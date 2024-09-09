BY Kevin Weiss4 minute read

As the clock struck midnight on December 31, 1999, the world held its breath fearing the Y2K crisis, also known as the millennium bug. This potential catastrophe threatened global chaos. Yet, as the new millennium dawned, disaster was averted not due to the non-existence of the threat, but because of meticulous planning and diligent preparation by forward-thinking business leaders who framed it as a risk issue rather than merely a technological glitch.

The threat of the Y2K bug arose from a simple oversight: Computer systems abbreviated four-digit years into two digits for the sake of convenience. As many systems transitioned from ’99 to ’00, crashes loomed unless they were patched and updated. Financial institutions, utilities, and even nuclear infrastructure faced potential havoc. Today, a similar challenge looms without a specific countdown date. THE LOOMING 90-DAY APOCALYPSE

Subscribe to the Compass newsletter. Fast Company's trending stories delivered to you daily Privacy Policy | Fast Company Newsletters

Enter the looming 90-day mandate from Google, requiring SSL/TLS certificates—the foundation of web security—to be renewed quarterly. While enhancing security, this mandate poses operational challenges akin to Y2K: ensuring timely updates and patches. Failure to update could lead to dire consequences—websites listed as insecure, system outages, network vulnerabilities, and breaches across critical services like banking, cybersecurity, and utilities. In fact, we don’t have to imagine too hard—we have already seen some of the biggest services in the world like Microsoft Outlook, Google Voice, and Starlink all suffer outages due to out-of-date certificates, and this is before the timeframe to update certificates was truncated to 90 days.

With digital certificates proliferating everywhere, organizations of every size must now ensure their certificate renewal processes are fail-proof to avoid service interruptions. MORE CHALLENGES ON THE HORIZON Why the condensed timeframe? The impending arrival of Quantum computing, which promises a leap in performance that will render current cryptography obsolete.

If an organization isn’t ready for the 90-day certificate lifecycle and eventually even shorter time frames, it will suffer outages impacting its websites, networks, and infrastructure. Depending on what stops working during these outages, it risks being even more vulnerable to cybercriminals, who are able to steal sensitive data that they can use immediately or stow away until they have access to quantum computers. HOW LEADERS CAN RESPOND All of this may sound pretty bleak, but similar to the situation with Y2K, there is a clear path to addressing the problem: organization, specifically by establishing a cryptographic center of excellence (CCoE). And just as business leaders were the heroes of Y2K, today’s leaders must drive these initiatives to ensure top-down security management decisions are made effectively.

A cryptographic center of excellence is an organizational hub that focuses on the strategic implementation of cryptography within an enterprise. This centralized hub ensures compliance, security, and agility in cryptographic practices, critical amid rapid technological shifts. Automation is essential; reliance on spreadsheets won’t suffice. Here are the steps to establish a CCoE at your organization: 1. Assess the current state of your cryptographic practices.

Start with a comprehensive audit of all cryptographic tools, certificates, and protocols in your organization. Evaluate whether these practices meet regulatory and industry standards and use automated tools to identify any gaps, such as unmanaged or expired certificates. 2. Involve the necessary leaders. Engaging key stakeholders during and after the assessment is critical to first getting a complete view of your organization’s cryptographic health and then to ensuring alignment with existing systems and security policies, not to mention legal and compliance requirements.

advertisement

Leaders in IT, cybersecurity, compliance, legal and even HR should be included to make sure everyone is on the same page and that solutions are rolled out with all the necessary boxes checked. 3. Define a clear vision. Once you know where your organization sits and your leaders are all on board, define a clear vision and goal. This will be slightly different for every organization, but nearly all of them will include things like enhancing security and enabling digital transformation.

Another common one is ensuring regulatory compliance. The vision should include measurable objectives that are focused on cryptographic agility, reducing risks, and automating processes. 4. Sort out the budget. Establishing and maintaining a CCoE requires a substantial budget to cover both initial setup and ongoing operational costs. However, the cost of not doing so will almost certainly be much higher.

Personnel resources will need to include a team of skilled cryptographic experts, cybersecurity professionals, and dedicated staff for administration and support functions. Additionally, budget will need to incorporate regular training programs to keep staff updated on emerging cryptographic techniques. On the technology side, an investment in updated hardware and software that can support cryptographic operations is also needed. 5. Buy the right tools. A variety of tools are needed. These include:

Advanced cryptographic management systems that handle key generation, distribution, and lifecycle management with high security

Hardware security modules (HSMs) for secure key storage and cryptographic operations

A robust public key infrastructure (PKI) solution to manage digital certificates and facilitate secure communications

Automation tools for cryptographic operations, such as those integrated with identity and access management (IAM) systems to streamline tasks like encryption, decryption, and compliance reporting. 6. Set KPIs. To measure the success of a CCoE, key performance indicators should include metrics such as the effectiveness of cryptographic solutions in mitigating security incidents, which can be tracked through the number of vulnerabilities discovered and addressed. Another important KPI is the compliance rate with relevant security standards and regulations, reflecting how well the CCoE adheres to required practices. The efficiency of key management processes should be measured by evaluating the time taken for key generation, distribution, and rotation.

Additionally, the CCoE’s ability to support and enhance your business operations can be gauged through user satisfaction and the successful integration of cryptographic solutions with existing systems. Lastly, tracking the frequency and impact of cryptographic training sessions, and their contribution to staff expertise, is crucial for assessing the ongoing development and effectiveness of any CCoE. SECURING THE FUTURE