Vince Berk is the Chief Strategist at Quantum Xchange, a post-quantum crypto-agility provider. Ph.D. in AI/ML, founder of FlowTraq.
For most of my professional career, I have been a big fan of and successfully used John Kotter’s change management process and its eight stages to deliberately drive and effectuate change in larger organizations.
As security professionals are eyeing a large cryptographic migration, there are some important lessons to be learned from Kotter’s process, and valuable observations that can help you drive this process forward in your organization.
Cryptography is under siege from many sides, but this realization is not universal. The first step in any change management process is creating an awareness of the problem with a critical mass of individuals. The value of information and the risk in its disclosure is often seen as a long-tail risk, which is a mistake.
Bugs in software, leaked certificates, poor passwords, and even esoteric risks in weak entropy and the quantum computer all contribute to a breakdown in confidentiality. When cryptography breaks, credentials can be stolen and information can be harvested. In fact, data may be harvested today in encrypted form to be cracked and decrypted later.
All these risks apply to the enterprise and are much underestimated as loss of confidentiality is a “silent killer.” Espionage does not announce itself loudly, unlike ransomware.
If critical mass starts to form, executives who see the problem will come forward, and these are great candidates for a “guiding coalition” that will drive the changes necessary. This is the second step, and a few key players are recommended for this vanguard position.
For instance, the head of information technology such as a CIO and/or a CTO in a product organization are great potential leaders, as are the CISO or chief risk officer if the organization has these.
The third step is to build a vision for change.
This will differ from organization to organization, but my recommendation is to move to a place where “control over cryptography” is the central theme. Generally, cryptography is baked into software applications, which does not bode well as software bugs and weakened algorithms continue to dominate. With baked-in cryptography, one cannot be “agile.”
Changing encryption is next to impossible in such a world. The change vision must include a set of levers that executives can use to change the basic fundamentals of the cryptography used throughout the organization, such as algorithms used, key sizes, rotation schedules and redundancies.
With these three things in place, the stage has been set for crypto migration.
The next steps focus on mobilizing change—most specifically, communicating the changes, how they will affect people and how each person can be an active part of managing the changes.
Avoid the fear/uncertainty/doubt angle. Cryptography will change, but the day-to-day operational impact on employees will be minimal to non-existent. Instead, cast change in terms of empowerment: Ensuring communications and private information are kept secure (now and well into the future) provides a level of certainty.
Those who will carry the largest workload for the crypto migration should be in the roles supporting the executives in the guiding coalition. Software, information infrastructure and cloud resources are all subject to change as the crypto migration is implemented.
New processes will need to be created for changing and adapting cryptographic algorithms, and operationally, new monitoring and visibility will need to be implemented to spot where “as implemented” does not line up with the “as designed” vision.
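The "control levers" described above (algorithms, key sizes, rotation schedules, redundancy) and the monitoring that spots where "as implemented" drifts from "as designed" can be made concrete. The following is an added illustration, not code from the author or from Quantum Xchange: the policy is held outside application code, an inventory of observed assets is checked against it, and pulling a lever (changing the policy, not the applications) immediately changes what monitoring flags. All asset names, dates and values are constructed.

```python
from dataclasses import dataclass
from datetime import date

# "As designed": the executive levers, held outside application code so they
# can be changed without a code release (the crypto-agility vision above).
POLICY = {
    "allowed_algorithms": {"AES-256-GCM", "RSA", "ECDSA-P256"},
    "min_key_bits": {"AES-256-GCM": 256, "RSA": 3072, "ECDSA-P256": 256},
    "rotation_days": 365,
    "min_mechanisms": 2,  # redundancy: independent key-establishment paths
}

DEFAULT_TODAY = date(2024, 6, 1)  # fixed "now" so the example is reproducible


@dataclass(frozen=True)
class Asset:
    """One 'as implemented' observation from a scanner or config export."""
    name: str
    algorithm: str
    key_bits: int
    last_rotated: date
    mechanisms: int


# Constructed inventory; names and values are illustrative, not real systems.
INVENTORY = [
    Asset("payments-api-tls", "RSA", 2048, date(2023, 1, 10), 1),
    Asset("hr-portal-tls", "ECDSA-P256", 256, date(2024, 3, 1), 2),
    Asset("legacy-vpn", "3DES", 168, date(2024, 5, 1), 2),
]


def find_drift(assets, policy, today=DEFAULT_TODAY):
    """Return (asset, reason) pairs where implementation departs from policy."""
    findings = []
    for a in assets:
        if a.algorithm not in policy["allowed_algorithms"]:
            findings.append((a.name, "algorithm not in policy"))
        elif a.key_bits < policy["min_key_bits"][a.algorithm]:
            findings.append((a.name, "key below minimum size"))
        if (today - a.last_rotated).days > policy["rotation_days"]:
            findings.append((a.name, "rotation overdue"))
        if a.mechanisms < policy["min_mechanisms"]:
            findings.append((a.name, "insufficient redundancy"))
    return findings


def pull_lever(policy, **changes):
    """Adjust a lever (e.g. rotation_days=90) without touching any application."""
    return {**policy, **changes}
```

Running `find_drift(INVENTORY, POLICY)` flags the undersized, stale and non-redundant payments key and the disallowed VPN cipher; `find_drift(INVENTORY, pull_lever(POLICY, rotation_days=90))` additionally flags the HR portal, showing a single policy change propagating through monitoring.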
Product organizations have an additional set of empowered workers who build the product and will need to implement the changes in the products shipped.
That control infrastructure may actually be complex, which is why the next stage of “small wins” is very important. Create momentum by ensuring small victories are announced.
Recognize that change is a process, not a switch that is flipped. As parts of infrastructure are made “crypto agile,” this creates momentum in itself, which in turn ensures the crypto migration can be completed successfully.
The final two stages focus on making it stick.
As individual parts of applications and infrastructure become part of the new cryptographic vision, control levers and monitoring start to function uniformly. New processes become commonplace, supported by lessons from the migration, and those lessons are applied to areas that still need to change. This is important because cryptographic diversity and agility need to become part of the culture.
The ultimate victory is achieved as assessing cryptographic risk and remediation become a regular part of the business.
Change is never easy, especially within large organizations and the underlying technologies that support them. But a vision of crypto security backed with a structured approach to the migration will lead to a genuine, long-lasting change in the implementation of the technologies and the business processes necessary to give executives control over these risks and ways to minimize them.