Now is the time for CISOs to prepare for quantum computing
As we make headway into 2023, corporate entities both big and small are continuing to reckon with the threat of routine large-scale hacking and data breaches. Last year saw migration to the cloud at a record level, which in turn created an array of new weaknesses for cyberattacks. Whilst Chief Information Security Officers (CISOs) will undoubtedly be preoccupied with managing their approaches to cloud security this year, the next generation of threats is closer than expected.
Quantum computing has long been the fascination of nation states and computing giants, looking to pull ahead in the cyber race and protect vital state secrets. Countries like the U.S. are actively prioritising the acquisition of, and migration to, IT systems with post-quantum cryptography across entire governmental departments.
Although the situation is much more urgent at the geopolitical level, the majority of companies are also increasingly fearful of the dangers of quantum computing, and in particular of the threat that “harvest now, decrypt later” attacks could pose to corporate cybersecurity structures. With IT giants already starting to commercialise quantum computing, many CISOs are beginning to ask what they can do to ready their company for the threats posed by quantum computing.
While expectations for the day that quantum computing can break RSA encryption have lingered around the 2030 mark, the date has drawn increasingly near as record levels of investment are pumped into preventing a geopolitical quantum capability gap.
The American National Institute of Standards and Technology (NIST) has announced that a new post-quantum cryptographic standard will be launched in 2024 for commercial use, which will likely provide the first major guidance for western companies in transitioning their corporate cybersecurity structures. Ahead of that day, there are some essential steps that all CISOs should be undertaking to ensure that the transition is as smooth as possible.
As CISO, you can employ a wide range of tactics to help manage the potential security concerns posed by quantum computing which could threaten your organisation.
Strategies such as securing encryption keys generated at the source and destination with an additional layer of encryption can make things more difficult for attackers planning ‘harvest now, decrypt later’ approaches in particular.
Although zero trust has prevailed in the cloud environment, utilising a castle-and-moat approach to identify the data landscape that needs to be protected can allow cybersecurity teams to deploy hair-trigger alerts around and inside the identified data estate, so that a breach is detected as soon as it occurs. Having a defined isolation and lockdown standard operating procedure will also be critical to keeping attackers out in case of any breach.
Keeping one eye to the future through continuous monitoring of the quantum computing environment for any anomalies will also be of increasing importance to defend against potential breaches.
Quantifying Cyber Risk
One of CISOs' top priorities this year should be developing a clear process for cyber risk quantification. When presenting to the board, CISOs must be in a position to clearly portray a company’s cybersecurity preparedness against different eventualities. This should involve benchmarking against global standards and a detailed breakdown of the potential mitigation of risk offered by additional technology controls.
Demonstrating this risk and the ROI of increased cybersecurity controls will mean CFOs are much more likely to approve relevant investments in future. This will be critical for preparing not just yourself, but your board for a post-quantum future, where investments will need to be readily made for a range of potential solutions.
This will also be important given the likelihood of a shifting insurance landscape in a post-quantum world. Given that many organisations rely heavily on cyber insurance to transfer their maximum risk liabilities, it is important that CISOs can demonstrate excellent control implementation, backed by well-defined processes, to help minimise premiums and deliver cost savings where possible.
Top-tier cloud protection
Large scale shifts to the cloud in recent years have meant that regular cloud security assessments, beyond the implementation of technology controls, are no longer optional but essential. CISOs will have to perfect their approaches to cloud security over the next few years, in order to provide the best possible defences against hackers looking to steal data with the hopes of being able to decrypt it in a post-quantum world.
In the case of cloud, shadow IT is a major area of concern, with unsanctioned applications becoming a serious security threat. Identity has become another key concern, since the majority of security breaches are attributed to credential theft and compromise. With DevOps also moving to the cloud, security will become an extremely critical part of application development.
CISOs therefore need to develop a cloud security strategy that continuously protects and monitors (a) users, (b) infrastructure and (c) data, with the right governance methodologies. Organisations will be looking to CISOs to develop integrated approaches that remain relevant across the board as they increasingly adopt a multi-cloud strategy.
In providing the best protection against data harvesting attacks, CISOs will need to evaluate their usage of Managed Detection and Response (MDR), under which they can hand over full monitoring and response to a third party. Being prepared for breaches that occur when in-house teams have limited availability is a necessity, and an incident response retainer (IRR) will allow teams to face cyberattacks at all hours and mitigate risk through immediate responses.
Alongside this regular monitoring, proactive measures such as red teaming, configuration review, continuous control validation and external attack simulation all form essential ingredients in effectively future-proofing corporate cybersecurity. Security orchestration and automation should be on the agenda of every CISO to ensure increased incident management efficiency. This can be attained by automating mundane tasks at the security analyst level to begin with, and maturing over the years with proven playbooks that take remedial actions in an automated manner. Ongoing work on XDR evolution should also help to bring better intelligence across SaaS applications into a single dashboard.
As the corporate world awaits the imminent adoption of next-generation cybersecurity approaches, CISOs will have the difficult role of juggling the pressing need to perfect approaches to contemporary threats, while keeping an eye to how they can defend against the next generation of attacks.
Any organisation which holds RSA-encrypted data pertaining to topics such as banking details, national security issues, medical records and more should be building the quantum future into its long-term planning, because on current trends it is becoming clear that the future could be here sooner than we think.