Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.
A future cryptographically relevant quantum computer may be able to break public-key algorithms such as Rivest-Shamir-Adleman (RSA), Elliptic Curve Diffie-Hellman (ECDH) and the Elliptic Curve Digital Signature Algorithm (ECDSA), leaving sensitive information vulnerable to attacks. Even today, data not protected with quantum-safe cryptography is at risk of being stolen and stored until it can be decrypted. These are commonly called “harvest now, decrypt later” attacks.
Standards bodies worldwide have begun guiding the transition to quantum-safe cryptography — encryption algorithms based on math problems considered difficult for even a mature quantum computer to solve. In 2022, after a six-year-long submission and review process, the National Institute of Standards and Technology (NIST) selected four quantum-resistant algorithms for standardization, three of which were contributed by IBM researchers and partners. Recent guidance from NIST, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) recommends that organizations create a quantum-readiness roadmap for transitioning to these standards, which NIST expects to publish in 2024.
Every organization, guided by its CISO, should create its own quantum-readiness roadmap, but three steps are critical for any organization that wants to become quantum-safe:
- Discover your cryptography
- Observe your cryptography
- Transform your cryptography
1. Discover your cryptography
The first step in the journey toward quantum-safe security is to gain a deep understanding of the vulnerabilities within the existing cryptographic infrastructure.
Discovery activities should identify at-risk cryptography and determine where the dependencies exist, translating these findings into robust cryptographic inventories. For example, IBM Quantum Safe Explorer scans source code to identify and inventory cryptography usage, formatting this information as a Cryptography Bill of Materials (CBOM) that can be shared with the software supply chain.
Cryptographic discovery should extend beyond applications to include network protocols, systems and assets, especially those that create and validate digital signatures. For third-party products, CISOs should work with their technology procurement specialists to gather information about embedded cryptography from vendors. After a thorough discovery process, CISOs might be surprised to learn how wide their quantum risk exposure is, given broad dependencies on public-key cryptography embedded within applications, networks and systems.
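As a minimal sketch of the source-code discovery described above (an added example, not IBM Quantum Safe Explorer and not its CBOM format), the following Python scans source text for calls to the public-key algorithms named earlier, RSA, ECDH and ECDSA, and groups them into a simple inventory. The call-name mapping (taken from the Python `cryptography` package), the sample file paths and the inventory layout are assumptions made for illustration.

```python
import ast

# Assumed mapping for this example: call names from the Python "cryptography"
# package -> the quantum-vulnerable public-key algorithm named in the article.
VULNERABLE_CALLS = {"rsa.generate_private_key": "RSA",
                    "ec.ECDH": "ECDH", "ec.ECDSA": "ECDSA"}

def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    return ".".join(reversed(parts + [node.id]))

def scan_source(path, source):
    """Return one finding per call to a quantum-vulnerable primitive."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=path)):
        name = dotted_name(node.func) if isinstance(node, ast.Call) else ""
        for suffix, algorithm in VULNERABLE_CALLS.items():
            if name == suffix or name.endswith("." + suffix):
                findings.append({"algorithm": algorithm, "file": path,
                                 "line": node.lineno, "call": name})
    return findings

def build_inventory(files):
    """Group findings from many files into {algorithm: [locations]}."""
    inventory = {}
    for path, source in sorted(files.items()):
        for f in sorted(scan_source(path, source), key=lambda f: f["line"]):
            inventory.setdefault(f["algorithm"], []).append((path, f["line"]))
    return inventory

# Constructed sample sources (hypothetical paths, not a real code base).
SAMPLE_FILES = {
    "billing/keys.py": "from cryptography.hazmat.primitives.asymmetric import rsa\n"
                       "key = rsa.generate_private_key(65537, 2048)\n",
    "api/session.py": "from cryptography.hazmat.primitives.asymmetric import ec\n"
                      "shared = priv.exchange(ec.ECDH(), peer_pub)\n"
                      "sig = priv.sign(msg, ec.ECDSA(hashes.SHA256()))\n",
}

if __name__ == "__main__":
    for algorithm, locations in build_inventory(SAMPLE_FILES).items():
        print(algorithm, locations)
```

This sketch matches calls by dotted name only, so functions imported directly or under an alias are missed, and it covers application source alone, not the network protocols, systems and third-party products that discovery also has to reach.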
2. Observe your cryptography
Once security leaders have discovered the weaknesses in their cryptographic infrastructure, the next step is to observe the potential impact and identify the necessary steps to mitigate these risks.
With a dynamic perspective of their enterprise-wide cryptographic usage, CISOs can begin the work of cybersecurity risk assessments. This step involves working with cybersecurity and privacy managers to prioritize the sensitive and critical data sets that are most at risk from “harvest now, decrypt later” attacks and that carry the highest business value and impact. To translate these insights into a quantum-safe strategy, security leaders should weigh the business relevance of specific assets against the complexity of mitigating them, so that they can plan their quantum-safe transition in a way that optimizes performance, compatibility and ease of integration.
3. Transform your cryptography
The final step in the journey to quantum-safe security is the transformation of cryptographic infrastructure to incorporate quantum-resistant cryptography.
Before deploying quantum-safe solutions to their stack, security leaders should equip their teams with the tools and education to test the new cryptographic protocols and evaluate the potential impact on systems and performance. Quantum-safe solutions that can be updated without an overhaul of the organization's cybersecurity infrastructure will help CISOs establish crypto-agility and ensure they can proactively and seamlessly address potential quantum vulnerabilities. Where processes, services and systems are secured with quantum-vulnerable cryptography embedded in third-party products, security leaders should engage the vendors to determine their timelines for migrating to quantum-safe cryptography.
By following the three steps of discover, observe and transform, CISOs can assess the vulnerabilities in their cybersecurity landscape and begin implementing quantum-resistant cryptography to safeguard their organization’s data for the coming quantum computing era. The time to embark on the journey to quantum-safe security is now.
Head of IBM Quantum Safe Product Management & Strategy, IBM