What CISOs Must Do Now About Quantum? | Interview with Andrew Gault

Dejan Kosutic:

Welcome to Secure and Simple Podcast. In this podcast, we demystify cybersecurity governance compliance with various standards and regulations and other topics that are of interest for consultants, CISOs and other cybersecurity professionals. Hello. I'm Dejan Kosutic the CEO of Advisera and the host of Secure and Simple Podcast. Today, my guest is Andrew Gault.

Dejan Kosutic:

He's the CEO of ZeroTier, a secure overlay platform. And ZeroTier has built the world's first networking platform built from the ground up to be quantum resistant. So in today's podcast, you'll learn how quantum computing will affect cybersecurity, and what security officers and consultants should do about it. Welcome to the show, Andrew.

Andrew Gault:

Thank you. It's great to be back. Had a good conversation last time and looking forward to this one.

Dejan Kosutic:

Great to have you back. And, yeah, just to mention that we had this previous podcast about Zero Trust, a very interesting episode and very interesting topic. Our viewers or listeners can actually take a look at that episode as well. Anyway, let's focus on quantum. So what, or why actually, is this quantum computing so important?

Andrew Gault:

Well, I mean, quantum computers, we've heard about them for so long now. They've always been ten years away for decades. Right? And we're finally getting somewhat closer to where we think they might land. The key thing with a quantum computer is it's based on qubits instead of bits, which I think the easiest way to think about that is it can do almost infinite sums in parallel.

Andrew Gault:

So if you think about the loop in your code, it's got to do everything sequentially. A quantum computer can just try all permutations at the same time. So at least in theory, that speeds up a lot of operations, not all, but many operations can be sped up dramatically to the point where it's effectively instant to solve them. And I think where it's particularly relevant, I mean, to my space and I think to CISOs, is encryption. So there's a quantum algorithm called Shor's algorithm, which again, the computer doesn't exist, but we can already write the algorithm that it would run once it exists.

Andrew Gault:

And so Shor's algorithm is designed basically to factor large numbers and effectively can break classical encryption. So there are terms in the industry: classical encryption, which is mostly what we use everywhere today, and then post quantum cryptography or PQC, which is encryption into the future. So I think, I mean, quantum computers in general will be a huge leap forward for the world. I think they will think of it as basically infinite compute, especially in this AI era.

Andrew Gault:

I think that was, you know, the dramatic changes for all of us and probably for the better. But we do have to consider some of the impacts. Right? And one of the most obvious ones is on cryptography. I think something in the order of 25% of global GDP is digital.

Andrew Gault:

However, digital is a nebulous term. And in general, that all runs in classical encryption. So that is a huge potential impact on the world, which, frankly, I think doesn't get spoken about enough. Right? If we really are within ten years, you know, estimates vary from 2028, through to 2035, incredible estimates now, that so much of global economy could be impacted, so much of what we do day to day could be impacted.

Andrew Gault:

It's probably getting a lot more attention than it currently does. And so it's great to come out of pocket like this and explain to everyone why it matters to them today, you know, not just in 2035.

Dejan Kosutic:

There are many of these, you know, expressions and acronyms like Q-Day, Quantum Readiness, PQC as you already mentioned, CNSA 2.0. What do all of these mean?

Andrew Gault:

They're all basically around the same thing and they're just acronyms for these. Maybe I should just run through them. Right? So I mentioned PQC, post quantum cryptography, as opposed to classical. Quantum resistant, QR, you sometimes see, although less so.

Andrew Gault:

Q-Day is, I think, a terrible, actually, marketing term, but it's for the day when the quantum computer shows up and changes the world. And it's, unfortunately, I would say catching on. So you start to see Q-Day mentioned quite a lot. Another one that I think has come into the consciousness over the last few months is CRQC, cryptographically relevant quantum computer. So quantum computers do exist today, but they just have very few qubits.

Andrew Gault:

So think of a classical computer like, you know, we're talking over right now. Imagine that this classical computer only had, you know, two bits instead of, you know, two fifty six or however many. You can't do much with only a few qubits. So really they're the kind of toys in the lab to kind of prove how these work. But the research is all in increasing the number of qubits such that they can do relevant work.

Andrew Gault:

And I mean, we need to get to thousands and thousands before it's cryptographically relevant, but that's why it's less boom, bang, quantum computer exists. It's more that they are constantly improving now and they're improving quicker. Right? In general, technology improves faster over time. I think it took a hundred thousand years to go from the spear to the bow and arrow.

Andrew Gault:

And now things go a heck of a lot faster than that. Right? So, yeah, that's why people are sitting up and taking notice. So,

Dejan Kosutic:

So what do you think, is there some kind of a consensus on when this Q Day will come?

Andrew Gault:

There's becoming a consensus. So I think just a few years ago, everyone was very much in the woods about ten years away. And the only people that really cared were governments, defense, people who are worried about the attack "harvest now, decrypt later", which is again a term you might see, which basically means if I record all your data and just store it, one day in ten years, I'll be able to crack it and I'll be able to read it. Who really cares about someone reading their data in ten years, twenty years? Governments do.

Andrew Gault:

Defense does. Do I particularly care, you know, about what I might read on Twitter being hacked in ten years? Not really. So there were some, I would say, bureaucratic timelines. The most pressing one is CNSA 2.0, which is a US government one, which mandates quantum resistant cryptography for all new acquisitions after 01/01/2027.

Andrew Gault:

And I believe it's 2029 or 2030 before everything was being converted over. And similarly in Europe, there's European Union, not legislation, but guidance that by I think 2030 critical sectors, meaning infrastructure, telecom, banking, defense, should be quantum resistant by 2030 and everyone else following up in 2035. So again, this was the thinking a year or two ago, and obviously these bureaucratic processes take years, right? To get to them, right? So these deadlines were being designed five years ago.

Andrew Gault:

I think a lot changed over the last year or two, which made it considerably more pressing and why I think everyone should pay more attention. Last year, I think in early summer, a paper came out that was an enhancement to Shor's algorithm that reduced, in theory, the number of qubits required by 20 times. As you can imagine, that makes a big difference. And that kind of moved the timeline forward one year. And then this year, right around RSA in March, three papers all came out pretty much at the same time, within, you know, weeks of each other, which together reduced the number of qubits by another 20x.

Andrew Gault:

And obviously, these things compound. So 20x and 20x is 400x. Right? And things aren't slowing down. Right?

Andrew Gault:

So that, I think that made a lot of news a couple of months ago. Well, it's only a month ago now. Right? And I'm sure many of your listeners would have seen Google announce they did a big press release around this and a blog, and that they were bringing forward their internal deadline for full quantum resistance across the organization to 2029. And very quickly Cloudflare actually followed up with the same internal deadline, which is I think dramatically quicker than people were thinking.

Andrew Gault:

I've been speaking to some well connected people in the industry and the general vibe, and I'm kind of paraphrasing here, was we thought maybe a 10% chance this would be, you know, relevant. A cryptographically relevant quantum computer. It's quite a mouthful. Might show up by 2032. And now we're really thinking that, wow, 2029 to be safe, 2030 for sure.

Andrew Gault:

So that's, you know, in a period of a couple of months or a year, the timeline moved forward by two or three years, depending on who you listen to.

Dejan Kosutic:

So it's very close?

Andrew Gault:

It's very close. Yeah. 2028 is soon. And maybe you haven't asked the question, but I'll say I think this is primarily, and I don't wanna, yeah, I don't wanna scare everyone too much.

Andrew Gault:

I think the new algorithms are designed. The new algorithms exist. In many cases, the software patch already exists. The problem is one of operations, right? It's not that some scientists have to go off and do research.

Andrew Gault:

It's more that, okay, I have a patch, a relatively small patch, but I have to get it onto every single device and system in my organization. And I have to do it now, by 2029, if I wanna keep up with people who probably know a lot more than me. Right? Yeah. And I think that's an enormous endeavor.

Andrew Gault:

Right? I mean, how many routers? How many servers? How many software systems? How many hosts does an enterprise have?

Andrew Gault:

A lot. Do you even know how many there are? And some of them will be a patch. Some of them may need to be replaced. There's gonna be a budgeting exercise.

Andrew Gault:

It's a lot of work. I think it's a multi year effort, frankly. I think it would be a real struggle to do that in months. And well, 2028, you know, 2029 is only about two years away now. So that should be very top of mind, I think, this year already about what's the plan?

Andrew Gault:

What budget do we need? We got to kick this off, you know, as we roll into next year and that budget cycle.

Dejan Kosutic:

Okay. But what about these new encryption algorithms? So are these new algorithms published and are they verified and somehow accepted by the government?

Andrew Gault:

Yes. So the problem, and maybe apologies for being a little technical here, it's mostly the public private key encryption. So usually when we're talking right now, right? We're talking over the internet, the encryption on our video stream is symmetric. So both sides have the same key.

Andrew Gault:

Usually, AES 256 is totally standard. It's been built into Intel chips since like 2013 or something. Right? That is quantum safe. So the symmetric encryption is good.

Andrew Gault:

The problem is how do you and I agree on the symmetric key that we will use? How do I tell you the key I've chosen? Well, that's what public private encryption is for. Right? And I'm sure everyone's familiar with that.

Andrew Gault:

You know, you generate a private key. From that, you can generate a public key. I can give you my public key. It's public. And based on the public key, we can prove that I signed something.

Andrew Gault:

Right? It's that dance, that kind of, you know, little handshake at the beginning, which is susceptible to Shor's algorithm. So if you think about that, it's not just creating the connection, it's also the basis for certificates on identity. And I think last time we spoke in quite some depth about Zero Trust. And what's the number one thing you do with Zero Trust?

Andrew Gault:

Verify identity, all the time, every time, verify identity. But that breaks if a quantum computer exists. I can't really trust your identity. I don't really know, is it really you who's telling me to use this key? So anyway, there are several algorithms. I think the most common one, the one I know because we use it at ZeroTier, is an algorithm called ML-KEM, which is standardized.

Andrew Gault:

So the US government's NIST has actually approved it. FIPS 203 is the approval. That's kind of the official approval. There are other ones, FIPS 204 and 205, which I believe are still in a preliminary phase, but there are other ways to kind of solve this same magic. So like you say, I think the updated PQC algorithms exist.

Andrew Gault:

This is not a research problem or a science problem. At this point, it's not really an engineering problem. These algorithms are in OpenSSL. Right? They exist.

Andrew Gault:

It's just by default, most things don't use them. So how do I go and configure them to patch them, update them? It's an operational and infrastructure engineering challenge.

Dejan Kosutic:

Yeah. Okay, we'll definitely come to this question, but before, you mentioned that there's this threat of harvest now and decrypt later. Are there any other threats because of quantum computing?

Andrew Gault:

The other one, the updated one, is harvest now, forge later, or sorry, trust now, forge later, which I've heard, in fact, an analyst tell me that they were preferring to move to because, like you say, the problem is less the bits on the wire. The problem is the identity, which effectively lets us make that connection. And so if you think about trust now, forge later, it's I can capture your public key now and just know that when the quantum computer shows up, I can generate the private key. And so I can pretend to be you. It's the most pressing one.

Andrew Gault:

I think I saw it framed once as look through the data that you share in your org. And obviously, SAPN, it's a bit like zero trust, right? You don't have to do this across the whole org. It's like, what are the crown jewels? Okay, let's make sure they're updated, they're patched.

Andrew Gault:

The way to think about it is this set of data, is it important, you know, now? Yes. Otherwise you wouldn't have it. Will it still be important next year? Or do I not care that someone could decrypt it next year?

Andrew Gault:

Will it still be important in two years? Will it still be important in three years? And I think with that mindset, there's always some data which is, this is the crown jewels, you know, forever. Obviously priority number one. Some other, you know, data collections maybe, you know, you really don't care whether it's some web logs or whatever.

Andrew Gault:

It's just, it's I mean, it should be updated. I think over time, everything will be updated, but it's not something to prioritize.

Dejan Kosutic:

Okay, so basically the, I would say, deadline, so to say, is very close, like, okay, 2029 or 2030, right? I mean, when the quantum computing technology will be ready, there are already algorithms, new algorithms, which are quantum resistant. So why are companies... okay, maybe I have two questions here: why are companies not moving faster, and is it really only changing the, let's say, algorithm within IT systems, or is this also about something else?

Andrew Gault:

So I think first, why not faster? Again, this has always been ten years away, right? And, you know, we humans, we love to procrastinate. And especially when it's a budget thing, it's like, well, I can just wait a year. I can wait two years.

Andrew Gault:

Does it really matter? And it reminds me, remember the Y2K bug? And you remember that was very well publicized. Everyone knew about it. I can still remember, you know, feeling a little nervous, like, the day before that new year.

Andrew Gault:

That was because we'd known about it for decades, but almost everyone updated their systems like two weeks before New Year. Right? You can remember the news cycle. Everyone delayed to the last possible moment. But here, we have a deadline that's unknowable and it's not public.

Andrew Gault:

Imagine Y2K didn't actually have a hard date, and now you wanna wait or maybe not want to. The inclination is to wait to the weeks or the months before that deadline, but we don't have a hard deadline. And it's even worse than that. Google also said as part of their announcement that they would stop publishing their research because they now thought it was so close that they would be giving away effectively national security secrets. Right?

Andrew Gault:

And it no. Remind me. I wasn't around. But prior to the atomic bomb, there was a lot of research and research labs in the decades leading up to that all in public. And then the last few years before the atomic weapon showed up, everything stopped and was top secret.

Andrew Gault:

And I think we might be starting to enter that phase. And when the US government or the Chinese government or someone else develops a quantum computer and it works, they're not gonna make a press release. Right? You're not gonna know. And it might be years before you know.

Andrew Gault:

And how are you gonna know? It's probably gonna come out because there was some attack. Probably, I would guess, with Bitcoin or Ethereum or one of these crypto chains, because that's where you have an awful lot of value dependent on pure cryptography. So it's the natural place to be attacked first. And I should throw out here that all the classical crypto chains are classical encryption and completely, you know, susceptible to this.

Andrew Gault:

There is existential Bitcoin risk potentially two or three years away, which again shocks me that it isn't in the headlines more. But imagine Y2K potentially had an adversary trying to come up with that deadline who was doing it in secret. So I think we all kind of have to take it upon ourselves to force ourselves to be proactive. There will be no forcing function. And if you're relying on a headline in The New York Times to be your forcing function, that's pretty horrific.

Andrew Gault:

Right? Because that's way too late. If you haven't done anything and that headline comes, for all you know, you've already, you know, been attacked. So, yeah, again, it's hard not to doom-monger in these conversations. I don't think it's like panic, hair on fire.

Andrew Gault:

We have years. I think what's the takeaway here for me is this needs to be something you're thinking about and actively planning for now because it's a multiyear journey. I feel like you asked me a second part to that question, and I've forgotten what it was.

Dejan Kosutic:

Basically, is it I mean, for companies to prepare, is it as straightforward as only, let's say, changing these algorithms and introducing the quantum resistant algorithms, or is there also something else to it?

Andrew Gault:

No, I mean, I think that's as much it. It's more that it's pretty hard because there's a lot of systems out there. Right? I have a relatively small company. I would find it hard to make a full inventory of every system, every connection.

Andrew Gault:

Mhmm. So I think the classical advice here from, you know, the big, big analyst firms is to inventory, basically build a QBOM, build a quantum bill of materials, inventory all your connections, all your, you know, your hosts and your servers, and what kind of cryptography they're using. And then with that giant inventory, make the plan, you know, in what order do I upgrade them? Is this a simple software update? Well, it may just be a configuration change.

Andrew Gault:

One, that's obviously easy, although you do have to touch the device. Is it a software update? It may already exist. Do I have to go back to the vendor? Is there something hardware related where I do have to do an upgrade cycle?

Andrew Gault:

I have to tear out and replace. And then, of course, it's pretty obvious when you think it through, we're gonna end up on those legacy systems. Those, you know, that old COBOL system that's running on some server in a closet that no one's touched in twenty years. What do I do with that? Right?

Andrew Gault:

Can I update it? And I think that's where things like overlay networks like ZeroTier come in, because we enable you to put a small router or something in front or encapsulate that and make it effectively quantum resistant over the wire without needing to actually patch that server. Another approach, but again, it's one that's going to take a lot of planning, right? And you need to know, if you did go down the ZeroTier route, where do I need to install it, right? So there are some pretty clear solutions.

Andrew Gault:

Like I say, this isn't a science or an engineering problem. It really is just a giant, you know, it's a project management problem, right? It's a big task.

Dejan Kosutic:

Okay. And since, you know, it will take a huge effort actually to kind of inventory everything and do the whole change. So how should actually the executives, let's say, focus? Should they focus first on a particular type of systems or a particular type of data?

Andrew Gault:

I think, well, yes, of course. Right? And I feel I always give you the same answer as with a Zero Trust conversation, right? It's like you start with the billing, the crown jewels, the customer data, and you work down. I think what's maybe more interesting is thinking through the complexity of how this happens within an organization, because I feel, I assume the CISO is gonna get this and understand why it's a problem, right?

Andrew Gault:

And then you have to go to the budget owner, which is probably the CIO, and convince them why this is more pressing. I would expect a CIO is a little more technically leaning and will probably be a relatively easy sell. But this is such a large, operationally complex thing that it's probably gonna have to pull more of the C suite in, right? The CEO is probably gonna have to be aware of this. And that side of the organization usually thinks in terms of quarters and a year, and obviously thinks of revenue on the upside.

Andrew Gault:

Doesn't usually, in my experience, like thinking about costs, and effectively it's insurance we're talking about, and potentially a large insurance bill. So getting this through the organization could be tricky. I think it helps a lot that it's Google that made the announcement. And I don't mean the science, I mean the name. Because when someone like, well, my company is explaining that this is a problem and the CISO gets it, it's a tough sell to a CEO and, you know, the ultimate budget owner.

Andrew Gault:

But when you can say, look, Google says, here's the blog Google says, which is written frankly in a way a layman could understand, and you can link that to the CEO, I think it really helps that conversation and speeding it forward.

Dejan Kosutic:

What do you expect? Kind of, let's say, what percentage of IT budget is this change going to take? Is it like, I don't know, five to 10% or more like 20 to 30 or maybe 50% of the IT budget?

Andrew Gault:

It's so hard to say because it depends so much on the layout of the organization, right? It's probably a factor of how many systems you have. And I would think, if I just step back and first principle it, probably the age of your systems. Right? If you have modern, you know, if your organization popped into existence last year and you bought everything new, it's probably already in there in some fashion, it's just configuration, and that's relatively cheap.

Andrew Gault:

If things are relatively modern, it's still being patched, still getting updates. This is on, you know, most of the vendors' radars. Right? If you look back over the last year or two, there have been announcements and releases from almost every vendor, right? The patch exists.

Andrew Gault:

So again, it's more of a manpower problem rather than a big heavy one. I think where it's gonna start getting expensive is if you're an organization that's been around a long time, hasn't, say, invested into upgrading and replacing systems, networking gear, servers in a while, you know, things worked, your business was stable. There was no need to, you know, no judgment there. This suddenly gets expensive because if you're on an older version of the software, you're on the previous platform of the router hardware, and the vendor is only giving security updates at this point, or even worse, not updating at all, then we're in rip out and replace territory. And that obviously gets very, very, very expensive, very, very quickly.

Dejan Kosutic:

Yeah. And very long.

Andrew Gault:

Yes. Yes. And again, I should say, and apologies, I don't mean to, I'm not trying to make a plug here, but the other way of using some kind of overlay network is it's much cheaper for that legacy system. And I think that's where our sweet spot is. If you've got the modern stuff and you just need to make a configuration change or patch it, as you should be doing anyway, go for it. That's gonna be cheaper and easier.

Andrew Gault:

It's when you have legacy systems and you're just not quite sure. Again, might I have missed a system? Might there be a hole here? An overlay network like ZeroTier. Or right now, we're the only quantum resistant one.

Andrew Gault:

I expect there will be others showing up in a few years. An overlay network over the top of your network solves it quite neatly and quite cheaply. Cheaply because it's software only. You're not tearing up hardware now.

Andrew Gault:

It's software that you can install in front of or on the device. That's a known quantity. That's quick. And if you're going over, frankly, a quantum resistant VPN, which is effectively what it is, you know, at a lower layer, you don't really care if the underlying physical network is classical encryption. Right?

Andrew Gault:

You can know. So, saying that, it might be easier. It might be cheaper, but it will still cost you some budget. Right? You know, these are state of the art bits of software.

Dejan Kosutic:

Okay. And how should CISOs actually, or what should CISOs ask from their vendors, you know, having this perspective of quantum computing coming?

Andrew Gault:

I mean, yeah, I think it's a good point. I would explicitly ask them, you know, what are you doing? Is this on your radar? So when I say almost all the vendors have sent out updates or patched things, I'm thinking of the big ones. Right?

Andrew Gault:

The big legacy kinda network vendors. We're in a networking space. But there are a lot of niche players, right? And you obviously have a, we have a wide listener base here and there will be a lot of people in more niche industries, which, you know, have vendors, hardware vendors, which are specific to that niche. And the worry here, or the hypothetical, is that vendor has also been in ten years mode because maybe they're a slightly smaller company, you know, hey, that's next decade's problem.

Andrew Gault:

And is that vendor now waking up over this last few months? I hope so. But what's the roadmap look like? What's their timeline look like? Again, it's hard to say without knowing the specifics, but I would expect all will have a plan or a roadmap or will very quickly be making one.

Andrew Gault:

I don't think, or I would be surprised if you had to change vendor over this given we have a couple of years, but this is all part of the planning process, right? It's now, and which vendors do you even reach out to? Well, it's time to make an inventory.

Dejan Kosutic:

And should companies already start communicating, let's say, this issue towards their customers?

Andrew Gault:

I don't think so. I think, and again, I've said myself a couple of times, even in this conversation, I don't mean to fear monger, because the house is not on fire. It's more like there's a much higher chance the house will go on fire in a couple of years. Right? So communicating to customers the risk, I think, is just gonna worry customers for no reason at this point.

Andrew Gault:

I do think the inverse of that is totally true, right? It's announcing to your customers that you are quantum resistant, that you do have PQC throughout is a win, especially when your competitors may be behind or maybe a little flat footed. Right? There's a reason Google didn't quietly do this, but made a big splash and posted a blog and a press release. Right?

Andrew Gault:

There's a real PR win there. They start to look like thought leaders. They look like at the front of the line. And, you know, when you're trying to sell them to a customer, you want the customer to feel safe and comfortable, right? It's like sales as much about emotions as it is about the technicalities and feeling confident and comfortable and just getting the warm fuzzies.

Andrew Gault:

I think this is a good way, right? You still see in websites all the time, your checkout is encrypted with state of the art SSL encryption. It's like, well, it was state of the art back in the nineties. I don't remember when that started, but it works. So I wouldn't be messaging any risk.

Andrew Gault:

I don't think there's a liability issue there yet where you would have to. I think at the moment, it's still a PR win. If you haven't done anything, you know, and it's 2029, then maybe there's a liability and a disclaimer type argument for announcing. I would say, again, if you think through the auditors, you know, SOC 2 audits or ISO 27001 audits, right now, all those audits are framed as you must use, quote, state of the art encryption. And I would argue PQC is state of the art. But at the moment, at least, the auditor doesn't think that.

Andrew Gault:

So you can use classical encryption today, this year, and the auditor is not gonna ding you for that. Right? But again, that will change. When will it change? I don't know.

Andrew Gault:

I'm not on the committees that are setting these up. I think they're gonna move faster than governments. I would be stunned if all these regulatory deadlines didn't move forward, and if there wasn't even a legal law dictating PQC with a hard deadline, you know, by 2030. These are not government.

Andrew Gault:

I think they will move quicker. It wouldn't surprise me if next year, state of the art was starting to be interpreted as PQC. And just getting your SOC 2 certificate and getting through that audit next year required maybe not fully deploying this, but at least having a plan to show the auditor. So I think there's gonna be some forcing functions, whether you like it or not, in the nearer term.

Dejan Kosutic:

Yeah, actually the same thing happened with Y2K, because the auditors were actually requiring you to resolve the Y2K before wasn't.

Dejan Kosutic:

OK, and what do you think? How will the role of the CISO change actually as this new, let's say, technology is coming?

Andrew Gault:

I'm not sure it changes much from what it is right now, right? I think it's still there, responsible for security within the organization, still a little bit of a sales job to try and get budget and a little bit seen as a cost center. I think that's just one of the complexities of the role. I think this is a good way to increase the standing within the organization, because this surfaces to the CEO, right?

Andrew Gault:

It bubbles out of your immediate kind of team, the CIO, the engineering side of the house, and kind of bubbles up through the CEO. I expect that this will hit boards, right? I'm not sure if the board cares in great detail, but it will probably be more than a footnote in board decks. And it's a way, I think, to raise your profile if you're a CISO, right? It's not often you get a project which can bubble up to board level.

Andrew Gault:

So I think, if you wanna increase your political capital, it might be something to maybe prioritize yourself so that you appear incredibly well prepared and ahead of things, so that when it does bubble up outside the normal orbit, you and your organization look good.

Dejan Kosutic:

And could CISOs or tech executives in the company actually use this opportunity, use this, let's say, threat, for doing something else on the side? Because this will certainly take a huge, I would say, overhaul of their IT systems. So what else could they actually do as part of this bigger project?

Andrew Gault:

Great, great question, which actually I found myself suggesting to a customer just last month. You're now going to inventory and touch every system. It won't be an easy touch, it might be a difficult touch, but you will touch everything. Now sounds like a great time to maybe get some more budget to replace some of the older legacy systems, right? I mean, legacy systems in this context are a major, major, major headache, but they were already a headache, right?

Andrew Gault:

They were already the security risk in the organization. They were already some kind of special case that you had to monitor. And this feels like a great way to engineer some extra budget for yourself to get those replaced, get them upgraded, right? If you're gonna touch everything, do you wanna waste that time touching and finding some bespoke solution for some legacy system? Or is now the time to finally actually say, hey, look, the cost to just keep this running now outweighs the cost of updating? Or, sorry, the cost of updating outweighs the cost of maintaining.

Andrew Gault:

It's finally time. Let's just tear this out and be done with it. I think there's a huge opportunity there. And definitely, again, you have eyeballs from the ultimate budget owner and you have a plausible and conceivable argument. Right?

Andrew Gault:

So I would use it for sure.

Dejan Kosutic:

And again, if we draw a parallel to Y2K, the same thing happened then. Right? Many companies went through their legacy systems back then, because of this really good reason. Yeah.

Andrew Gault:

Yeah. And again, I mean, if you were around, sorry to interrupt, if you were around doing Y2K, I think that was hard, but you had a deadline. I think what's tricky here is there's no deadline. And when it happens, it will happen in secret.

Andrew Gault:

So maybe one should, maybe you should, unapologetically doom-monger, actually. Maybe choose the opposite of my advice. Right? So I think it depends a lot on the organization, how you work around that. There'll probably be some politics involved.

Andrew Gault:

But yeah, it's very, very similar to the Y2K problem, but a little riskier because of the lack of that hard deadline.

Dejan Kosutic:

Do you think that companies will have to change some security processes or, let's say, roles because of quantum?

Andrew Gault:

I'm not sure. I think it is mostly the same, right? We are already using encryption in these places. We should, in theory, already have an inventory of all the encryption used in the organization, right? There's, you know, how long are the keys, right?

Andrew Gault:

Are they long keys? Are they short keys? When were they last cycled? These are all things we should be doing. And this is just, you know, a thing added to that process.

Andrew Gault:

So, it just happens to be a really big one, right?

Dejan Kosutic:

Yeah, yeah. Yeah. Okay, and this also seems to me like a great opportunity for consultants, right? They usually... So, like, with these kinds of big... what kind of advice would you give to consultants, and what should they focus on? Where is the market for them?

Andrew Gault:

Start prepping those sales decks. Right? And it's gonna be the legacy systems. Right? I think that's where the gold lies.

Andrew Gault:

I mean, the crown jewels. We've all heard of these organizations. And I said, I mean, jokingly, that system in COBOL that no one's touched for twenty years. Those do still exist in most organizations. It's not just a flippant example.

Andrew Gault:

It's like, that's true. That is there, you know? You go to get cash out and the ATM has crashed and there's a Windows 95 desktop staring back at you, right? These systems are still out there. Many organizations, they don't have anyone, I guess they do have an owner, but they don't have anyone who wants to be an owner.

Andrew Gault:

And they probably don't have anyone itching to take on the project of updating that. And it's also a one-time need. Right? If we update that and make it PQC and make it secure, it's a project. It's a big project.

Andrew Gault:

It might be an expensive project, but it has an end time and it's done. It's not something that's hitting every quarter or every year. So if I'm running my organization, everything about that just screams consultant or contractor. Right? Just, okay, come up with a plan, come up with a budget, let me sign off and outsource this.

Andrew Gault:

I'm not gonna hire for this, right? I'm not gonna add people to payroll for this. It really is one and done. So yeah, good time to be a consultant for this one.

Dejan Kosutic:

Yeah, definitely. Okay, to wrap things up, what would be your top recommendations for security officers in companies, you know, with regards to this upcoming quantum?

Andrew Gault:

Yeah, I'll reiterate a lot of what I've said over the last forty minutes. I think the time is now. Don't wait till next year. If we're serious about 2028, we need to be doing this next year. And that means getting the budget and the plan this year.

Andrew Gault:

And that means, you know, we're already almost halfway through the year, right? So this is a now project for you, and start with the inventory, right? What do I have? What is the scope of the systems? What vendors do I need to talk to?

Andrew Gault:

I think it's an enormous task inventorying every single network connection in an organization, to the point where it's a fool's errand. But I'm sure you can quite quickly come up with a macro-level inventory and get an idea of the scale of the project, and start, you know, pre-selling that through the organization, what's coming. And basically, I'm saying plan for the plan, because I think by the end of this year, I mean budget season, you'd better have a pretty concrete plan in place.

Dejan Kosutic:

Yeah. Great. And thanks. Thank you for these insights, Andrew. And it's been a pleasure talking to you.

Andrew Gault:

Yes, great fun conversation and look forward to coming back some other time in the future. Thank you.

Dejan Kosutic:

Sure, it's gonna be great. So thanks again and thank you everyone for listening or watching this podcast and see you in two weeks time in our new episode of Secure and Simple Podcast.

Dejan Kosutic:

Thanks for making it this far in today's episode of Secure and Simple Podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On the Advisera website you can check out various tools that can help your business.

Dejan Kosutic:

For example, Conformio software enables you to streamline and scale ISO 27001 implementation and maintenance for your clients. White-label documentation toolkits for NIS 2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients. Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy, with numerous videos for NIS 2, DORA, ISO 27001 and other frameworks, enables you to organize training and awareness programs for your clients' workforce. Check out the links in the description below for more information.

Dejan Kosutic:

If you like this podcast, please give it a thumbs up, it helps us with better ranking and I would also appreciate if you share it with your colleagues. That's it for today, stay safe!
