This interview with Stefan Auerbach, CEO of Utimaco, was conducted by IDC, and was first published in the IDC Executive Brief: Cybersecurity in Germany, Austria, and Switzerland 2022.
Cybersecurity as a business value: insights from Stefan Auerbach, CEO at Utimaco
IDC: Decision makers are currently tasked with successfully striking a balance between the increasing number of cyber threats, slim budgets, and the high technological demands of customers, employees, and partners. What advice do you have?
Stefan Auerbach: The aftershocks of the pandemic, as well as the menace of cyber warfare, are very real threats today — not only for enterprises with critical infrastructure.
In addition to that, fears of inflation and worries about economic growth do not exactly foster a willingness to invest in cybersecurity. Yet there could be no better time than now to make urgently required investments in cybersecurity. The financial crisis has only hindered but not stopped digital transformation, which means that anyone investing now has a chance of coming out of the crisis stronger.
Successful digital transformation hinges on data and data security strategy, because only secure and trustworthy data brings added value to your enterprise in the long term.
My advice is to opt for a holistic encryption strategy, basically encrypt everything. Start today by always including data security in the equation when implementing your data strategy, for no matter where it is created, processed or stored, this data can only be protected from misuse by suitable means of encryption. The highest security standards can only be fulfilled by hardware-based security encryption solutions that generate and store the cryptographic key material in hardware security modules (HSMs). It is the only way to protect the keys from loss, unauthorized access, and manipulation.
IDC: Digital sovereignty is becoming increasingly important and brings new challenges, also especially for cybersecurity and security providers. What measures do you adopt in response?
Auerbach: Digital self-sovereignty is a thrilling subject, at a geopolitical economic area level, at a corporate level, and at an individual level. In an age of globalization and integrated supply chains, EU and national politicians, enterprises, public authorities, and ultimately all of us as citizens and customers are faced with the same question: whom do I trust with my identity and my data? The crucial aspect is not whether the identities of natural/legal persons are concerned, or of machinery, cars, or other connected IoT endpoints, but solely that of our trust in the identity of the other party in a transaction.
In the case of weak identities, no basis for trust exists at all, and if trust is misused, the transaction does not take place. In order to ensure trust in transactions, national or specific industrial regulations and certifications have already been introduced for certain use cases. Digital identities of people, things and services follow a clearly defined life cycle. The identity is created and assigned to its bearer, it is checked during use and authenticates the bearer vis-à-vis third parties or authorizes the bearer to conduct specific actions. Depending on the longevity of the identity bearer, the identity must be managed throughout the entire life cycle and renewed if necessary before it is returned at the end of the life cycle.
IDC: Cloud and edge computing are increasingly blurring boundaries. IT infrastructure, identities, and data are becoming increasingly widespread and call for new security approaches and better integration. How can vendors support their customers in this area?
Auerbach: The work culture in the digital age is becoming increasingly collaborative. A growing number of employees in every industry use cloud-based services or applications to hike their productivity and keep their information up to date.
While cloud service providers offer excellent security for customer data in the cloud, demand is growing for additional security to protect sensitive data. Depending on the geographical location of the cloud service provider, sensitive data must be encrypted in accordance with the data privacy regulations and legal requirements of the country in which the enterprise storing the data is engaged.
Double-key encryption solutions such as Utimaco’s DKE Anchor enable enterprises to use cloud services without having to disclose their cryptographic keys. They can then also adhere to compliance standards that require enterprises to remain key owners without this compromising the scalability of key provision. These solutions thus satisfy the requirements of two-stage security for highly sensitive data in the Azure cloud, for instance, and enable key life cycle management and cloud enablement to be combined in a single package.
IDC: IDC regards cybersecurity as a key enabler in promoting the digital trust displayed by customers, employees, partners, and the public to an enterprise. What do you do to secure digital trust both within your organization and between your customers and their customers?
Auerbach: Cloudification, IoT, X-as-a-service, supply chain security and digital business models – ultimately, all of our futures hinge on digital data. It is the basis of successful digital transformation and therefore securing this data and the underpinning digital identities of enterprises, individuals, and connected devices has never been more crucial than now.
“Creating Trust in the Digital Society” is far more than a tag line at Utimaco — it is part of our DNA. Our technologies protect our customers’ most important assets and for their customers, citizens, and staff. For 40 years now, Utimaco has been protecting individuals and devices and their digital identities from terrorism and cyber criminality, as well as transactions — financial and otherwise — data and ideas from theft, misuse, and manipulation. At Utimaco, too, we are seeing a rise in demand for solutions as a service and in response we are therefore transforming our role of product manufacturer into that of service provider. We focus on our global innovative power to combine maximum security with the user friendliness of our products and services.
IDC: Looking into the future, IT landscapes, attacks and cybersecurity are set to become even more complex. What technologies and measures should organizations include in their road maps now that from your point of view will be vital in the future?
Auerbach: My wish list is topped by post-quantum agility. Computers that use quantum technology can supply answers to unsolved problems in various areas such as finance, transportation, pharmacy, and climate science. However, given their unprecedented computing performance, they do pose a serious threat to traditional encryption methods. Quantum computing threatens current encryption technologies because in the very near future, quantum computers may well be able to calculate private keys. That would unlock the possibility of cracking established asymmetric encryption algorithms within seconds and thus paralyzing whole sectors of the economy.
Researchers posit that current cryptography with public keys will already be compromised by quantum computers in around six to eight years and symmetric algorithms will be significantly dented.
The risks are obvious. Data leaks, using false names, identity fraud, and forged transactions are just the tip of the iceberg. The threat situation depends on the longevity of the relevant product portfolio. The average lifetime of a car is around eight years, for instance. Add on two to three years’ development time and a car developed today will still be in circulation in 10 years’ time. All the data created and processed in the car would be potentially exposed to attack by quantum computers. Enterprises must take action now and get set to migrate their cybersecurity infrastructure to quantum-proof algorithms if they want to be well prepared for the post-quantum age.