As 2019 draws to a close, it’s time to turn our attention to 2020. Our leadership team has been diligently looking ahead, working to identify the new trends and developments that will shape the security market in the coming year. As artificial intelligence advances, the Internet of Things continues to expand, and automation becomes more widespread, it’s important for leading cybersecurity companies to discuss what they are seeing in the market and how the future is likely to take shape.
This week, I moderated a roundtable of sorts to gather several of our executives’ predictions for the coming year. Following are highlights of that discussion with:
- Bill Holtz, CEO
- Alan Grau, VP of IoT/Embedded Solutions
- Tim Callan, Senior Fellow
Moderator: I want to start with something that Sectigo has talked about a fair amount this year. Tim, I know you and Jason [Soroko, Sectigo CTO of PKI] have discussed the implications of quantum computing on your podcast, Root Causes. And Bill, you recently wrote an article about quantum-resistant cryptography for Forbes Technology Council about the same topic.
Would you talk a little bit about how you see quantum computing evolving in the new year?
Tim Callan (Senior Fellow): Absolutely. It’s an important topic that is only going to become more important as quantum computers advance. As they continue to improve, enterprises and the general public are going to be increasingly aware of the threat quantum computers pose to the cryptographic systems that underpin digital security across the globe.
We are going to see a greater focus on crypto agility—the ability to update cryptographic algorithms, keys and certificates quickly—in response to the advances in cracking techniques and processing speed that come with more effective quantum computing. More enterprises than ever are going to need to explore automation as a critical element for future-proofing security if they want to prepare for these inevitable cryptographic updates.
Bill Holtz (CEO): That’s a great point, and it underscores the fact that certificate automation is becoming more and more important across the board. Automation is only going to become more critical for businesses when it comes to securing websites, connected devices, applications, and the digital identities that help prevent crippling and costly attacks.
These attacks have taken on a lot of different forms. Ransomware attacks, data breaches, and email impersonation all continue to increase as cybercriminals become more sophisticated. This has made it harder to eliminate the potential for human error in cybersecurity operations. Many of the functions of cybersecurity that require human intervention are laborious and error-prone—so replacing them with technologies that automate the protection of security elements at scale can provide a huge benefit to users. A lot of these features were viewed as “nice-to-have” in the past, but today’s enterprises are beginning to understand that they play an essential role in compliance and establishing safe internet practices.
Moderator: Speaking of safe internet practices, this seems like a good time to jump into the regulatory realm. California in particular has recently passed legislation mandating stronger protections—especially for IoT devices—and there are more in the legislative pipeline. Can you talk about what that means for the future?
Alan Grau (VP of IoT/Embedded Solutions): We’re going to be seeing a lot more legislation, I think. As you said, the new legislation being passed requires greater levels of security for IoT devices. OEMs [Original Equipment Manufacturers] of IoT and embedded devices are going to greater lengths to protect their devices from attacks today, and vendors are adopting TPM chips and other hardware secure elements (HSEs) to provide those devices with an identity and hardware-based secure key storage.
These advancements pave the way for the use of certificates and PKI to replace static credentials. In 2020, we’ll see higher-level security for IoT networks, helping them protect against IoT botnets that exploit static credentials.
Moderator: Would you talk a little more about that improved device security?
Grau: Sure. IoT and embedded device OEMs are starting to recognize they can’t just rely on air-gapped networks, password-based logins, or other security measures that have proven inadequate. NIST [National Institute of Standards and Technology], the FDA, NHTSA [National Highway Traffic Safety Administration], ISCI [ISA Security Compliance Institute], and other industry consortiums have provided security recommendations for IoT, industrial IoT, and embedded devices—and they outline the case for a security framework that provides secure boot, secure firmware updates, embedded firewalls, hardware-based secure key storage, and the elimination of static credentials.
OEMs are doing a better job of leveraging PKI for device identity, and they’re beginning to build multiple layers of security into their devices to harden them against cyberattacks. These are all positive developments when it comes to device protection, and hopefully it’s a trend that will continue to gain momentum in the future.
Moderator: Let’s circle back to data privacy. Obviously, the need for stronger data protection is one of the motivations behind the sort of legislation mandating these IoT improvements, but I wonder if one of you can speak to it in broader terms.
Callan: I’ll jump in here with CCPA [the California Consumer Privacy Act] as an important point of reference. CCPA technically only applies to California consumers, but the law is going to have a much bigger footprint than that; it gives California residents the right to know what data is being collected, to view it, and, if they want, to have it deleted. We expect that most companies doing business in the U.S. will decide that it’s easier to honor the California legislation than to try to identify which consumers live in California and which do not, and then apply different standards to them. This will effectively make the CCPA protections into a de facto standard for most U.S. residents—and that’s without considering the fact that other states are expected to follow in California’s footsteps with provisions of their own.
Moderator: Great. Thank you, Tim, and thank you Bill and Alan for taking the time to talk 2020 cybersecurity predictions today. Between watching new legislation and listening to customers’ enterprise security needs around the world, Sectigo is working to address some of the greatest challenges that network administrators, operations, and security teams face today and in the future.