For most CISOs who think about quantum technologies at all, they are a vague consideration for a day far in the future. It is hard to prioritize them when we have so many concerns we need to deal with today. Investing resources in quantum technology now seems like a long game we simply cannot afford to play. However, while quantum computing may still be in the early stages of development, there are several other quantum technologies already in use that are relevant for CISOs in financial services. We ignore them at our peril.
Success in financial services is based on our aptitude for prediction, risk modelling, and optimization. For security teams, this includes functions like fraud and intrusion detection. All of these use algorithms based on linear algebra to crunch data and spit out answers. But because of the limitations of compute power, we must include assumptions in our models that limit their accuracy in order for the computer to actually be able to do the calculations. Quantum computing promises no such limits, which means more accurate models that arrive at answers exponentially faster than the most powerful classical computers in existence. What financial firm wouldn’t want that?
Of course, quantum computers come with new risks, the most obvious one being their potential ability to break cryptography. It is not correct to say that information security people secure assets. What we actually do is put off access to assets for such a long time period that the data will no longer be relevant to potential threat actors, i.e. a million years. Current cryptography relies on the assumption that cracking the code is computationally difficult. But that assumption falls apart with quantum computers.
Beyond cryptography’s use in standard information security, cryptocurrencies like bitcoin are (currently) built upon the premise of mining – using computing power to find the correct random numbers that solve a complex equation. Solving these puzzles is what adds new blocks of data to the ledger of bitcoin transactions (i.e. the blockchain). A large enough quantum computer could speed up mining exponentially and potentially break the cryptographic keys of bitcoin wallets. With digital assets becoming part of the mainstream financial ecosystem, security teams will need to understand how to protect them in a world where threat actors have access to quantum computers.
Here is how CISOs can start preparing for the quantum age now:
1. Familiarize yourself with the spectrum of quantum technologies now in use, and by the time quantum computing is real, you will not be taken by surprise.
2. Leverage quantum in your own security measures. Prioritize crypto agility and include quantum from now on in all lifecycle management decisions and procurement procedures. Many software providers are already doing it – so you may be implementing quantum-safe solutions without even knowing it. This will become even more urgent as digital assets and cryptocurrencies, which rest on the premise of secure cryptography, gain wide adoption across financial services.
3. Learn how to protect quantum technology, because your business will use it and you will be asked to secure it. Consider questions like how to ensure integrity of quantum assets.
4. Get access to quantum talent. If you cannot hire quantum expertise directly, partner with universities or tech companies to make sure your technology and security infrastructure keep up with quantum advances.
As always, your adversaries will use the tech sooner than your business. Also be realistic: quantum technology will be part of every CISO’s roadmap, but the same holds for many technologies, so quantum technology should not be your only strategy.
We have seen over and over that technological development is itself a stronger driver than the economic, political, and social implications of the technology. If we can develop it, we will, simply because it is possible. Quantum brings with it the potential for a wholesale change in how we do business, but for now, that change is slow. That gives us time to think strategically about its implications and plan accordingly. But that time will be up before we know it. We must act now.
Although the arrival of general purpose quantum computing is still several years away, CISOs ignore quantum technologies at their peril. Several relevant quantum technologies, such as communications, sensing, and random generators, are already in use. CISOs should familiarize themselves with current quantum tech, start including quantum-safe solutions in their lifecycle management, focus on improving crypto agility, and prepare today for the implications of infinitely more powerful computers.
© 2023 FS-ISAC, Inc. All rights reserved.
Dr. Martijn Dekker was appointed Chief Information Security Officer (CISO) of ABN AMRO in early 2014. In his role as CISO, Martijn is responsible for defining, overseeing and implementing the information security strategy, including identity & access management, security operations and e-fraud prevention within the ABN AMRO group. Martijn joined ABN AMRO in 1997 after completing his Ph.D. in mathematics at the University of Amsterdam. Alongside his role at ABN AMRO, he is a member of the supervisory board and chair of the audit committee of Stater N.V. He is also a member of the advisory board of the NCSC and of the advisory board and chair of the ICT subcommittee of CBS (Statistics Netherlands). Since early 2020 he has been a part-time visiting professor of Information Security at the University of Amsterdam.