January 16, 2024 By Jai Arun 3 min read

Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.

A future cryptographically relevant quantum computer may be able to break public-key algorithms such as Rivest-Shamir-Adleman (RSA), Elliptic Curve Diffie-Hellman (ECDH) and the Elliptic Curve Digital Signature Algorithm (ECDSA), leaving sensitive information vulnerable to attacks. Even today, data not protected with quantum-safe cryptography is at risk of being stolen and stored until it can be decrypted. These are commonly called “harvest now, decrypt later” attacks.

Standards bodies worldwide have begun guiding the transition to quantum-safe cryptography — encryption algorithms based on math problems considered difficult for even a mature quantum computer to solve. In 2022, after a six-year-long submission and review process, the National Institute of Standards and Technology (NIST) selected four quantum-resistant algorithms for standardization, three of which were contributed by IBM researchers and partners. Recent guidance from NIST, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) recommends that organizations create a quantum-readiness roadmap for transitioning to these standards, which NIST expects to publish in 2024.

While every organization, guided by its CISO, should create its own quantum-readiness roadmap, three steps are critical for every organization to undertake to become quantum-safe:

  1. Discover your cryptography
  2. Observe your cryptography
  3. Transform your cryptography.
Watch video 3 Steps to Become Quantum Safe with Crypto-agility

1. Discover your cryptography

The first step in the journey toward quantum-safe security is to gain a deep understanding of the vulnerabilities within the existing cryptographic infrastructure.

Discovery activities should identify at-risk cryptography and determine where the dependencies exist, translating these findings into robust cryptographic inventories. For example, IBM Quantum Safe Explorer scans source code to identify and inventory cryptography usage, formatting this information as a Cryptography Bill of Materials (CBOM) that can be shared with the software supply chain.

Cryptographic discovery should extend beyond applications to include network protocols, systems and assets, especially those that create and validate digital signatures. For third-party products, CISOs should work with their technology procurement specialists to gather information about embedded cryptography from vendors. After a thorough discovery process, CISOs might be surprised to learn how wide their quantum risk exposure is, given broad dependencies on public-key cryptography embedded within applications, networks and systems.

2. Observe your cryptography

Once security leaders have discovered the weaknesses in their cryptographic infrastructure, the next step is to observe the potential impact and identify the necessary steps to mitigate these risks.

With a dynamic perspective of their enterprise-wide cryptographic usage, CISOs can begin the work of cybersecurity risk assessments. This step involves working with cybersecurity and privacy managers to prioritize sensitive and critical data sets most at risk from “harvest now, decrypt later” attacks and with the highest business value and impact. To translate these insights into a quantum-safe strategy, security leaders should evaluate the business relevance in relation to the complexity of mitigation for specific assets so that they can plan their quantum-safe transition in a way that optimizes performance, compatibility and ease of integration.

3. Transform your cryptography

The final step in the journey to quantum-safe security is the transformation of cryptographic infrastructure to incorporate quantum-resistant cryptography.

Before deploying quantum-safe solutions to their stack, security leaders should equip their teams with the tools and education to test the new cryptographic protocols and evaluate the potential impact on systems and performance. Quantum-safe solutions that can be updated without having to overhaul their cybersecurity infrastructure will help CISOs establish crypto-agility and ensure they can proactively and seamlessly address potential quantum vulnerabilities. Security leaders should engage vendors to determine their timeline for migrating to quantum-safe cryptography for processes, services and systems secured with quantum-vulnerable cryptography embedded in third-party products.

By following the three steps of discover, observe and transform, CISOs can assess the vulnerabilities in their cybersecurity landscape and begin implementing quantum-resistant cryptography to safeguard their organization’s data for the coming quantum computing era. The time to embark on the journey to quantum-safe security is now.

More from Risk Management

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today