have vast consequences. But that does not mitigate the risk.</p>
<p>Some experts who have gone through this paper say the science looks sound, but it’s not clear whether today’s quantum technology is advanced enough to apply it in practice. Even so, some of them say, it suggests that quantum computers are going to be used to crack encryption earlier than expected.</p>
<p>We need to be smart about the fact that it’s going to happen sometime soon. We need to innovate and disrupt very quickly. We’ll have to find new methods to protect information that don’t rely on a 45-year-old encryption algorithm that we know will be broken at one point or another. This is closer than we think, and we need to start working yesterday.</p>
<p>The post <a href="/quantum-computing-requires-urgent-new-approach-to-encryption/">Quantum Computing Requires Urgent New Approach to Encryption</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
