2023 Predictions
Tuesday, December 6, 2023
The cybersecurity arms race is accelerating. That’s the clear lesson of 2022 for those of us committed to protecting organizations from the perils of cyberattacks. But what about the year to come? Join our host Ken Kadet as he speaks to the experts to find out their predictions for cybersecurity in 2023.
Transcript
Ken Kadet: Cybersecurity arms race is accelerating. That's the lesson of 2022 for those of us committed to protecting organizations from the perils of cyber attacks. We like to think we grow smarter and more capable by the day, but so do the threat actors. While one might argue that expect the unexpected is the only surefire prediction anyone can make, today we're going to put on our pointy hats and gaze into our crystal balls. I'm Ken Kadet and this is the Entrust Cybersecurity Institute Podcast and this is our 2023 prediction show. So with me, our three Entrust experts and today at least prognosticators, we have Anudeep Parhar, Chief Operating Officer and with a heavy focus on transformation of digital infrastructure. Hi Anudeep.
Anudeep Parhar: Hey Ken. It's a pleasure to be here.
Ken Kadet: And we have Greg Wetmore, our VP of software development and expert at many things. Hello.
Greg Wetmore: Hello Ken. Thanks for having me.
Ken Kadet: And Mark Ruchie, Entrust Chief Information Security Officer. Hello, Mark.
Mark Ruchie: Hello Ken. Thanks for using the arms race analogy because in cybersecurity that's a fairly common analogy and I align with that.
Ken Kadet: With that. Thank you. We will attempt to use as many common analogies and cliches as we can. So and on we go, why don't we dive right in. We have three predictions we're going to discuss for 2023 and beyond. And the first one we're going to start in on is about quantum computing. And the prediction is IT starts to get serious about post quantum readiness. We know it's coming. Some people talk about post quantum as if it's the next Y2K in the sense that it's a looming issue that could be huge unless we get ready for it. But in this case we actually don't know when it'll be an issue. Right. So Greg, we'll start with you. What, what's going on here with post Quantum? What does the C-suite need to know about this challenge and what you think's going to drive attention to it in the coming year?
Greg Wetmore: I've actually heard this quantum challenge referred to as Y2Q as a reference to Y2K. And the reference to Y2K, that's useful in some ways or that's certainly a call to action. We all remember the investment and time we all took to prepare our systems for Y2K. I think it's also a little dangerous because people remember Y2K as something that didn't actually manifest itself as something that important. I think people forget that there were hundreds of billions of dollars spent preparing for Y2K. Nonetheless, so the quantum challenge really is about the cybersecurity impact that a scaled quantum computer is going to have on today's digital systems. A scaled quantum computer is, it's been proven that it will be able to break the public key encryption systems used across all of our digital systems today to protect our identities, to protect our data, to protect secure transactions. And most organizations, most governments now have come out and basically said it's not a matter of if, but when a scaled quantum computer will be realized that can impact cybersecurity in this way. And so we in the cybersecurity industry are starting to prepare for this transition to what's called quantum safe or post quantum cryptography. And we've certainly done cryptographic transitions in the past. We've moved, for instance, from SHA-1 to SHA-2 hashing algorithms or some systems moved from RSA to elliptic curve, public key encryption. And it hasn't gone very well, Ken. It's been costly, it's been time consuming. Legacy systems have proven to be very difficult to migrate and this transition to post quantum is going to be more complex than those in the past. So organizations need to start thinking about this and preparing.
Ken Kadet: What makes that so complex?
Greg Wetmore: Well, post quantum crypto is going to be, it's not really going to necessarily going to be a drop in replacement for our, say an elliptic curve. There's, for instance, significant performance implications to moving to quantum safe crypto, keys and messages can be much larger, processing times potentially higher. That's just one impact that organizations have to think about. But ultimately most legacy systems aren't what we call crypto agile and transitioning to new crypto systems tends to require new hardware and new software and that life cycle managing through that transition can take significant amount of time.
Ken Kadet: So Mark, how does this resonate to you as someone who's charged with protecting our own infrastructure as well as obviously that of our customers?
Mark Ruchie: It's concerning to say the least. And like Greg had given some examples, just moving from single DES to Triple DES. There was an effort behind it. There's resources, there's programs that you have to do to implement it. There's tech debt, and we're going to find that there's tech debt here for myself as the CISO side of the hat, for me it's more the mechanics of all of the work ahead, besides the concern of the risk of post quantum, it's updating policies to align with NIST publications as they get published, strategy development of resource application development to accommodate this world. And again, as Greg said, PKI is going to be tremendously affected as asymmetric keys that underlies it.
Ken Kadet: So one question I have on this is it's something that it's like every time you read about quantum computing, you hear it's going to be in five years, right? And yet I probably heard that three years ago when I heard that four years ago and we'll probably hear it next year, it'll still be five years. How, I'll ask this to Greg or Anudeep, how do you create a sense of urgency in an organization to say this really has to be-
Anudeep Parhar: I can talk about that a little bit. I think all you have to do is sort of follow the news on some of this. The conventional wisdom is in about 2030 is when we will reach the state that quantum computing is going to be ubiquitous enough that it will cause impact like Greg described. But those times are actually even getting faster. So if you just even earlier in November, IBM just released a new quantum computer which can do 433 qubits, et cetera. So the machines are getting faster. The new technology evolution, even when IBM and other folks who are building some of these computers, and I won't go into too much detail, but the caching algorithms that are being used, they are getting to the point that you can scale these things really fast. And the reason I bring that up as one of the fundamental issues with the scaling of quantum computers outside of just the physics has been yes, there are quantum computers in our midst as we speak, but are they as scalable and generally available? So if you see that gap is closing and all you have to do is follow the news and some of this stuff, so that's sort of how we see it in terms of saying that it's actually going to get accelerated. On the other hand, it is not going to get accelerated, at least in our opinion, for everyone. There are industries that are more susceptible to this or need more preparedness. That's where one of the similarities and differences between the Y2K analogy that Greg had. So for example, if you were to take a look at why Y2K didn't have the impact that we think it would is because companies were prepared, businesses were prepared. So a similar situation here, the more our organizations and businesses prepared, the better they'll be equipped to do some of this stuff. So you don't have to go, you don't jump with both feet in, but organizations need to start preparing because all indicators from a technology and physics perspective are it's going to happen sooner than later.
Greg Wetmore: Yeah, I agree. I agree. Totally agree, Anudeep. If you look at the organizations that are funding research into quantum computing, some of the biggest super scaler tech companies in the world, the Googles and Microsofts and IBMs and then some of the biggest governments certainly motivated to invest in quantum. Almost every certainly westernized government that I'm familiar with has quantum investment strategies publicly announced. The US, China, there's an enormous, well-funded, committed set of companies and organizations investing in quantum and we're seeing very publicly continued advancements. The flip side of that, Ken, is that we have some pretty acute use cases now that call for quantum safe right now. We're talking to our customers about harvest now decrypt later concerns where sensitive data that's traveling over public networks like the internet or wide area network links, it's encrypted, but sophisticated adversaries can harvest that data now in its encrypted form, can save it and potentially decrypt it later when a scaled quantum computer is realized. A lot of that data needs to be secure for longer than that seven to 10 year timeframe that Anudeep talked about. And so again, there's some very acute use cases that call for quantum safe now. Think about some of the embedded devices, medical devices, industrial devices, those that equipment lasts longer than 10 years. Even your car, you buy a car right now, we expect the lifetime of those, that equipment to last longer, the hardware that's inside your computer, hardware inside your car. So car manufacturers are thinking about do I need to be quantum safe now considering the lifetime of my equipment? So there is certainly a call to action here that there are some very acute use cases that aren't seven years away or 10 years away that are right now that organizations have to start thinking about quantum safe.
Mark Ruchie: Right. Storage is cheap, to point harvest now, save for later, storage is cheap.
Anudeep Parhar: If you look at the other end of the spectrum, if you analyze the market from where the investments are going, if you look at some of the VC investments that are going into PQ, just the number of startups and mid-size companies that are developing PQ type infrastructure and post quantum is way bigger than, the ecosystem is way bigger than just the chip. Of course the actual chip is where a lot of R and D and a lot of scale is going, but there's a whole spectrum of tools that need to be built to help customers fix or enhance the risk posture to address for some of this stuff like Greg talked about. I think certain industries, especially in manufacturing where the average life cycle to get a product out is three to five years. They have to think about it today because the opportunity for them to upgrade their devices is not that easy. And if you look at even from revenue projection, the market sizing according to all of the experts is in billions of dollars for a post quantum market. Even the next few years it's up to 400 million to half a billion dollars that is going to be in new revenue that'll be generated from pre PQ tools and this has nothing to do with the actual chip manufacturing. And finally I would say is where we see and the long tail of this is where the investment and innovation is going to come from is, like Greg mentioned and Mark mentioned, PQ is fundamentally going to change the development paradigm. So essentially all of our algorithms for our business applications and technology are essentially limited to the traditional way and the traditional algorithms and limitations of the hardware, the chip. And if that changes, there's going to be meaningful investment in terms of saying how do you change the entire development and software delivery paradigm to address for this new speed that's going to be available to us. So I think a lot of investment's going to go into it.
This is not something that has a finite date that you just flip the switch and suddenly you're post quantum ready, I think it starts with understanding your real estate so you can minimize your risk going into how this will help grow your business because you'll be able to build better software, faster software, and a lot more scalable software as we go forward. So I think there's some really, really interesting things that that'll help drive this.
Ken Kadet: Yeah. And I think you were kind of getting at this, but I did want to ask as we wrap up this topic, if I'm a CEO right now, what should I be thinking about or what should I be asking about how my organization has prepared for post quantum? What should I be doing in the coming year?
Mark Ruchie: It's a formality behind it. It can't be a thing that people are doing on the side. I mean really needs, as Greg has highlighted in a couple different areas, this requires a dedicated and systematic approach because if you don't have a dedicated systematic approach, you're going to find major exposures.
Greg Wetmore: I think we can use the spring in May, the White House released a national security memorandum that basically called on all the US federal government agencies to start the preparedness, start the planning for this now and to be reporting out every year on their progress. I think that concept, that call to action is useful for every organization. I think every organization needs to start thinking about this transition. They need to start thinking about how do they inventory their cryptographic assets, how do they understand where the sensitive data is in their organization and how do they build the policy and the visualization and the orchestration to be able to move their critical systems from traditional cryptos to post quantum. That effort, that sort of step-by-step plan, that needs to start now.
Anudeep Parhar: Yeah, no I agree with both Mark and Greg. Ken, I think that the simplest question I would ask is one is a question, are we as a company prepared for post quantum world? And if the answer is yes, it has to be fast followed by saying how are we prepared? And that's where it goes to what Greg is saying. The first question is to understand your crypto real estate. If you don't understand your crypto real estate, you don't know what to fix. So I think there is a little bit time for organizations to get there, but I think the window of understanding your crypto inventory in real estate is shrinking really fast. So that should be the top of mind questions for CEOs.
Mark Ruchie: What you can measure, you can manage.
Ken Kadet: Exactly. Fantastic. We'll leave that there. Let us jump to our next prediction and that one is that consumer identity protection is going to start to lead to new strategies and maybe even new paradigms. By way of introductions, it definitely seems like big tech has taken ownership of all sorts of online identity. We seem to be overdue for a pendulum swing back to privacy and consumer and citizen control. Just a couple examples, Meta, both Meta and Google recently settled lawsuits related to misuse of consumer data. There was a consumer group that recently sued Apple about location tracking and another suit alleges that Amazon's Alexa devices are actually recording private conversations that the company is monetizing the data. Again, these are lawsuits and allegations and yet these are the companies that are often managing our identities for e-commerce and a lot of other services. So from our point of view, let's look at the bigger picture, what is going on here? What's going on with privacy and identity these days? And Greg, I'm going to start again with you because I know you've been thinking a lot about these areas.
Greg Wetmore: Yeah, so one of the things I'm certainly not willing to think is going to change is that it's been proven again and again, consumers are willing to share their personal data in exchange for services they value. That's sort of fundamental to our digital lives today and I'm not sure that changes over the next year. I think what you were starting to zero in on though is that the consequences of misusing that private data are continuing to grow and I think the expectations consumers have on being able to consent to how their data's going to be used and have the transparency around what data they're sharing and how it gets used. I think that's certainly going to be a trend that continues to grow in the coming year. One area of technology that I think is pretty relevant here is this is the growth in an area of technology that's called decentralized identity or self-sovereign identity. And this is sort of some emerging technology, emerging standards around how trusted digital identities are created and managed, leverages some pretty interesting distributed ledger, some blockchain technology. So some of the security mechanisms and trust mechanisms come from the blockchain world. It calls for consumers being able to manage their identity data and digital wallets, for instance on their mobile devices and builds in sort of consent mechanisms and other things that allow consumers to have better control over their digital identities and the data they share. And then it incorporates some really interesting privacy preserving technologies like zero knowledge proofs that allow you to disclose information about your identity potentially in a privacy preserving way. For instance, maybe I want to disclose that I've passed the age of majority so I can go to a bar or vote in an election, but I can potentially do that without actually disclosing my birthday. Just that in fact I am over 18 for instance. 
That's a good example of a zero knowledge proof that allows you to share an attribute about your identity that's still preserving the privacy that comes with that personal data.
Ken Kadet: Where do you think we're headed with that? Is decentralized identity, self-sovereign identity, is that stuff that we're going to, where are we going to start to see that in the real world or is it starting already and are we seeing it already in blockchain and cryptocurrency?
Greg Wetmore: So that's a common misconception. I think decentralized identity really doesn't have anything to do with cryptocurrency. So when we say blockchain, we don't actually mean Bitcoin. We're talking here about blockchain as a potentially useful paradigm shifting technology piece of infrastructure. So yeah, don't confuse the two. I think we're starting to see just this is definitely emerging tech, it's not mature yet. We're not seeing it widespread use, but areas like the European Union are really active in progressing the standards and defining the protocols and interfaces and data formats. And so I suspect we're going to start seeing it first in some of the government digital identity space, probably out of the European Union area. But it's certainly, I think it's going to spread into other aspects of consumer identity. Enterprises that interact with consumers or partners are going to have to start thinking about some of the concepts that are coming forward with this decentralized identity technology.
Ken Kadet: So it's sort of about literally giving or assigning to consumers more responsibility in some ways.
Greg Wetmore: Yeah. Well that aspect of being able to consent, to be able to control your identity and consent to how your data is used, what data is being shared and how it's being shared. That's a big part of the technology development that's happening in the identity space right now.
Anudeep Parhar: I think that's a really a topic that's at interest at least that's very sort of close to how we think about identity and the importance of privacy and compliance and regulatory frameworks. I think especially with the next generation entering the workforce and how they conduct e-commerce and everything else, I do think privacy is going to be extremely important to the citizens of the world, so to speak. It's going to be a lot more important. To Greg's previous point, I think the technology, the concept of decentralized identity or what used to be called bring your own identity, it's not new. It's always been, if you go back when Facebook and Twitter were invented, there was a whole push for using your social identity as a login mechanism, so to speak, for every place. Then we have Yahoos of the world and Gmails and a Microsoft which assigned free identity, so to speak, that you can use to access different resources. I think the idea has been there, now it happens to be, or at least we believe that blockchain is one of those technologies that can enable the distributed nature and the decentralized nature. You could easily do it in a physical database as well. It's just not cost effective and it doesn't have the peer-to-peer type constructs that are needed. But practically speaking, to answer your question directly, Ken, I expect that coming to an Amazon page near you very soon you will be able to use decentralized identity to log in and just share a minimal but needed information to buy stuff. Today you have to share a lot more information than you're probably required to just conduct e-com. So I think those are the places you are going to start seeing subtle changes emerging. You could use your username password or you could just bring your phone with a decentralized QR code, which is pre approved for say e-commerce transaction. 
So I think the controls are going to shift back to the consumer and especially the commerce part of the ecosystem is going to start adopting to that.
Mark Ruchie: I'm the big fan of self sovereign identity, but I'm a little bit of a cynic for a couple reasons. One, I'm the security officer. Two, people dislike friction and they eventually will move to where there is less friction. Doesn't mean I don't think that this is going to be great tech and will work in components, but like you had talked about earlier, this is an arms race and if you go back 2000, 2500 years ago, someone would come out with a new capability, the adversary would spend years figuring out a way to get around it. This is just another form of an arms race for the bad actor. The data analytics tools that are out there, the future, we don't know how wickedly smart those are going to be. Privacy, obviously that's going to set the policy I believe for a lot of these and it's globally. Europe has generally set the example. Here in North America, Canada and California tended to be on the front end of that, but in the meantime you're still seeing all of these major data breaches around the globe where all of the data's going out the door anyways. If you look at a lot of it in North America, Europe and Australia right now, two major breaches in about the last six months looks like 20 million or 25 million people lost their private data. So that's still going on. But I'm a big fan of this, but I'm also a little bit of a realist, I think.
Ken Kadet: It does seem like you, to Greg's point to start with, that consumers will trade information for services, ease, security, and there's a good percentage of people who aren't just aren't going to let themselves be that concerned about privacy in that sense, if it makes their lives harder, which in some ways is unfortunate. In some ways, does that put more responsibility on technology companies to make this more important for people?
Greg Wetmore: Yeah, I think there's no doubt and the evolution of the regulatory environment is certainly recognizing the obligation that companies have to protect and preserve private data. You talked about California, you talked about GDPR and the European Union, but yeah, the focus on the regulatory environment around PII I know is going to continue from getting stricter and stricter with more significant penalties. It's sort of what the voting public who vote the governments in these jurisdiction and are demanding.
Ken Kadet: That definitely makes sense. So looking ahead, looking ahead to the coming year for IT and business leaders, what are some things that you should be thinking about in terms of how you are looking at privacy and identity in the coming year and how that's going to be changing based on the way that the world is changing?
Greg Wetmore: One of the things you didn't talk about, Ken, is identity verification. We're sort of seeing the Twitter blue check mark experience in the forefront of public debate right now. And that's really all about ultimately identity verification. When you're going to issue an identity to someone or a verifiable credential to someone, how do you know who they are? So I can see some developments in that space coming. There's some really capable technology today, very usable with great user experience that allows you to, with your mobile device, to take a selfie and compare it to your physically issued government identity and establish with a strong connection to who you actually are, your digital identity. So that's an area I certainly see as continuing to evolve in the coming year and being more and more important aspect of the digital identity ecosystem.
Ken Kadet: Well, and it's really interesting because I think there's so much, we put so much focus on your commercial identity, what you're using to buy things or your citizen identity, what you're using to access government services we put with Twitter, it's really all about in some ways your reputation. The last topic we're going to tackle, Anudeep, were you going to say something?
Anudeep Parhar: Yeah, I was thinking about the right time to insert this. I think what Greg talked about identity verification and validation, I think just for the audience, I think one way to look at it more conceptually is irrespective of centralized or decentralized identity ecosystem, I think the act of validating an identity before it can be used is not going away. So I think we are going to see a lot more focus as we go into that irrespective of how the actual activity happens, if it is to decentralized or to centralized mechanism, which in my opinion is going to be hybrid. I don't think it's going to be a singular, it's just the whole ecosystem will get bigger with both centralized and decentralized. But I think the need for identity verification and validation is going to continue going up. It could be simple things like getting your national identification or password passports or even going to say that either I need to be able to use a decentralized QR code, to Greg's previous point, to be used at a bar or a voting booth. So all of those are going to require some sort of validation verification upfront and I think that's going to be a key driver for how the ecosystem evolves.
Ken Kadet: That's fantastic. So let's jump to our next topic. Prediction, an organization's security posture is becoming a board level priority. And this kind of takes us back to where we started the potential for operational interruption, financial loss, brand damage have moved the enterprise security posture to the top of most board agendas and we think that's going to continue. Most corporate board members understand the ubiquity of cyber attacks. The idea of, it's not a matter of if but when an enterprise will suffer a breach. Anudeep I'll start with you on this one. How is the corporate board evolving the way it looks at a company's security posture?
Anudeep Parhar: So I think that that's evolving in the right direction from my perspective because I think that with the proliferation of digital transformation, and so the, I'm doing air quotes, like every business is a technology business now, technology is a critical part. IT does matter in terms of how we run a business and how we grow a business irrespective of if you are in the technology business or not. So with that comes the burden, so to speak, on boards, not to just look at how you are adhering to the values of the company as well as servicing your stakeholders, but also are you, as a board, do you have a risk posture understanding which enables continued growth and delivering to the company's stakeholder. So it's becoming an increasingly important part just like any other mechanisms such as diversity, DEI or having technology background. This is as critical as some of those vectors, so to speak for a company's growth. So you're seeing a lot more boards embedding cyber risk and remediation into their strategic plans. This is going to continue to increase as people are going to start embedding this as not just a risk reduction or a cost to reduce risk, but also as an enabler to grow. Especially as you see a lot more new business opportunities are going to require that companies have a very robust cybersecurity risk posture and resilience in the mechanism. So it's going to become a growth enabler rather than just something to protect your assets. Business to business transactions won't happen unless you have a very strong cyber risk posture. So I think this is going to become a growth enabler. The second thing is either I think you're going to continue to see the strategic funding that's going to keep going into it, either with the technology, the way it's exploding and the way the multi-cloud world is expanding.
More and more businesses are conducting a lot more business in multiple clouds that deliver value to their customers and partners through multiple clouds. In order to secure those multiple clouds, you have to put a lot more investment. So the investment that goes into cyber risk posture management as well as cybersecurity and cyber resilience is more and more directly in relation to the growth of the company. And finally, I mentioned the word a couple of times, I think the shift at boards is happening. I think Greg mentioned it and Ken you mentioned it. I think there's a realization that given the economics of hacks and threat events, it's not a matter of if, it's a matter of when. Organizations will get hacked. There is a normalization that's happening in the industry. So more and more boards are pushing their management teams as well as their charters to say how to be resilient, how to continue business continuity, how to keep making sure we can service our customers when you are attacked by threat actor rather than purely focusing on saying how do you protect the said attack from happening. So those are the kind of things that I see that the boards are doing right now and there's a lot of awareness around this stuff and the proof points are right in front of us.
Ken Kadet: Yeah, totally makes sense. From that certainly seems to change the role of the CISO or at least have enough impact on the role of the CISO. What are you seeing there, Mark?
Mark Ruchie: Actually, Anudeep stated it quite eloquently where I would kind of jump to now this is in the US but the SEC currently has a proposed amendment out there today and it's actually a massive amendment and it's so it's for for-profit companies, but what generally they all follow what the SEC is going to say in the US but this is the standards that be regarding standardized cybersecurity risk management strategy governance by boards included in there is that the boards are supposed to have a cyber security aware person on the board. So not only are they asking for, traditionally boards were finance people, entrepreneurial people, which still are, but they're saying you need to have, if you're going to be a public company, you need to have or a cyber aware person, you also need to have a consistent way of measuring cyber risk because it's representing a significant danger to the investor base. So I see that as a way to provide a standard base regardless of where you're going today, because challenges with security programs anywhere today is they're either based on the service you offer, healthcare in the US had HIPAA, if you're a bank, Gramm-Leach-Bliley, different countries, they have different regiments. This would actually be getting a baseline saying no, all that's important, you still need to support it. But a fundamental basis of for profit organization needs to include cybersecurity and it needs to include a standard way of reporting those metrics out. Because right now the metrics to boards are all over the place. So I think it's exciting, but it's also, it's moving it into the more clearly into the business risk side of the house.
Ken Kadet: So Mark, in some ways it's kind of counterintuitive that the CISO is thinking of themselves or thinking of security as a potential growth driver. What does that do? What does that do when you think about the role or you think about the mindset of the CISO these days?
Mark Ruchie: Well, traditionally the role of the CISO was make sure we're not hacked. And the way that happened is putting friction into the business. And everybody kind of talked about you need to find that fine line between, don't put too much friction in because the operators, the development teams, they're no longer able to produce product and you can't make profitability. A lot of that has flipped around upfront. When I think about it from just revenue generating contracts, everybody now puts in significant security obligations that you need to test you upfront in order to do business. So as opposed to looking at it from your job is to make sure the windows are locked and shut, the doors are shut and nobody can come in through that side entrance to you're actually out there enabling, this is part of the enablement of your services. Doesn't matter where you are in the industry today.
Greg Wetmore: I think the other angle there, Mark, is that cyber really when it's done well is a business catalyst. It's an opportunity to enable business transformation, digital transformation. Anudeep talked about how every company now is a tech company and cybersecurity now is a part of almost every employee's job. It's a part of that job. So that concept of cyber as a business catalyst is very powerful and it's real.
Mark Ruchie: Yeah, I would kind of equate that in the old world quality into your manufacturing that cyber is to tech today, if that's a good analogy.
Greg Wetmore: I think it is.
Ken Kadet: So Anudeep you finished, when you talked a bit about resilience and resilience can go extreme or can go very flexible. Well, how do you determine the right level of resilience that an organization needs?
Anudeep Parhar: I think so it's a very interesting question from the perspective that there is no definitive answer, but in order to run your business, this gives an extreme amount of clarity in terms of understanding what are, so to speak, the top tier applications, data, colleagues, employees, processes that you need in order to run the business. So the resilience has to focus on that first and then move on to good to have and other types of items that need to be maintained. This used to be the traditional concept of business continuity planning, but it was more focused on sort of physical aspect of businesses. Cyber resilience is a little bit more in terms of putting new technology in place. So if your core technology infrastructure is under attack, you are still able to service your customers and service your colleagues. So principally, the way we look at it is there's two constituents that every business has. The employees and the customers. You have to make sure that technologies are resilient which service your customers, and then the core colleagues that are needed in order to service those customers are part of that mix as well. So there is a hierarchy that you have to build and make sure that technologies are available and resilient from that perspective. And this is not just applications, it involves data processes, even laptops and workstations, et cetera that are needed to access.
Ken Kadet: So with boards paying more attention to this, what impact do you think it's going to have in the real world across the business landscape in terms of boards paying attention more to cybersecurity? Will it change things for people or it will become a sort of check the box exercise for some?
Mark Ruchie: I think we're going to start to have consistency. Today, you have programs all over the board, some are really mature and others are next to nothing. I think you'll start to see a consistent approach across the board.
Anudeep Parhar: Agreed. And I think the upside of all of this is going to be as cyber resilience and the security organizations become a more critical part of the business, I think there is an entire sort of continuum of talent that's going to be needed. This is not just a back office exercise only. More and more leaders are going to have to be a lot more business savvy, a lot more customer savvy and technology and security leaders are going to have to understand how companies make money, what some of the risks are. So I think this is a good evolution from a talent and leadership perspective in companies as well. And I think that's top of mind for a lot of boards as well at this point.
Mark Ruchie: Traditionally, technologists, particularly security people viewed the world in a technical risk, but that isn't the view. You need to view it from a business risk. And suddenly cyber is also becoming a critical business risk and it needs to continue to develop. And as Anudeep said, that's how you figure out how your companies are making money.
Ken Kadet: Absolutely. Well, let's wrap things up with one more prediction from each of you. What are you expecting to see in the coming year? Mark, why don't you go first?
Mark Ruchie: I would love to go down something really thoughtful about the cloud. I kind of thought about ransomware that 2014 we thought ransomware we had figured out and it continues to get worse and I was going to make something pronation that they're going to get over ransomware finally. But actually I think kind of the topic we've been talking about post quantum, I think Moore's law is no longer going to be Moore's Law. It's going to be something different. And what that is going to be, I don't really know, but I think that's fundamentally going to change and business needs to change with it.
Ken Kadet: A new version of Moore's Law. That's a good one. How about you, Greg?
Greg Wetmore: Yeah, so I can't let the question pass without also plugging quantum as an area that's going to evolve quickly in the coming year, but I think your intent was to bring another topic to the table. I think the focus on sustainable technology, green technology is going to be a rapidly growing trend. But the angle I think that I'm watching for is the concept of green washing, representing your products or your service as greener than it really is, and people being really sensitive to that in the coming year. Yeah, so that's an area I'm looking for more progress.
Ken Kadet: We'll look for a future podcast and commentary on that one. Anudeep, we'll give you the last word on that.
Anudeep Parhar: Unlike my colleagues, I'm going to stay very lo-fi actually. Yeah, I think if you look at 2023, I think there's two things. Either I'll give you a prediction A and prediction B and see where we ended with that. I think we should get ready to see that, especially in this economic cycle, the government regulations are about to balloon. I think the regulatory environment is going to get extremely, extremely difficult and either related to it is the acceptance and finally set implementation of what is referred to as zero trust. I think where the world is going, I think friction is going to be back in vogue and either security's going to take center stage in terms of saying assets need to be protected. So those are the two things that I see very tactically in 2023 that are going to take center stage.
Ken Kadet: I think that's great. Easily things we could dive in more today, but we won't. Hopefully people looking for future episodes on these topics. Okay, really quick, we're, we're recording this just at the start of the 2022 World Cup, who's going to take it?
Mark Ruchie: I'll go with the favorite, England.
Ken Kadet: Anudeep?
Anudeep Parhar: I hope it's Messi, man. I hope it's Argentina.
Ken Kadet: All right, Greg?
Greg Wetmore: Well, I'm Canadian and Canada is in the World Cup for the first time since the 1980s I think. So I'm going to have to go with the dark horse and my national pride and hope that Canada at least does well, but surely a long shot to win, but we're cheering for Canada.
Ken Kadet: All right. There you have it. So whenever you're listening to this, you'll see how well they did and perhaps discover that whether our talents lie in cybersecurity or in sports predictions. So with that, thank you everybody. This has been a really fun conversation. Hope you enjoyed it as well. The Entrust Cybersecurity Institute shares news analysis, insights and commentary just like this for IT and business leaders who are charged with protecting and enhancing IT infrastructure. We are leveraging insights from Entrust, a global leader in protecting identities, payments, data, and infrastructure. Check out our show page for notes and links to the content that helped inform these conversations. Our podcast today was produced by Steven Damone. If you have comments or questions or ideas for our podcast, write us at cybersecurityin[email protected]. And thank you all very much for listening.