Evolving role of CISOs : Quantum Safe for Financial Services
The role of the Chief Information Security Officer (CISO) is evolving in response to the growing complexity of modern threats. While cybersecurity remains a core responsibility, businesses are now looking to CISOs to address a broader range of security challenges.
- Observations from the WEF Global Cybersecurity Outlook 2024 show growing cyber inequity between organizations that are cyber resilient and those that are not. The number of organizations that maintain minimum viable cyber resilience is down 30%.
- Emerging technologies will exacerbate long-standing challenges related to cyber resilience. Only 1 in 10 believe that in the next two years, generative AI will give the advantage to defenders over attackers.
- The cyber-skills and talent shortage continues to widen at an alarming rate: only 15% of all organizations are optimistic that cyber skills and education will significantly improve in the next two years.
Implications of Post Quantum Cryptography (PQC) to CISOs
- The recent release of post-quantum cryptography standards by the National Institute of Standards and Technology (NIST) is seen as an inflection point in cybersecurity, as NIST standards are the global benchmark for cryptography.
- In the digital world, the security of sensitive data and communication depends on cryptography. By using cryptographic schemes (AES, RSA), organizations provide protections for confidentiality, authenticity, and integrity, ensuring that only authorized parties can access or make changes to data. For example, in the case of RSA, a quantum computer could break RSA-2048 in a matter of hours by applying Shor’s algorithm. RSA secures sensitive information such as financial details and protects transactions such as credit card payments. Organizations also use RSA encryption to protect private information in emails and web browsers.
- Industry implications: Financial institutions, as custodians of vast amounts of sensitive data, are at the forefront of quantum-driven risks, with the implications of a quantum attack on core systems potentially leading to monetary losses, reputational damage, and systemic risk.
- “Harvest now, decrypt later”: It is time critical for organizations to begin securing their data and infrastructure with the new quantum-safe algorithms. Data not secured today using PQC is vulnerable to “harvest now, decrypt later” attacks, whereby bad actors steal data and store it until a cryptographically relevant quantum computer becomes available to decrypt it.
- 3 PQC standards finalized by NIST include: ML-KEM - a key encapsulation mechanism selected for general encryption, such as for accessing secured websites; ML-DSA - a lattice-based algorithm chosen for general-purpose digital signature protocols; SLH-DSA - a stateless hash-based digital signature scheme
The Long Road Ahead: While NIST standards are a significant milestone, these algorithms represent only a part of the overall solution and are still years away from widespread adoption.
- Poor efficiency and increased cost: Post-Quantum Algorithms (PQAs) tend to be less efficient and more expensive for certain use cases.
- Ongoing Security Concerns: Migrating to new cryptographic standards presents challenges, especially for organizations unaware of how cryptography is used in their existing technology infrastructures – software upgrades, H/W adaptations, Operational procedures…
- Crypto agility: This transition involves more than just upgrading software; it requires a comprehensive overhaul of digital systems to ensure they are resilient against quantum threats. NIST itself has predicted that “it may be decades before the community replaces most of the vulnerable public-key systems currently in use.” There will be more standards, new versions, deprecated libraries, etc.; hence building architectural agility is key while migrating to new standards.
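The first practical step behind the points above (knowing where cryptography is used, which uses Shor’s algorithm breaks, and which data is exposed to “harvest now, decrypt later”) is a cryptographic inventory with a triage rule on top of it. The following is an added example written for this article, not code from any organization or from NIST: it takes a constructed inventory of cryptographic uses, classifies each as quantum-vulnerable or not, maps vulnerable uses to the NIST PQC family that replaces them (ML-KEM for key establishment, ML-DSA or SLH-DSA for signatures), and flags confidentiality uses whose data must stay secret for a long time as HNDL priorities. The `HNDL_HORIZON_YEARS` threshold, the inventory entries and the data-lifetime figures are placeholders chosen for the example; the AES-256 hedge for symmetric keys is standard migration guidance rather than something the article states.

```python
"""
Crypto-inventory triage for a PQC migration (added example; not from the article).

Input : a constructed list of places where cryptography is used in an estate.
Output: each use classified as quantum-vulnerable or not, mapped to the NIST PQC
        replacement family, and flagged when it is exposed to harvest-now-decrypt-later.
"""
from dataclasses import dataclass

# Public-key primitives whose security rests on factoring or discrete logarithms,
# i.e. what Shor's algorithm breaks. Names are as they appear in the inventory (assumption).
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH"}

# NIST PQC replacement family by purpose.
PQC_REPLACEMENT = {
    "key-exchange": "ML-KEM",
    "encryption": "ML-KEM (wrapping an AES data key)",
    "signature": "ML-DSA or SLH-DSA",
}

# Placeholder: data that must stay confidential at least this long is treated as
# exposed to harvest-now-decrypt-later. The article gives no figure; pick your own.
HNDL_HORIZON_YEARS = 10


@dataclass
class CryptoUse:
    system: str
    algorithm: str            # e.g. "RSA", "AES", "ML-KEM"
    key_bits: int
    purpose: str              # "key-exchange", "encryption", "signature", ...
    data_lifetime_years: int  # how long the protected data must remain secret


@dataclass
class Finding:
    system: str
    quantum_vulnerable: bool
    hndl_exposed: bool
    recommendation: str


def assess(use: CryptoUse) -> Finding:
    """Classify one cryptographic use and produce a migration recommendation."""
    alg = use.algorithm.upper()
    vulnerable = alg in QUANTUM_VULNERABLE
    # HNDL only matters for confidentiality: a signature forged in the future
    # cannot retroactively decrypt traffic captured today.
    confidentiality = use.purpose in ("key-exchange", "encryption")
    hndl = vulnerable and confidentiality and use.data_lifetime_years >= HNDL_HORIZON_YEARS
    if vulnerable:
        rec = "migrate to " + PQC_REPLACEMENT.get(use.purpose, "a NIST PQC standard")
        if hndl:
            rec = "PRIORITY (harvest-now-decrypt-later exposure): " + rec
    elif alg == "AES" and use.key_bits < 256:
        rec = "symmetric primitive is not broken by Shor; consider AES-256 in the same migration"
    else:
        rec = "no quantum-driven change required"
    return Finding(use.system, vulnerable, hndl, rec)


def triage(inventory):
    """Assess every use and order the findings: HNDL priorities first, then other vulnerable uses."""
    findings = [assess(u) for u in inventory]
    findings.sort(key=lambda f: (not f.hndl_exposed, not f.quantum_vulnerable, f.system))
    return findings


def sample_inventory():
    """Constructed inventory for a fictional financial institution (example data only)."""
    return [
        CryptoUse("customer-records key wrapping", "RSA", 4096, "encryption", 25),
        CryptoUse("online-banking TLS front end", "ECDH", 256, "key-exchange", 7),
        CryptoUse("payment message signing", "ECDSA", 256, "signature", 7),
        CryptoUse("data-at-rest volume encryption", "AES", 128, "symmetric-encryption", 25),
        CryptoUse("audit log integrity", "HMAC-SHA256", 256, "integrity", 10),
        CryptoUse("pilot PQC VPN", "ML-KEM", 768, "key-exchange", 25),
    ]


def summary(findings):
    """Headline numbers a CISO would put on a slide."""
    return {
        "total": len(findings),
        "quantum_vulnerable": sum(f.quantum_vulnerable for f in findings),
        "hndl_priority": sum(f.hndl_exposed for f in findings),
    }


if __name__ == "__main__":
    results = triage(sample_inventory())
    for f in results:
        print(f"{f.system:32} vulnerable={f.quantum_vulnerable!s:5} hndl={f.hndl_exposed!s:5} {f.recommendation}")
    print(summary(results))
```

Running the block prints the constructed inventory ordered with the single HNDL priority (long-lived customer records wrapped with RSA) at the top, followed by the remaining quantum-vulnerable uses, then the symmetric and already-PQC entries. The point of keeping the algorithm-to-replacement mapping and the horizon in data rather than in code is the crypto agility the article calls for: when NIST publishes further standards or deprecates a library, the inventory rules change without touching the triage logic.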
With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt to meet the cyber challenges of the future?