Q&A with Roger A. Grimes, IDG/CSOOnline security columnist and Data-Driven Defense Evangelist for KnowBe4, Inc. 

TPG: What’s the worst malware you’ve seen lately?

RG: Ransomware in general. You’ve got tons of companies going down for days to weeks. Ten percent of small businesses never recover and go out of business. Most companies are paying the ransom because they have no other choice. Their backups are not nearly as good as they think. Some forms of ransomware steal your data and want to be paid or else they’ll release your company’s most secret information into the public realm. A backup is not going to help you there.

TPG: Tell us about the premise of your newest book, Cryptography Apocalypse: Preparing for the Day When Quantum Computing Breaks Today’s Crypto. Do you really think quantum computing spells doom and gloom?

RG: Not doom and gloom. More like a really big Y2K problem that if not addressed can mean your secrets get revealed. There are probably nation-states and corporate adversaries saving your encrypted protected data today, waiting for the quantum crypto break to happen so they can read your secrets a few years from now. How many secrets do you have that you would want revealed in a few years? If you don’t want those secrets revealed in a few years, keep them off your network and VPNs today. That’s what the book is about: Here’s the problem and here’s how you can start preparing for it today. It’s a wake-up call. On a good note, quantum computers are going to bring us many wonderful things. I think all those wonderful things will be as wonderful or more wonderful than what the Internet, iPods, and smartphones brought us. It’s the first time we will be able to fundamentally model how all nature works, and that is HUGE!

TPG: Tell us more about KnowBe4. What’s your role there? 

RG: I’m the Data-Driven Defense Evangelist. It’s really just a title I gave myself when hired, named after my most important book (I’m working on my 12th), Data-Driven Computer Security Defense. It’s my seminal opus. I love all of my books…but that book means the most to me. If you’re in computer security you should read that book. It will change your working life. Seriously! But what a data-driven defense evangelist does is to help people put the right defenses in the right places in the right amounts against the right things, because 99.9% of the world does not do that. Practically, for KnowBe4, I write and present mostly. It’s a marketing and PR-type role, but what I really want to do is help the world be a much safer place to compute. If I don’t do that, then my professional life will have been a waste. And KnowBe4 gets it and allows me to do as much as I can do in that goal. It’s been the best place I have ever worked and I’m 54 years old. I’ve worked in a lot of great places.

TPG: What is your most unique computer certification?

RG: I’ve got many dozens of them. Some people don’t believe it, but I worked for two years at a boot camp training camp where I taught two-week MCSE classes and I had a lot of time to study for and take tests. I’m not sure the unique ones are the best ones, but I was a Certified License Manager, which was created by the “software police”…SPA, Software Publisher’s Association. They used to go around suing companies for not having enough legal licenses. And if you had a CLM on staff, the organization unofficially promised not to sue the company. So, for the company I was working for at the time, it was a nice insurance policy just in case.

TPG: What are the scariest hacks of 2019?

RG: Ransomware. It’s hard to overstate how bad things are. Each year I think cybersecurity attacks can’t get worse and each year they do. I don’t see how things can be worse than ransomware…I really can’t. But it will.

TPG: What do you think 2020 will bring in terms of cybersecurity headlines?

RG: I think we will learn that the NSA has already used quantum computers to crack encryption and didn’t tell us. But it leaks out. And China isn’t far behind.

TPG: When it comes to cybersecurity, what do you think enterprises need to be most concerned about?

RG: Same two things they have needed to be concerned about the most for the last three decades…it hasn’t changed…social engineering and unpatched software. Together they account for 99% of risk in most environments.

TPG: Let’s talk about the 10 risk factors that no one talks about.

RG: See https://www.csoonline.com/article/3446019/10-risk-factors-no-one-talks-about.html

TPG: Do you think ransomware will still be such a big thing in 2020?

RG: Yes of course. Possibly worse. It always just gets worse.

TPG: Do you think companies are prioritizing security training enough?

RG: No, most aren’t. A few are. If you aren’t training your company in how to avoid social engineering tricks at least once a month and testing them with simulated phishing attacks…you aren’t doing what you should be doing.


ThePKIGuy

About ThePKIGuy

President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.
