The End of the Perimeter – And Why It Matters
Simon began by dismantling a common misconception: that a strong network perimeter is sufficient for data protection. He argued that the traditional “perimeter-centric approach” is “no longer fit for purpose” in a world where data travels far beyond the organization’s controlled environment. This is due to several factors:
- Cloud Transformation: The widespread adoption of cloud services means data is often stored and processed outside of the organization’s direct control.
- SaaS Revolution: Software-as-a-Service (SaaS) applications, while offering numerous benefits, also introduce new security challenges, as data is dispersed across multiple third-party providers.
- Emerging Technologies: The rise of AI, IoT, and other emerging technologies further expands the attack surface and creates new vulnerabilities.
- Data Proliferation: Organizations are often unaware of where their data is going.
The legal ramifications are significant. Simon emphasized that the data owner (the business) remains legally responsible for protecting data regardless of where it resides. This responsibility extends to data processed by third-party vendors, cloud providers, and even data shared with partners.
Cybersecurity: A Business Risk, Not Just an IT Problem
Simon stressed that cybersecurity is no longer solely the domain of the IT department; it’s a fundamental business risk. He pointed out that regulations and compliance requirements are increasingly holding CEOs, CIOs, CFOs, and other C-suite executives personally liable for data breaches and security failures.
He cited the example of a Finnish psychotherapy organization, Vastaamo, where the CEO received a suspended jail sentence for criminal negligence following a data breach. This case, along with the growing number of data breaches reported daily, underscores the potential for severe financial, reputational, and even criminal consequences for inadequate data protection.
Post-Quantum Cryptography: A Looming Challenge
A significant portion of the discussion focused on the emerging threat of quantum computing. Simon explained that many of the cryptographic technologies organizations rely on today (TLS, PKI, RSA) will become “completely useless” in a post-quantum world. This necessitates a proactive shift towards post-quantum cryptography (PQC) solutions. He noted that Certes Networks, ironically, already uses algorithms standardized by NIST as post-quantum solutions. He emphasized that this is a challenge companies need to start thinking about now.
Data Protection as a Solution, Not a Barrier:
Simon also referenced recent comments by a senior member of the UK’s Information Commissioner’s Office (ICO), who stated that the focus should be on protecting the data itself, rendering it useless in the event of a breach, rather than simply relying on perimeter security. By focusing on data-centric security, organizations can not only improve their overall posture but also reduce their risk, even becoming exempt from breach reporting.
Key Takeaways:
- Data Protection is a Business Risk: Cybersecurity and data protection are no longer solely IT concerns; they are critical business risks that demand attention from the C-suite.
- The Perimeter is Dead: Traditional perimeter-based security is insufficient in a world of cloud computing, SaaS applications, and distributed data.
- Data Sovereignty Matters: Organizations must know where their data is stored and processed, and comply with relevant data localization laws.
- Post-Quantum Cryptography is Essential: Businesses need to start planning for the transition to post-quantum cryptography to protect their data from future threats.
- Proactive Data Protection is Key: Focusing on protecting the data itself, rather than just the network perimeter, is crucial for mitigating risk and avoiding the consequences of a breach.
- Risk Culture: Data protection should be approached as a business issue, not just an IT problem.
The interview provided a clear and compelling call to action for organizations to re-evaluate their approach to data protection in light of the evolving threat landscape and the emerging post-quantum era. It emphasized that proactive, data-centric security is no longer optional – it’s essential for survival and success in today’s interconnected world.