Navigating the Digital Future: Threading Trust, Innovation, and Governance
Cybersecurity is no longer seen as the sole responsibility of the CISO but as something that could potentially impact the entire organisation, says Christopher Painter, president of the Global Forum on Cyber Expertise Foundation.
“Understanding cybersecurity is no longer something that is beneath the attention of the CEO or CFO. Especially when it comes to threats like ransomware, which impacts business operations. CISOs understand how ransomware works at a technical level, but CEOs understand the business interruptions it causes, too,” observed Painter.
As the threats faced by organisations continue to evolve at a breakneck pace, how can security and business leaders work together to build trust, foster innovation, and advance governance in the face of emerging technologies?
New technologies, new threats
To begin with, navigating the digital future requires CISOs to be ready for new and anticipated threats arising from new technologies. Take quantum computing. As research progresses on advanced quantum computers, the potential for these machines to disrupt existing cryptography is very real.
To put this into perspective, Professor Lam Kwok Yan, the associate vice president of strategy and partnerships at the Nanyang Technological University (NTU), explained that a quantum algorithm must first be designed to attack a specific cryptographic algorithm. Therefore, it’s unlikely that a quantum computer would crack every cryptography algorithm on its debut day.
“There is still a process of designing what we call quantum algorithms to break cryptographic systems. These systems are usually based on mathematical structures. Not anything can be broken or take advantage of quantum computing,” said Prof Lam.
However, this notion goes out the window for vulnerable algorithms: “There is existing work that is proven to break a cipher if a quantum computer is available. So certain algorithms might prove vulnerable the moment a sufficiently powerful quantum computer is introduced.”
Preparing ahead of time
Thankfully, work has already begun on post-quantum cryptography systems, which in theory would stymie even quantum computers by taking an infeasible amount of time to crack. Until such algorithms become widely deployed, what can organisations do to prepare themselves?
Prof Lam advises organisations to take a closer look at their cryptographic modules, whether they would be adversely impacted by quantum computers, and how they might strengthen them.
“Of course, it is not so straightforward as simply swapping out the algorithm. It's a matter of software architecture, and how to upgrade the cryptographic algorithm seamlessly.” Pointing to how financial institutions successfully migrated from DES to 3DES encryption decades ago, he said: “In cybersecurity, it's always good to be aware of the potential threat, the risks, and prepare ahead of time.”
It is worth noting that new technologies can also aid cyber defenders. Generative AI, for instance, can help cyber professionals dramatically ramp up their productivity.
“Cybersecurity analysts often focus their efforts on security logs and analysing network activities. When anomalies are discovered, they need to turn their findings into a report and send out an advisory. We’ve noticed security professionals using generative AI to quickly create security advisories, allowing them to distribute their findings much faster.”
The foundation for innovation
On his part, Painter emphasises the need to strike the right balance when addressing future and current threats. “You can't just focus on new threats and ignore existing challenges. You must look at both, stay aware, and prioritise accordingly.”
Another consideration is gaining the trust of customers, which is increasingly vital as consumers become more aware of data privacy concerns. “CISOs and C-suites must understand how important data is and that it's a long-term relationship with their customers. Cybersecurity is critically important here. If you're losing data and customers lose trust in your business, that hurts your business.”
In Painter’s view, cybersecurity is the foundation for innovation, not the opposing force people often perceive it to be. “Think about it, good cybersecurity fuels innovation. You produce something valuable. But because it has lots of vulnerabilities, it gets hacked quickly, it breaks down and is not reliable. That doesn't help you; it hurts innovation. And you lose the trust of your customers.”
He outlined an ideal scenario where security professionals are roped into discussions with product teams and vice versa: “You need to promote conversations between those two camps. You can't have two silos; you need them working together.”
Reaching out, planning ahead
In closing, Painter noted that governance is important, but will only work if it is well designed. “The wrong kind of regulation could inhibit innovation, but the right kind of regulation that establishes a baseline level of security can protect data and help innovation.”
CISOs, on their part, should rally senior executives, stakeholders, and their organisations to raise the bar on cybersecurity. “Don't just look inward at your little fiefdom. I think CISOs need to be storytellers or messengers within their organisations. They need to find ways to translate technical terminologies and challenges into concepts their colleagues can easily grasp.”
On his part, Prof Lam called on organisations to evaluate the threat posed by quantum computing sooner rather than later. They should ensure that they can upgrade their cryptographic technique when the time comes, and prepare by experimenting and implementing pilot projects rather than relying completely on second-hand information.
“You don't want to get into a situation where your cryptography technique is shown to be vulnerable. And then you have to shut down your system because you're not prepared,” he concluded.