Is Cryptography the Ohm’s Law of Cyber Security?

For some reason, cryptography seems to be the weakest area of understanding in the Cyber Security profession. I’ve lost count of the number of times I’ve debated with a cyber security professional that public key encryption is not actually used to encrypt things, and it’s only used to sign for identity and in key exchange. No-one actually needs to know a great deal about the actual mechanics of cryptography, but everyone in the industry should know how it all fits together, and where the weaknesses are.

Few people, though, could actually tell you how RSA or Elliptic Curve actually work, but they are now fundamental parts of the security of most organisations. It is like a car mechanic knowing an engine from its specification, but not actually knowing how each of the component parts work. When it breaks, the knowledge of its specification is not going to help that much. Unfortunately, too, the professional certification in the area — including the premium CISSP — hardly scratches the surface, and many of those that study it, do not get past the basics.

From a business point-of-view, business leaders also seem to have a poor grasp of its importance within an organisation. Today, we see company after company announce that they did not encrypt sensitive data on data breaches, and where CEOs tell the world that they had no idea if data had…