The quantum revolution is coming to the financial sector. Debbie Janeczek, Global Chief Information Security Officer, ING, is preparing for it and says the rest of the sector should, too. She suggests starting with building leadership’s awareness of quantum risks, inventorying algorithms, and developing the skill sets needed for post-quantum cryptography. Those moves, among others, will help financial firms be ready when the quantum revolution arrives — and it’s getting closer every day.
Transcription (edited for clarity)
Elizabeth Heathfield, Chief Corporate Affairs Officer, FS-ISAC: Welcome to FS-ISAC's podcast, FinCyber Today. I'm Elizabeth Heathfield, Chief Corporate Affairs Officer at FS-ISAC. Nobody really knows when quantum computing will become a reality, and many financial firms take the view that it's a problem for tomorrow. But Debbie Janeczek, Global CISO at ING, makes a very strong business case for why we need to start preparing for the quantum revolution today.
Heathfield: Thank you so much for being here. I'm excited for this conversation because we have had a couple of conversations on the more technology side about post-quantum cryptography and quantum computing. With all the things that CISOs need to be thinking about right now, why should they dedicate time, resources, and consideration to PQC and quantum computing?
Debbie Janeczek, Global Chief Information Security Officer, ING: Because it's going to be a long journey to get to the cryptography, the secure algorithms, and get those rolled out into your system. You have to start from scratch. You have to start first from awareness — what is it? How is it going to impact us? And getting your leadership on board with why they need to think about it. And it shouldn't be a security-led function. It should be led from the top because it impacts the whole company.
So first getting awareness across the company. And then once you get that awareness, you have to know where your cryptography is. You have to have an inventory of your cryptography throughout the company.
And how do you do that? There's going to be a lot of manual work. There's going to be automation that you can use to find your cryptography. And how do you assess what you need to secure first? You're going to have to use a risk framework — what are the crown jewels? What would be the biggest impact if that cryptography failed? Would it be in finance? Would it be reputation? Would it be customer data? All of those things have to be taken into consideration when you're doing your inventory across the organization.
But you can't do one-and-done. As new systems, applications, and processes come in, you have to update that inventory — annually at least — because there's going to be new cryptographically-safe algorithms that come out. You're going to have to know where that is. So you're going to have to have a risk framework. You're going to have to put it into your governance to keep that inventory updated for the future.
Heathfield: Would you say that this whole preparation for the post-quantum age is a parallel effort to everything else that you're doing? Or do you embed it in, for example, third-party risk management and the other kinds of risk management frameworks that you already have?
Janeczek: It can be both. It depends. Some companies have a dedicated team; they are dedicated to driving [preparation]. Depending on how much head count you have, if you can do a separate team, you might have to do parallel efforts. I think it should be, like I said, company-wide. Once you get the buy-in, there should be terms of reference developed. There should be a working group that includes architecture and production — especially production, because they've got a lot of the crypto. Once you get [preparation] into the company it needs to be company-wide so that every piece of the company has to do a parallel effort. Or have a separate team dedicated to it.
Heathfield: You mentioned ‘once you get the buy-in.’ How would you suggest that CISOs and others who are at the forefront of this go about securing buy-in from the very top when there are so many other competing priorities for resources?
Janeczek: You have to lay out the argument very carefully. What I've seen some companies do, what I've done in the past, is bring in experts and do tech talks. You do articles. Some of the research institutes have really good articles on how companies need to be prepared and why it's important. You have to have the conversation. CISOs have the floor with their executive committee, with the board. [Preparation] needs to be integrated into those conversations so that you get that awareness.
Heathfield: I was going to say, when you think about qubits and physics and all this kind of thing, probably for your average C-level executive, this is not something they’re spending a lot of time on. So what balance do you strike between giving them a bit of an understanding of the technology and the technical challenge there, and the business impact that the technical challenge is going to have?
Janeczek: I think it's just a story of ‘here's our PKI [public key infrastructure], here's what would be impacted, and here is what the result would be if we weren't quantum ready.’ So I think it's a very easy story without even going into qubits, because myself and qubits — we’re not friends. But it’s an easy story to tell, I think, when you have the inventory with the crown jewels and you can use that as a story of the impact.
Heathfield: You mentioned third party, but I think it'd be interesting to think about that. One of the biggest challenges facing the sector, obviously, is managing third-party and supply chain risk writ large. How are you thinking about your conversations with your suppliers and making sure that they are also thinking about moving towards a post-quantum future?
Janeczek: I actually think this is one of the easier parts because as a CISO-organization — and for companies writ large — we’re already dealing with third-party risk management. We're already looking at how do we manage third parties? Who are our most strategic third parties, our most critical third parties? How are we making sure that they have their security in place? And there are regulatory questions — how are we securing our third parties? Can we pen test? We're looking at their security plans, and putting information in their contracts to make sure they have a security program.
This is just another step in that process. It doesn't have to be a whole separate process. It can be implemented into your already established governance process for your third-party risk on what you are doing for post-quantum cryptography.
I think it's our responsibility to work with our closest vendors, our most critical vendors, and have that conversation, asking what is their roadmap? What is their timeline? What are they planning? Are they looking at it yet? And also partnering with them. You know, we have old systems, new systems. How are those going to be impacted when you're rolling out these new algorithms? You can use your third-party partners to help test those before you roll them out. So I think it's a partnership, but also a contractual obligation, that they need to be prepared for post-quantum cryptography.
Heathfield: So you said that that was easy and I see why, because you're already having to do a lot of this anyway.
Janeczek: Well, the conversation might not be easy. The governance is already there.
Heathfield: Okay, so what's the hardest part? Not necessarily specifically in your organization, but sector-wide, what are you finding is actually the hardest part about getting this ball rolling?
Janeczek: I think the hardest part is — you know, I've heard many different things like, ‘we gotta move, we gotta move, we gotta move.’ I've heard some CISOs say, ‘It's not coming. We don't need to.’ Coming up with arguments why [quantum computing] is probably never going to come to fruition.
But you don't know. And are you preparing too early? Or are you going to be preparing too late? So it's getting that sweet spot. And we don't know what that sweet spot is because we don't know when it's going to be here. I think the hardest part is that we're going to have some organizations preparing, and we're going to have some that are not. And as a financial sector, we're kind of in a team game here. I think getting that balance across the sector and getting the awareness across the sector, that is what the biggest challenge is going to be.
Heathfield: FS-ISAC has a post-quantum cryptography working group, very active, very prolific, putting out papers left and right, because we realize that this is more than even a sector-level challenge — but it’s certainly a sector-level challenge. My question is, what is the balance between what an individual firm needs to do and the education that they need to have, and this sector-level effort? How do you think firms should best utilize what is happening on the sector level to get things going within their individual firm?
Janeczek: I think we have to [find the balance]. It’s a new skill set. A lot of people don't have the skill set — the vendors don't have the skill set — so we're kind of learning and preparing to get there together. We have to use the research institutes that are already doing heavy research, and do our own research, pulling from different research bodies, universities, working with them. A lot of them have test labs where they're running their own tests on quantum and then post-quantum cryptography, actively testing the new algorithms that came out from NIST. Getting involved in that, if your company can, getting involved with the vendors to do testing — I think that is probably the best area to start pulling in that skill set.
It's going to be hard to hire for it. How do you find the skill set? You're going to have to make sure that you have some dedicated folks who are researching and getting spun up on that to get that skill set where we need it to be. [The skill set needs to] go over to developers, who are going to be implementing the new algorithms. They're going to have to learn and get spun up. We have to make sure they're prepared on the knowledge they're going to need to roll out new post-quantum cryptography.
Heathfield: What are the consequences of not getting this right?
Janeczek: Yeah, I think those could be significantly very, very large.
So if you think of PII, if there is a breach and your PII [personally identifiable information] is impacted, you have customer trust [loss]. If you think of where your crown jewels are in your protected production area, if those are not protected and you're in the news and you're behind the power curve on having the new algorithms rolled out, how do you then catch up after you've been impacted? If it's a small company, is that recoverable?
Heathfield: What else do you think that your fellow CISOs and security teams need to understand about this now? To try to make it happen and get people on board?
Janeczek: I think one of the things is, it's not a Y2K. It's not a one-and-done. It is going to be continuous. And I think that we need to collaborate as an industry to tell the same story across companies. So when senior leadership talk, and they do, they're all getting the same information so they all know how critical and important it is. I think that's the best thing we can do as a partner. And we're doing that with FS-ISAC and the working groups. I know there are several different financial institutions that are involved in that and using their expertise to help share that information out to the sector. I think we continue that. And the CISOs need to be aware and support their teams in doing that as they're driving this knowledge within the company.
FinCyber Today is a podcast from FS-ISAC that covers the latest developments in cybersecurity, contemporary risks, financial sector resilience and threat intelligence.
Our host Elizabeth Heathfield leads wide-ranging discussions with cybersecurity leaders and experts around the world who bring practical ideas on how to confront cyber challenges in the financial sector, improve incident response protocols, and build operational resilience.
© 2025 FS-ISAC, Inc. All rights reserved.
Debbie Janeczek joined ING as CISO in January 2025, previously serving as CISO at Swift since August 2023. Before Swift, Janeczek served as SVP and technology executive at Wells Fargo, overseeing the company-wide cyber threat management strategy. She held additional roles at American Express and various government security positions, including at the National Security Agency.
Elizabeth is a storyteller at the intersection of technology and money. Layer in geopolitics and the criminal underworld and you get today's issues in cybersecurity for the global financial system. Crypto. Web 3.0. Quantum. AI. Ransomware. Privacy. Regulation. Zero-days. Supply chain attacks. Developing new and diverse talent. How to protect the future of money. These are the topics Elizabeth asks top executives and experts in the field about on FinCyber Today.