I’ve been around long enough to remember encryption products from the earliest commercial offerings. The first systems helped us secure our communications, and as communications systems and protocols evolved, so did the encryption products. The second set of commercial offerings helped us encrypt information in storage. Some solutions encrypted the media while others encrypted at a higher level of files, or rows within a database, etc. Here again we saw an evolution of products, often driven by the adoption of stronger algorithms and new forms of media.
This has been the state of play for decades; we can protect information while we move it, and we can protect information while we store it.
Do you notice a problem here?
Ever since the beginning of time, the one place we could not use encryption to protect our information was while it was being processed.
After decades of status quo, we are now seeing an emergence of a new class of cryptography-enabled tools called Privacy Enhancing Technologies (PETs) designed to allow us to protect information even while it is being processed.
The emergence of these capabilities in conjunction with the digital transformation underway in our businesses and the transition to an ever-more-so information-based economy is creating a unique business opportunity that needs to be seized.
But as with anything new, as a CISO, you need to be wary of traveling merchants selling snake oil. There are great use-cases for PETs, but they are not a magic bullet and they’re not a generic solution for all information / data protection challenges.
As a CISO, when I first was introduced to PETs my reaction was, “this is great … this is the missing link…it’s what I’ve been waiting for.”
Then I thought to myself, “This is really nice, but there’s no regulator asking me to do this, there’s nothing in any of the standard control frameworks requiring this, and I have SO much other work I have to do. Can I afford to care about this today?”
But that is such an old-fashioned perspective. While all good CISOs today are making sure all of the necessary controls are in place, the best of CISOs are not stopping there. The best CISOs are more than just risk & control people, they are true business enablers.
PETs are indeed a great security tool, in that information is cryptographically protected in more places. But what makes PETs truly exciting is their value as a business enabler.
The revolutionary capabilities provided by PETs create opportunities to unlock the value of sensitive information that we have always treated as off-limits and facilitate levels of collaboration we’ve never imagined. Some simple examples are:
- A collection of banks collaborates in near real-time on a money laundering or fraud investigation without disclosing PII or tipping
- A group of biotech competitors “share” research data to advance the study of a new virus without having to disclose any of their specific, especially proprietary or regulated data, to each other
- An e-commerce marketplace finds a new way to monetize the value of its customer data by allowing sellers / manufacturers to build better consumer behavior models without ever having to disclose PII
- A multi-national company wants to leverage sensitive data without concerns for cross-border data transfer legalities
So, if you’re a CISO and you want to be a business enabler, you really need to be looking into PETs, and if you are looking into a PET, you have to figure out where to start.
You start with a use-case.
The opportunities will be vast, the possibilities will be unique to every different business, the data each business cares about will be different, and the data to which they have access will be unique.
Think about places in your business where there’s a need either for collaboration or machine-learning model-building based on confidential or sensitive data. If some level of collaboration already exists that needs a boost, that could also be a great place to start.
Once you know your use cases you can consider the best PET for you, because different PETs are better suited for different use cases. Today, there are 6 basic classes of PETs which I won’t even begin to try and explain here. They are:
- Zero-Knowledge Proofs
- Secure Enclave / Trusted Execution Environments
- Federated Learning
- Differential Privacy
- Multiparty Computation
- Homomorphic Encryption
Of all the classes of PETs, the one that as a CISO today requires your immediate attention is Homomorphic Encryption (HE) because it is the most malleable / flexible thus providing coverage for the most varied / critical of your potential use cases.
Just as important as picking the right class of PET, you also want to pick a strong PET. That starts with understanding the key characteristics of the underlying encryption methods being used. As with any solution based on cryptography there are good and bad implementations. What types of algorithms are being used? OpenSource? Peer Reviewed? Standardized? Supported by Industry?
Specifically, the best implementations of HE will be based on some variation of Lattice cryptography algorithms (don’t ask ☺) such as those NIST is looking at as they create the next-generation standard for post-quantum cryptography. No matter what kind of PET you chose, you want something that is “quantum-proof”.
So, the next frontier is here, and that’s true at multiple levels.
On one level it’s pushing forward on the idea that the CISO is more than just a risk & controls person, they must be a business-person … even more… that the CISO must be a business enabler.
On the second level it’s the opportunity provided by a revolutionary class of encryption products called PETs that will not only allow us to improve how we protect information but more critically will allow our businesses to unlock the true value of their information in a way that will dramatically impact the company’s bottom line through enabling the analysis and use of even the most sensitive – and valuable – data.
The opportunity to reach that next level is in front of every CISO. Grab it. Learn about PETs. Understand the business’s information and envision the opportunities. Sit down and talk to your business partners. Be their hero. Change their world. They don’t have to know that it will also make their world more secure.
We recently interviewed Charles about his thoughts re: the role of the CISO in-depth. Watch the full interview below.