Moving From Awareness To Action: The Board's Role In Organizational Resilience

This is not a technology risk. This is absolutely not a technology risk. The part that belongs to the board is the risk to operational resilience and the systemic risks and the risks to fiduciary duty. Welcome to Shielded, the last line of cyber defense by PQ Shield, the podcast where we are moving the conversation around post Quantum Cryptography from the why to the how. Hi, I'm Joe Lindson, your host and I'm here to guide you through the challenges, innovations and solutions that will help your organization stay secure in the quantum era. Let's future proof your defenses together. Welcome to Shielded. I'm your host Joe Linson and today we're joined by Luis Davy, president of LDIQ and a seasoned expert on quantum readiness, post quantum cryptography and AI governance. Luis works directly with board level executives to help them understand and act on emerging quantum risks while also identifying the opportunities quantum technologies can create. Luis is the author of Quantum How, a practical guide designed to help leaders move from awareness to action in preparing for the quantum era. Luis, welcome to Shielded. Thank you. Thank you, Johann. I'm really, I'm thrilled to be here. It's great to have you. Thank you. So Louise, to kick things off, I believe you started your career in nuclear physics, specifically working on ion trap research, which obviously also is one of the technologies used to develop quantum computers today. So I'm curious what drew you from that scientific background and scientific world into the more business oriented quantum field that you're active in today? Yeah, thanks Johanna. I love that question. And it's actually quite fun for me these days because as you mentioned, you know, I did start my career, at least my educational path in, in experimental nuclear physics and with the ion traps. And I'm just thrilled to be bookending my career, so to speak, as I go into this last chapter of IT again, you know, being able to reconnect back with the physics world. So I'm really happy about that. The 35 years in between are a bit of an aberration because I often describe myself as an accidental business person. I mean, there was nothing in the lead up to, you know, through my educational path or, you know, interests that would have taken me into business. But we were the early 90s when I did make the move. 92, 93. And to be quite frank, I was seduced by the money. I was called into the IT field because of the great potential that it had for me to, you know, to build some wealth and help my family. But really I still, because of the excitement and the challenge that it afforded me I was spending a lot of time in a basement laboratory under an auto route in Montreal. And here I was being able to get out and interact with people and fight the good fight every day through the business field. So that's what kept me. And given that you've been in the field for quite some time, you've seen a transition or two play out in the organizations that you've supported over time. Thinking back 30 years, there's this little thing called Internet that happened, certainly something that I'm sure you've had the pleasure of helping organizations transition to and then likely something about cloud migration maybe in your past as well. So comparing sort of those transitions to what we're tackling today, what would your take be on that? Scale wise and challenges wise. What's similar? What's different? Yeah. So really wave after wave, I was lucky to be there early on and participate in many of them, including the activation and deployment of the Internet. I also participated in some early EKI rollouts in the 90s and I mean even back then also like software wasn't available off the shelf. So I got to participate in solution architecture for ERPs. HRIs. Erm. I really got to learn and understand the business by building the applications that would support it and I think even more than that by understanding and studying the data that underlies it. And that and the series of waves that came after really allowed me to hone my ability to understand what makes a large organization work. I mean, you can't forget the fact that I am a physicist and I was kind of trapped inside this construct for 35 years and I spent a lot of time studying it to try and understand what would make a particular initiative fail or succeed. Right. What would drive an organization to make a change or not and you know, what would make them successful or fail. So I really have like a, a large body of knowledge around this. I'm. I'm secretly writing another book. It's called A Physicist Guide to Organizational Dynamics. That sounds like an interesting book for sure. So sort of building on that. I mean obviously as we discuss the M relation to quantum safe systems and post quantum cryptography in particular, a lot of the talks are around the technological challenges and the challenges that the keys are longer and the signatures are slower and whatnot. Obviously given your background and your expertise, you do look at the challenge as more of an organizational shift that needs to happen in more of an organizational systemic challenge. And as such you also pretty much address more board level, executive folks, C suite and above. So maybe you can explain why you think that is such an important angle to address this? Yeah, absolutely. Well, I started out by saying that it's not one challenge, right? Any large transformation is just that it's a transformation and it will go through many stages from inception to being able to build up awareness and get buy in and then build the machine and the motor that's going to drive it. And there's importance to each one of those phases. I think my principal argument is that we have gone through a series of phases already through the scientific question of quantum computers and then we had the mathematical problems of cryptography and then we went through the phase of standards. And all of this body of work stands behind us, including some pretty clear directives about where we need to go with it. I would say that today's problem is one of governance and transformation. Because we now have an understanding, or at least some people have an understanding of this problem. And these people tend to be, you know, the technical practitioners. And what we need to do is we need to carry this problem to the top of the organization. Because quite simply what got you here won't get you there. All of this great deep technical discussion and back and forth about keys and performance and complexity and so on, it's all very fun, but it's going to stop there. If we don't get the executive buy in, if we don't get the multimillion dollar budgets that are necessary to drive this and sustain it through the long term that is required to be successful. It's very interesting. So building on those phases that we've already went through, awareness certainly mentioned by you, how then do you successfully translate those technological risks into something that you know is more of a business risk? That is something that a board level person would understand and could take into account. As you said, as those budgets are being prepared and those programs multi year, typically 5 to 10 year programs get put together. Well, I think that we really have to change the conversation. We really have to stop talking about quantum and PQC the way that we are talking about it. You know, in terms of qubits, in terms of capacity, in terms of different algorithms and so on. Like no board wants to hear that. You walk into a boardroom and if you're talking technology, if you use a single, an acronym, you're going to lose them. So that's why I would say the discussion really needs to change from technological to business and 100% business. So what I explained to my audience is what is quantum computing and what is risks and you know, what are the imperatives for PQC migration. I have one slide on quantum computing and I explained to them in a very sort of like high level analogy what it is. And then after that it just motors a hundred percent in the language of business, which is what's at stake, what are the risks, what are the impacts, what's the cost of an action? And the other one that I bring in now is, you know, at what one point do we constitute this as a failure of fiduciary duty? Because I think that that's a really serious question that needs to be asked. And I know you've addressed it on the show here. I know you had Darren Bender on and he's really got great and strong discourse on this. Absolutely. And I think it's worthwhile to drill down a little bit on those points that you mentioned. Right. So what's at stake? Sort of looking at the business risk behind it, what's the cost? Like, how can you cost, how can you gauge the cost of inaction? Is there any sort of rough guidance idea that you can give on that point in particular? Yeah, sure. I like to say I'm a physicist, that means I can measure anything. And what's also a really important part of the discourse, you can't go into the board or, you know, expect to convince an executive suite with a narrative. You really have to go in, you have to be fact based, you have to have measures in terms of what is the scale of the risk. And you really have to be able to articulate that risk effectively. Right. This is not a technology risk. This is absolutely not a technology risk. The definition of a technology risk is extremely narrow. You know, it has to do with interoperability and obsolescence. And that part belongs as part of it, but that part doesn't belong to the board. That's not the part that belongs to the board. The part that belongs to the board is the risk to operational resilience and the systemic risks and the risks to fiduciary duty and the risks to regulations and non compliance with privacy laws and so on. Those are the risks that belong to the board and those are the ones that have to be carried forward. And then in terms of the cost. Well, really what you need to do is you need to just simply build out a dimension matrix. Right. What are the things that are important to this organization? Depending on its industry, the weights will be different, but essentially the same. You know, there's reputation, right? There's compliance, there's market positioning and there's stakeholder value and operational performance for Instance, and you can design measures around each one of those, and you can be really concrete about how ineffective protection against a quantum threat will affect those. Now, a lot of those sound like what we've been used to, gauging cybersecurity risk in general for decades. So it sounds like a lot of it is similar to gauging and understanding the quantum risk for my particular organization. Are there also any differences to it? Like, is there a big overlap, but then also a lot of fringe cases that are quite different? Sure, absolutely. And what you're talking about really is the risk management framework, which is pretty much consistent between one organization and the other. Where they differ between organizations will come in terms of the risk taxonomy, so how they frame each risk. It'll also differ between organizations in terms of their maturity and their ability to articulate a risk. You know, a risk is a concept that has a cause, that has an event, that has impact. And the quality of the framework that the organization uses to describe those is material because it's a measure of their maturity. So I see glaring differences. Well, actually, the differences have been growing, the discrepancies have been growing between how organizations currently identify and monitor their risks and the reality that we are living these incoherences have been growing for about 20 years now. If you think about the construct of corporate governance, this has not moved. Okay? This has not moved in 50 years. Right? The concept of the board, the board, the committees of the board and the officers and policies and compliance and so on, this has stayed steady. Meanwhile, the entire terrain beneath us has shifted, has gone from static to dynamic. The way that corporate governance was built and the way that really the risk models were built is based on a static operating model, based on the concept of physical assets and based on the idea of ownership that can be attributed to physical asset. And this has not been true for a long time. Okay? The basic idea of data ownership, this just makes no sense whatsoever. And constantly trying to make the new paradigm fit the old structure is causing it to break. So actually, very specifically, to get back to your question, like, how is this different? So there's a couple of differences. The first one that's really noticeable is the timing offset. So typical risk management practices are based on the assumption that risk is present, and the impact of that risk couldn't be incurred in a very near timeframe to the action, which is not the case for the quantum risk, where we know there's a big discrepancy between, you know, harvest now, decrypt later, or trust now. So there's that timing offset. No other risk really has that. And there's a big problem with that because people who are responsible for the risk today might not be in the organization when the risk actually manifests itself. And there's nothing to motivate those individuals to turn their attention to fixing this today because it's not built into their compensation package and it's not built into their dashboard. So that's the first one. Ownership also is, goes out the window. Ownership is tied to assets and processes. And we're talking here about the underlying infrastructure of digital trust. You have to ask the question who owns that owns our capability to interface with the digital world? And so that's another breakage. That's the challenge that it is so fundamental. That's what you're alluding to here. Yeah, and there's ways around that, which I'll share with you in a minute, but it also breaks remediation because this is not a single vulnerability. It's not a single action of a single actor. This is the entire infrastructure is at cause. So those are like the three kind of big ones. On top of that, the risk is to resilience. The risk is systemic. Right. Again, that's different from individual cyber type incidents that may come in and paralyze the organization temporarily or whatnot. I think the real kicker here though, which not everybody fully comprehends, is the idea that quantum, it's, it's not a new attack vector. Quantum is not a single vulnerability. Quantum will come and it will invalidate the digital trust assumptions. This concept that I can identify people, this concept that I can detect intrusion, this concept that I can respond to individual incidents. Right. This all gets invalidated if your cryptographic infrastructure is invalidated. Basically just opened the doors to the organization and the strongest cyber team in the world can't defend that. So you can see I think about this a lot. So I see we have the three main ones, the timing offset, the ownership paradox, the remediation challenge, and then of course what you just said. Right. It's the fundamental digital trust that is eroded or is at risk of being eroded with that Q day happening. As much as I dislike the term, but that's basically what we're talking about here. And then I mean you've talked about governance earlier and how this challenge is as much or even more a governance issue as it is a technical one. I'm curious, do you have a recent example of organizations that you work with? And obviously you won't name any names, but where governance or the lack of it became either the bottleneck or enabled the secure transformation within their systems. Yeah, sure. I do have a recent example. Working with a large organization on a major transformation on the scale of $500 million. And this transformation was undertaken in an organization that had never done this before, which is often the case, right. It's kind of rare that you undertake that scale of a transformation. And the board had not been prepared, the board had not been educated, the board had not been enabled. The board didn't know what questions to ask management. And management as much as they wanted and tried, had no idea how to talk to the board. Like what type of decisions were meant to go to the board, even to understand the own governance framework. And this isn't a mature organization, right. So if you take that to a less mature or smaller organization, it only gets worse. And so, you know, the natural things that start to happen, happen is the transformation starts to fail, is deadlines get missed, budgets get overrun and nobody knows who to trust anymore. Right. In terms of where am I going to get the answers that I need? Everybody's just uncomfortable. So that's the case where I'll help the board, where I'll go in and I'll explain to the board. No, this is your accountability, right? And this very specifically what you are accountable for. And these are the questions that you need to be asking. And this is how you need to challenge the information that you're getting back. And the idea is by educating the board and getting the board to ask the right questions, this is not to annoy management like far from it. This is to help train management to be able to provide the information that's necessary for the board. And that information is not trivial. If they are able to provide that information, it's a demonstration that they know what they're doing. It's a demonstration that they understand where they're going, what they're doing. They're making the right measurements, they're making the right interpretations and so on. So increasing board maturity and increasing board engagement is really the number one way to accelerate a transformation and to improve its credibility and its rigor and its direction and trust. Now oftentimes it's been mentioned that this transformation programs are a cross functional exercise. So how important is it then in sort of this top down aspect that boards understand which function in the organization is responsible for which part of the transformation and how to sort of bridge those almost different languages and different challenges within the organization by orchestrating that. So the number one mistake, and I'll say this is probably like 70% of why transformations fail is this perception is that it owns the transformation. It is one who is accountable for making this happen. And I think that's the number one thing that I do when I work with boards is I say I set that straight. You know, it is an enabler, it is executing the business owned strategy. It has very little decision making power. It really has small constraints to work with. And really, you know, a transformation needs to be business enabled. And it's the same thing for the PQC transition. This needs to be business driven. It can be the vehicle who can operate this in the background, but it should not be making the decisions, it should not be setting the priorities, it should not be going to get the budget for this. Right. It should be in execution mode and it should become excellent at executing. It should largely be protected from all of the political brouhaha and all of the long slog of defending the program and getting it done. This really should be business driven. Like business needs to understand that the viability of their organization is at stakeholders. This is not optional. Migration to PQC is not optional. This is an imperative. And we're in a condition where the time required to mitigate the risk is less than the time until that risk becomes very material. So if it doesn't own it, who does? Yeah, well, it's business owned. So what you need to do is whenever you have something that is transversal like this is, is it has to ultimately be committee led. So you need to put in place some ownership at the top. Using the term in French all the time, which is a committee director, which is like, I don't know what you call that in English, director, committee, or something that needs to be presided by an individual. Okay? So that individual from the business that presides over that committee, that person is accountable, right? Is accountable for operating that committee. And then all of the people who sit around that committee, then you can start picking apart the various levels of accountability and decision making rights based on the different roles that you have. And then it reports to that committee. So it brings information, brings facts and helps formulate the decisions. But ultimately that committee needs to make the decisions. And ultimately the people around that committee and the person who's leading that committee needs to be accountable. And I would say there's probably very few people in the organizations today that can actually do that. That's part of the problem that we have, right? Cause this whole notion of digital trust, this is an entirely new discourse. It's entirely, entirely new concept. It is so great, so wide so vast, so deep that there's probably very few people who can do it. That's why I would think, and this is the job that I do, and you know, pardon the perception of self promotion, but these people really need to be counseled. It's highly unlikely that they will be effectively counseled from within their organization unless they have people who have been thinking about this problem for a long time. Well, and you've implicitly touched on the question that I was going to ask anyways. And that is the question about talent. Right. I mean, do we even have these type of people that are capable and skilled and trained enough to wear that hat within an organization? And that picture might likely look very different depending on are you looking at a large financial, global financial institution versus a mid sized, know, credit union or something like that? So certainly to know and understand that a lot of this information is out there and there are people like you in this environment that can help with that. And I believe the book that we mentioned in the beginning, Quantum How, I believe that is available as a download on your website. So whoever wants to start reading up on it, I think is probably a good starting point. Absolutely. And your point is? Right, there's actually very few people who can effectively do this. That's where what we really need to do is we need to build an educational construct like an educational machine. And my intention is not to lead a single large scale PQC migration. My intention is to educate as many boards and executive teams as I possibly can and to equip them with the, the tools and the information that they need to get started. Right. And then people like me again can be available to come in and help them and participate in key touch points and things like that. I think that's the way we're going to do it because we need to scale incredibly fast to be effective at this. And I think one of the terms that comes to mind that is also being used a lot in industry gatherings is the term of collaboration. And I think one recent event that we were both at, you were moderating one of the panels and I was in the audience with the PQC Palooza during RSA conference, where a lot of those conversations, to me the collaboration effort was really the key point of most of those conversations. I'm curious to hear your feedback on what you've heard, the conversations that you've had in the room, and what maybe new insights you gathered and new topics that you picked up on in those conversations. Yeah, sure. And maybe just to start on the idea of the collaboration, I'm seeing extreme collaboration. I am seeing collaboration on a scale I have never seen before. And you know, we're probably following some of the same people on LinkedIn, people who are genuine experts in this area, who are coming out with thought leadership, with frameworks, with books. And this is all being published, much like my own book, which is published to the public and available free of charge. And all of this is being published to just to create that body of knowledge and to make sure that collectively we all get off on the right step. So that's really the first part about the collaboration. And I love it and I enjoy it. I describe myself as a consummate collaborator and I feel really, really at home in this environment in terms of the organizations. Because as you're right, I animated a panel and it was the client panel. So what it was was it was a selection of clients who are in the financial sector and they represented different banks, from small, medium to large sized banks. And these. So let's, let's put this into context. This is the financial sector and we know or we think that the financial sector is leading this initiative should be the furthest along, which is the case to some extent. And the people that were up on stage are among the leading firms who are doing this. So here we were really best in class. So I heard some hopeful things. So I don't remember, but I started the panel with rank yourself on 1 to 5. Between being embarrassed about where you are today to feeling like you have the whole organization supporting you and this is a strategic priority. And I mean nicely and happily, each one of them answered between a four and a five. So that was really good. At the same time. Yeah, it was very encouraging. This is the best of the best. At the same time. None of them are where they want to be. None of them are as far along as they want to be. Right. Most of them are still in the discovery phase and they're just hitting the wall of the complexity of inventorying and trying to make sense of it and negotiate with third parties. I mean, you heard there was a real Akita car, like a real kind of an emotional kind of a call to the audience where all the vendors were sitting was like, please help us out. So even the best are struggling. Well, and I think, if I remember correctly speaking to you, is that part of the motivation for you to put together the book was your own frustration in trying to gather that information some year and a half ago in preparing an event. And it was just hard to find relevant information to really Start talking about the migration in a way that you're talking about it in a less technical, technologically driven way. Yeah, you're right. And the other thing I want to frame is I'm not painted pqc. It was really never my intention to go into the quantum field and, you know, participate in this transformation purely from a PQC perspective. I do really have my eyes open and I'm very much engaged. And also, you know, much of the benefits that can come from quantum computing. However, my own profession forces me to, to spend most of my time in the pqc because this is where the urgency is, right? This is where we absolutely need mobilization. And then when I talk to the board, I think that's also an important differentiator. When I talk to the boards, I don't just go in and talk about the flames of hell. I also talk about really, you know, all of the beautiful things and the scientific discovery and this is going to bring us and you know, all of the advantages and the differentiators that quantum can bring to their industry. And I think also. I'll just finish on that. I think the other thing is the risks aren't only cryptographic, right. Like through quantum enabled capabilities, there are major risks to different business assumptions. You know, you take for instance, like the insurance industry and there's a huge asymmetry, right. So the first movers in there are going to gain so much advantage in terms of their ability to do pricing and risk models and so on, and they'll lock down all of the quantum available capacity and expertise for them. They'll shut out their competitors, but it also changes all of their assumptions and calculations on their policies to date. Because the quantum risk, the cryptographic risk will come in and change asset value and liabilities and hopefully not, but potentially even accidents can happen and so on. So I like to paint the entire picture, but then, yes, I do zoom in on pqc. Yeah, I think it's a good point that you frame there as a first mover advantage. If you take on the challenge of either using quantum technology per se or being the first to provide something that is quantum safe, this can really give you that advantage in both cases and protect your business going forward. Now, talking about urgency, if there was one thing that you would say, this is the most urgent action for any board member that is listening today, what is the one thing that they should be doing today to get started on that journey, taking that first step? Yeah, well, it is what I am seeing some boards do. Okay already. So I'm really pleased with that. You know, I published my book in December and I'm really pleased to say that by the end of January, I had already lined up with three organizations where the boards read this. They realized something and they wanted to do something about it. So that is absolutely the first move, which is to secure expert advisory. Okay? Secure expert advisory. Train your board and your senior executive teams so that everybody has the same portrait of what this is and what it means. So I would say that that's really the first step. And then immediately after that, I would say a very quick and high level risk and opportunity assessment for Quantum. And this again is going to be quantified and measurable in terms of benefits and risks and costs that would be associated with it. So then your starting point, if you improve your starting point in that way, you will already be so much more directionally correct than any other organization that is just kind of trying to figure this out on your own. Where this thing could stumble for weeks, for months were bad attempts to engage the board. You know, quarter after quarter fail. So I think I would say that single most important thing to do. And I will add to that really, after again, 35 years trapped inside the complex corporate machine, I can tell you one thing. Nothing moves an organization faster than an engaged and inquiring board. Like, everybody's accountable to the board, the CEO, everybody's accountable to the board. And when a board asks for something, this gets recorded, right? Everything gets into the minutes. This is a legal process. And I've seen just droplets of questions that come down from the board. And I've seen entire organizations shift like, this is our highest priority. Let's go, let's get this done. So the board needs to understand the incredible power and authority that it has and to be trained to use it effectively. And in this case, this is a crying case where the board needs to know what's up. Fantastic. I mean, all of those are very actionable advice. So appreciate you sharing that today. Louise, any final thoughts? Anything that we haven't spoken about that you would definitely make sure that our listeners hear? I do. I have. And this is maybe something that's. It's hard for me to say and I think it's probably going to be hard for maybe some of your listeners to hear. And I want to bring it back to the adage that what got you here won't get you there. And I think this is a problem that I am seeing in organizations. The organizations where I'm engaging directly with the board, things are flying. The organizations where I'm engaging at the CISO level, the CIO level. I mean, they're fighting me. I'm fighting. You know, there's this sense that they kind of want to hold on to the baby, that they've been working so hard and they have, and they've been doing great work and they've been fighting the good fight. But there's this lack of recognition, recognition that a transition has to take place. And this now has to go to the board. This is a board owned risk, resilience, systematic risk with no easily identifiable owner. This sits with the board and the longer you hang onto it, you're doing a disservice to your organization to yourselves. And to some extent, it is to some extent fiduciary failure if this does not get brought to the board board in the right way soon. Fantastic. Well, thanks for raising that clear call to action here. Appreciate you taking the time. Louise, thanks so much for your expertise and sharing it with our listeners. Much appreciated. And to our listeners, as always, thanks for dialing in. Don't forget to like, share and subscribe so you won't miss a future episode. In the meantime, stay safe, stay vigilant, and stay shielded. Thanks. The quantum era is already here. With the right tools, the right knowledge and the right mindset, together we can face it head on. To find out more about PQ Shield and how our cutting edge solutions can help you secure your data against the Quantum threat, visit pqshield.com make sure to search for shielded the last line of cyber defense in Apple podcasts, Spotify or anywhere else you get your podcasts. Don't forget to click click subscribe so you never miss an episode. On behalf of the team here at PQ Shield, thanks for listening.