The Catalyst by Softchoice

The quantum threat: preparing your business for the future of cybersecurity

Softchoice Season 6 Episode 13


Quantum computing promises to be one of the most disruptive technologies of our time. But it also brings the risk of unparalleled cybersecurity threats. 

In this episode of The Catalyst by Softchoice, we delve into the world of quantum computing and its implications for cybersecurity. Dr. Vito Nozza, Principal of Security at Softchoice Design Studio and a PhD in cybersecurity, joins us to discuss the exciting potential of quantum computing while highlighting the significant cybersecurity risks it presents. 

We explore practical steps to enhance data protection strategies and address the potential risks associated with emerging technologies like quantum computing and AI. Learn how to proactively safeguard your organization’s data in the face of these threats. 

Featuring: Dr. Vito Nozza, Principal of Security at Softchoice Design Studio 

The Catalyst by Softchoice is the podcast dedicated to exploring the intersection of humans and technology. 

Heather Haskin: You're listening to The Catalyst by Softchoice, a podcast about unleashing the full potential in people and technology. I'm your host, Heather Haskin.

Quantum computing has the potential to unlock profound scientific discoveries and revolutionize industries. But as the Spider-Man proverb goes, with great power comes great responsibility. Alongside its promise of being one of the most fascinating and potentially disruptive technologies of our time, quantum computing also brings the risk of unparalleled cybersecurity threats capable of dismantling the very encryption systems that protect our digital world today.

That is exactly what we're going to explore in today's episode. Joining me is Dr. Vito Nozza, our principal of security at Softchoice Design Studio, who also happens to hold a PhD in cybersecurity. We're going to discuss why quantum computing, while exciting, could also be a major cybersecurity [00:01:00] risk. Dr. Nozza will shed light on what companies need to know to stay secure in this new frontier.

So I haven't had the opportunity of meeting you before, given the fact that we both work at Softchoice. I'm really excited about this opportunity, Dr. Vito, to be able to meet you and talk with you about this. And this has actually been a concern of many I've heard just in the world as we're talking about AI episode after episode.

Uh, but Aaron actually brought it up in our one-on-one episode that we did kind of going over the season. So I'm excited to get an opportunity to discuss that with you a little bit more today. I'd love to hear about your journey into cybersecurity and your road to obtaining your PhD as well.  

Dr. Vito: Wow. How long do we have? 

I am currently in, in Phoenix, Arizona in the U.S. I've been here about 12, 13 years, but I'm originally from Toronto, Canada. Born and raised. Went to Ryerson University and fell into technology by accident. I was going to go for accounting, believe it or not. And after the first six months, I'm [00:02:00] like, yeah, let me, let me see what this IT thing is all about, this local area networking.

And I fell in love with technology. And from there, working with the TD Bank in IT, I went into the security department and started to work with a lot of third party risk management, which was awesome. Working with a lot of our partners to ensure that their data was, in fact, secure coming in and out, and kept private and protected.

About three years of auditing, assessing outside of TD, I went to a consulting company. I assessed a lot of different entities like retail companies, healthcare, of course financial, and building programs for them. I was a forensic investigator, which was pretty cool at some point. You know, I was actually in court two or three times to be an expert witness, which is a pretty cool experience. 

10 years at Rogers as their principal architect, which was fun, but I got a great opportunity to go to Hawaii to become a director, senior director for their solution engineering team, which creating a lot of security measures around regulatory, legislative entities of that nature in Hawaii, helping out there. 

And you know, funny, Heather, through the years, we're in a certified environment. Everything we do, we need to be certified, either it's vendor or non vendor. My wife calls me certifiable. She goes, you have so many certificates. I'm like, well, in this industry, you need to. About seven years ago, I turned to my wife and said, you know, I might just go for my master's.

I'm doing all this training, all this learning. And she goes, well, go for it. And luckily I, in one year I did my master's in information assurance, cybersecurity, specializing in healthcare. Because of all my certs that I received, it was fast tracked. And then after that, of course, I'm a glutton for punishment.

And she goes, so what's next? I go, well, I don't know. Maybe. Maybe I'll do my doctorate. And three years later, a successful dissertation experimentation in artificial intelligence and real time threat analytics with one of the fastest growing emerging technologies out there, which is IOT sensors. And it was successful. 

And I'm working with a company now to get a patent on my, my idea wrapped around that. So never stopped learning, just always new technologies popping up. If you get into security and you think that's going to be a sedative, forget it. Then you're wrong. And you might want to get into something a little more stable. 

Heather Haskin: I always want to ask folks that go to Hawaii. How did you leave?  

Dr. Vito: Absolutely. So being in Toronto, you're I think one of the fourth biggest cities in North America and you have everything at your fingertips. And all of a sudden I moved to an island in the middle of the Pacific, literally the furthest point from any landmass. 

I started to talk with a lot of different clients out there, myself and other individual. We actually created an MSSP for these clients based around the need, the requirement, because unfortunately they're not bleeding edge and not leading edge. They just want to make sure that they are up to spec and their baseline of security is sound. 

After five years, six years though, Heather, honestly, I felt I needed to [00:05:00] expand and get out back to the mainland. And yeah, it was time. It was time.  

Heather Haskin: Pick things back up where you left off. I'd love to hear, you have a lot of passion for cybersecurity. What is your purpose statement?  

Dr. Vito: Oh, well, you know, in Canada and also, especially in the U.S., we have some heavily attacked critical infrastructure, healthcare, finance, retail manufacturing, and a lot of these rogue nations out there, they want to do harm. They want to stop us from advancing our continuance on any of it. And for me, it's all about helping clients to see where some of their risks and threats are and helping them to mitigate those.

And, you know, one company at a time. And hopefully it can help as many as possible in not being open to outside threats. It's really about the country, you know, not only Canada, but the U.S., our privacy and protection.

Heather Haskin: That's very important. And threats is what we're here to talk about, specifically the quantum threat. 

So with all of this incredible generative AI technology, now we've got to start looking at security at the quantum level. And that includes encryption and other things. So given the multitude of threats, of emerging and evolving cyber security threats, why is quantum computing currently at the forefront of cyber security discussions?

Dr. Vito: Wow. So, so quantum computing, again, like any other emerging technology, has its pros and its cons. Here's the thing. Quantum computing is still, you know, a little bit out there for us. You still need specialized hardware to operate. You almost need no atmospheric pressure, like a temperature close to absolute zero, and insulated from the Earth's magnetic field. 

This is the kind of equipment that is being used to formulate the qubits, right? The quantum computing. And what they do is, in technology you have zeros and ones. And what happens is, they are spinning so quickly, almost like super composition, right? That the ones and zeros almost merge, kind of thing. And from there, it's really about linking together both technology, data, everything that comes together, almost like an entanglement. 

And at the end of the day, that's where the qubit depends on the state of the other, 0 and 1. It's going so quickly. It's very difficult to try and formulate unless you have the proper equipment.

Heather Haskin: That's almost impossible to comprehend, the idea of a zero and a one becoming the same thing. It makes me feel like we're watching a Marvel movie at the quantum level. 

Dr. Vito: Absolutely. Think about it. It's science, physics, and math that all come together. That's, that's quantum physics, quantum computing. People are working with it. They're trying to establish it. You know, in talking with Intel, they are trying to increase the processing speeds of their chips to try and adapt to some kind of quantum computing remnants, right?

Heather Haskin: I'd like to focus on a little bit more specifically, predictive analysis and predictive analytics. How would we see that role evolving as we face more complex threats?  

Dr. Vito: Well, here's the thing. With quantum computing, what kind of problems is it going to solve, right? Remember, every emerging technology, I call it a double edged sword. 

We can use it for good, and others can use it for bad. Right? So you can solve machine learning, right? Computers can solve linear algebraic equations within machine learning, right? Then you have optimization. You can choose the best range of options. It gives you like, it's almost like doing the job for the actual process. 

And then, of course, simulation simulates physical systems, such as maybe chemical systems, manufacturing systems to give you some kind of simulation. AI is more of a prediction, right? Predictability based on all the information that it's collecting where quantum computing will solve problems for you, which is why, you know, we're looking at quantum encryption, which, you know, again, good because it's going to encrypt data. 

That's at a speed that we've ever seen, but at the same time, it can also be used to decrypt, you know, 256 bit encryption from AES that we have right now. It can most likely decrypt that information quite rapidly. And unfortunately, that's a big threat.  

Heather Haskin: That seems to be a massive threat. What do we do? What is the answer? 

Dr. Vito: I mean, ultimately, artificial intelligence is there to help us as well. I was doing experimentation on real time threat analytics. And what AI can do is it can set profiles, set baselines, understand the traffic that it's supposed to receive. And it looks at deviations. And if something happens there, of course, it'll probably stop that if it's told to, based on the policy. 

Heather Haskin: So it sounds like we're looking to get far in front of the point where quantum computing has access to de encrypt our data.  

Dr. Vito: Oh yeah. I mean, it needs to be governed. Like everything needs some kind of oversight. The problem is that rogue entities will use it for their own reasons and their own expectations and requirements. Right.  

Heather Haskin: So I'd love to go back a little bit to the fact that you work here at Softchoice, and I'd love to hear your passion and your purpose as you're in your role here and what you're looking to do for the company and with our customers.

Dr. Vito: I've done so many different roles. For me, it's about putting everything together and helping clients to achieve their overall business outcomes.

I mean, everybody goes, Oh, why, what's security all about? Well, security helps companies to ensure that their business strategy is successful. That's all it is. When you're talking to executive leaders, when you're talking to board members, it's all about how can security help me to ensure that my business is successful. 

That's really it. So at Softchoice, as a true principal security advisor, it's about talking with different clients, having them understand their industry, some of the external drivers, some of the internal drivers they should be looking at that can alter and impede the success of their strategy. And that's where security comes in.

Heather Haskin: So I always love storytelling when I'm thinking about something new. If we were to pick an industry and create like an example scenario of something that we could imagine how you're helping customers. Do you have an example industry where you're seeing threats all the time and you're helping customers on a regular basis? 

Dr. Vito: Sure. So, living in Arizona, some previous roles, and I would continue this with Softchoice, uh, was working with casinos in Las Vegas. And casinos, as you can imagine, it was almost like they print money. So of course they're prime targets, right? This is what really got me into real time threat data visibility.

Cause if you don't know how the data moves within your environment, how can you protect it? There was a hotel, a casino in Las Vegas that was breached, but the way they were breached was interesting. It goes back to the IOT sensors. [00:12:00] They had a bunch of fish tanks throughout the lobby and the hotel, you know, just for ambience and things of that nature. 

And what happened with these fish tanks is they have sensors to make sure that the water stays within a certain range for temperature purposes. What happened here is that what cyber criminals do, they're very smart. They use something called the cyber kill chain. And the first step is reconnaissance. They try to understand their adversary. And they found these IoT devices, and they were not secure. Which, inherently, IoT sensors, they don't have the processing power to be secure. So you need some kind of security, I guess, like a compensating control. 

To make sure that we have some kind of oversight into it. So they've got into these sensors. They did some, you know, discovery, they found servers that housed and they call them whales in casinos, the individuals that come in on the weekend, drop millions and then leave. All that information, they got that information and they siphoned it out the same sensor. 

Now, think about this, if that sensor is only telling the monitoring crew, yeah, temperature is good, the data is very small. But that data that was being exfiltrated was at 1 to 300 meg per second. Which, of course, if you had the proper... even an artificial intelligence SIEM looking at that data, it would say, well, something's wrong here.

I'm going to shut it down and let you know why I did it. That's artificial intelligence. The problem is that casino did not have that and they lost quite a bit of data on that. So for me, it's about helping clients understand their environment, where their data is being housed. Because nowadays, it's not just on the perimeter, it's in the cloud.

Right now, we're working from home, right? Data could be on our laptops. Our third parties, which is some of the biggest risk. We need to ensure that data, the attack surface, we have the proper protect surface to ensure that it's not compromised. 

Heather Haskin: I love what you said. 

If you don't know what your data is doing, how can you protect it? That's really amazing and profound, but so simple at the same time.  

Dr. Vito: Well, Heather, I teach part time at a couple of universities and I tell my students all the time. I said, you know, here's the thing. If you don't know how your data moves, how can you protect it?

If you don't know where it is, how can you possibly protect it? I remember, uh, second year university, eight o'clock in the morning, I had a class business analytics and I'm like, Oh, okay. What's this all about? For five weeks, we talked about data flow diagrams. And I'm like, when am I ever going to use this? 

Sure enough, I use it every day. So yeah, it's funny. That's why I tell all my students, you might not think it might be worthwhile, but believe me, listen to what we're saying. You're going to need it later on in life.  

Heather Haskin: That's the funniest thing to say about school is, Oh, why do I ever need this? And you'll realize much later as an adult, Oh, I think I've used everything that I learned in school in some way or another. 

Dr. Vito: Absolutely.  

Heather Haskin: With artificial intelligence playing an increasing role in both cyber security defense and attacks, how important would you say it is to have proper data collection and protection in shaping those AI driven security solutions?  

Dr. Vito: Yeah, so it's all about data privacy. We're creating more data privacy programs to ensure we know where the data is being housed, how it's being used, how it's being processed, who's accessing it, what are they doing when they access it. 

So even though you and I might have authorization to access a certain folder or file, what are we doing to that file when we have access to it? Are we changing something, thereby altering the integrity of the actual artifact? From there, we need to make sure that artificial intelligence, as I mentioned, has an insight in understanding the anomalies that occur within your environment so that you can rectify them before they get worse.

Heather Haskin: So you're giving AI all this access and now my question would be what risks do you see if this data isn't properly safeguarded?  

Dr. Vito: Absolutely. And you know, this is a program that we have actually where we do a risk assessment based on the AI application or the AI process that you're bringing into your ecosystem. 

Remember, anytime you add something into your environment, there's a chance of a risk or vulnerability because it's something new, right? So you need to assess it. When you assess AI, you have to understand what data is it collecting? Where's it from? Is it private data? Is it your client's data that it should not be utilizing to make decisions, especially in healthcare?

You want to be so vigilant to ensure that the proper data is being collected and used to make decisions and it's not being leaked out into a public domain.

Heather Haskin: I'm really glad you mentioned industry because that's a really important aspect of this discussion. And given you gave the example of healthcare, you know, we have compliancy right there when we talk about healthcare. 

So how can quantum computing and some of these complex threats, how can we get in front of that?  

Dr. Vito: With healthcare itself, I mean, in the U.S. we have something called HIPAA, right? And it's both security rule, privacy rule. So what you're doing is, you're mapping a lot of the different requirements from HIPAA to an actual regulated framework like the NIST CSF.

From there, you're understanding, is my governance being done properly? Do I have the proper identification of my assets of possible risks? Do I have the right protection mechanisms in place? Once you understand your environment, then you can start to look at AI or quantum when it does become available. 

Well, let's be honest, quantum right now is still, uh, one of those Steven Spielberg movies. It's not out there yet, but our artificial intelligence is, and there's a lot of platforms that are utilizing that, and once your policy is in place on your critical, your high, medium, low data, and what's heavily regulated, that AI can then, again, put certain profiles around that data to make sure that's not being used or utilized in erroneous ways.

Heather Haskin: Have you experienced anything out of the ordinary lately that you've been working on?  

Dr. Vito: Oh wow, it's just helping clients in protecting their data. A lot of platforms out there, I call it the sea of products. I have clients say, how about this product? How about this product? I say, how's that going to help you? 

It's not helping you in your strategy. Is it because someone told you is the best thing since sliced bread? Do you want to put it into your environment? It's not going to help you. Let's look at your environment. What kind of data do you have? Where's it being, where's it being used? Who are your partners? 

Who are your users? Who are your clients? From there, we can make a sound decision based on a proper data compliance and data governance program.  

Heather Haskin: That's got a lot of moving pieces in it. It almost feels like, where do we begin?  

Dr. Vito: It does. And it's funny when a vendor says, I have a solution for that. Well, it's not a solution. 

It's a program. And a program is so vast, you need to create frameworks wrapped around that program. You need to create policies and then put in a solution. If I'm a client, which I have been in the past, I'm making sure that whatever is added into my infrastructure, my ecosystem, has a value to protecting the data that I need for my business strategy.

Heather Haskin: And that's very important. I keep thinking back to your casino example, and I'm imagining like, it sounds like whoever threatened that environment had an understanding of the environment to the level that they were there and they kind of knew the environment from the end user's perspective or from maybe even the internal casino's perspective. And then you also mentioned quantum computing and how that decryption and encryption, if it's so great at encrypting, then you have to worry about the opposite side. So it sounds like when you're looking at your environment, you have to look at it backwards and forwards from your end user's perspective and also internally to build all of those programs.

Dr. Vito: I'll tell you why cyber criminals. It's a business, right? I mean, we've all heard of the MGM attack that happened back in October. In six days, they lost a hundred million dollars. Why? Because these cybercriminals, and they were Scattered Spider and Black Cat, they kind of merged, they worked together in a partnership, to not only infiltrate and get into the environment and understand that there was a vulnerability with some of the identity access management platform, but then from there, they went in and they started to exfiltrate because Black Cat was very good at ransomware and exfiltrating data.

So it's a business and you need to be as smart as them. And again, go back to my students. You need to have that offensive mindset. You need to ensure that you know who is going to attack you, what their motive is, they call it TTP: tactics, techniques, and procedures. Why are they attacking you? What kind of industry are you?

Are you healthcare? Are you finance? Are you casinos? What would they want from you? And of course the technique is how will they be doing it? And of course the procedures, the step by step that they will take to infiltrate your environment. There are a lot of good sites out there, like the MITRE group.

They actually provide you information on that on possibly your industry and who's attacking and how. So there's a lot of information. It's just ensuring that you can correlate it all.  

Heather Haskin: An unending amount of information. And it causes me to think, what is the next big security threat? So as we look ahead to 2025, what other cybersecurity threats beyond quantum computing, perhaps, do you foresee emerging?  

Dr. Vito: Well, third party risks is huge. Look at SolarWinds. They were breached, and then what did they do? They spread out their updates to all their clients, and now their clients are breached. And I thought that whole thought process was pretty smart. 

Supply chain attacks, so they state that 45 percent increase is expected to have a supply chain software attack going forward. So that's huge. I mean, you have to trust your third parties, but then you have to trust your partners of your third parties. You're only as strong as the weakest link, and who's the weakest link? 

So we can help our clients in ensuring that their security posture is very strong, but then we have to look at who their partners are and what their posture looks like. It has to be at least where you are. If it is below, then obviously they might have some vulnerability that could affect you. 

Ransomware is expected to go up 75%, which I mean, can we even afford that? It's already three or fourfold since 2020. IOT devices. The hacking of IOT devices, unless you have proper controls to ensure that you can see that data. My watch, Alexa. Manufacturing companies are using IOT devices like sensors to increase profitability of that device or that machine. 

So those sensors could be an entry point for attack. Cloud based attacks are [00:23:00] on the rise because of all the new applications people are using. And then the number one, which will never go away is insider threats. We as humans are the number one threat. Why? Because we love to click things. 

We're a clicky society, right? We need to really enforce that human firewall. And it doesn't matter if it's now three years from now, five years from now, we will always be the number one threat, the insider threat, whether it's malicious or it's by accident. It's always the human factor.  

Heather Haskin: So as we think about companies and getting quantum ready, essentially, or just really taking a good look at their cybersecurity policies, it sounds like we're seeing this compelling event as they come to you after they've been hurt and we want to avoid that. So, how can leaders better prepare for these emerging threats in advance?  

Dr. Vito: I want to go back to what you mentioned about they come to you after. We're such creatures, not just creatures of habit, we're creatures of experience. Something has to happen before we actually do something about it, right? And unfortunately, we've had some occasions in the U.S. and in Canada that have opened our eyes to what we need to do. Risk assessments, compromise assessments. I've had clients come and say, you know, Vito, I think there might be something going on within my environment. All right, let's do a compromise assessment. Let's look at putting sensors in your environment.

Let's collect data and let's see if there are anomalies before it gets worse. So it's always about being proactive. And putting in devices in your environment that are predictive, like AI, SIEMs, perhaps, that will look at your environment and say, Yeah, you know what? Everything's smooth. And all of a sudden, something changes.

But they don't just tell you about it, they actually act on it. So it's all about understanding your environment. Doing proper risk assessments, gap assessments, like what's missing, just, you know, being vigilant, having basic cybersecurity hygiene. I still see that password use is being thrown by the wayside. 

Some companies still don't have a multi factor authentication or even segmentation of their environment. That's huge. Cause if I get into your environment and there isn't any segmentation, then, you know, I have the keys to the kingdom at that point. So it's just basic cybersecurity hygiene that love to just talk to clients and say, okay, what are you doing with this data? 

How are you ensuring that you know what your governance and compliance measures are, are you doing the right thing by your shareholders, right? You have key performance indicators, key risk indicators. Do they exist? There's a lot of different things you could talk to clients about to ensure that, but it all starts with where are we, where we need to be and how we can fill those gaps. 

Heather Haskin: Well, I'm sure that our listeners would love to learn more about defining those key risk indicators and such. So where can our listeners go to learn more and get started?  

Dr. Vito: You know, we have a lot of great information on our websites at Softchoice, but there's so many different blogs out there. Myself, I've created a few. I love CSA. If you're in the cloud security, the CSA, the Cloud Security Alliance, is fantastic. It's great information from them. I mentioned the MITRE, but NIST, National Institute of Standards and Technology, has so much information on zero trust, on business continuity, disaster recovery, incident response plans, and you can read up on it and say, oh, I might need this.

I'm missing this. Contact some of the advisors at Design Studio at Softchoice. We can help. Yeah, not a problem at all. As you can tell, I can talk about security till the cows come home. I've been doing this for quite some time and I love this industry I'm in because it's the ever changing industry. It never stays.

And here's the thing about assessments, which I want to go back to as well. It's never a set it and forget it. If I do an assessment on day one and something new comes into my environment, like perhaps merger and acquisition of another company, a new application, a new cloud processor platform, you have to do another assessment based on what just changed, because if not, that's a new vulnerability, and you might have controls in place that just don't do the job, really.

Heather Haskin: Wonderful. Thank you so much for explaining that, Dr. Vito. I really appreciate it. The quantum era is fast approaching and businesses need to act now to secure their data. I really enjoyed listening to you and hearing more about your perspective on quantum computing and the threats and cybersecurity threats that come from it.

My biggest takeaway, I would say, was make sure that you know how your data is moving. The example of the casino with the internet of things and the sensors on the fish tank: make sure you know how your data is moving, who's accessing it, where it's being segmented, what your compliancy rules are. You can't protect it unless you know those things. And to learn more and connect with Dr. Vito, please feel free to reach out to him on LinkedIn as well as go to our website at softchoice.com. A huge thank you to Dr. Vito Nozza for sharing his insights and thank you for tuning in. If you liked this episode, consider leaving us a review wherever you listen to your podcasts and we'll be back in two weeks.

Dr. Vito: Thank you, Heather.  

Heather Haskin: Thank you. The Catalyst is brought to you by Softchoice, a leading North American technology solutions provider. Learn It is written and produced by Angela Cope, Filipe Demas, and Brayden Banks in partnership with Pilgrim Content Marketing.