January 16, 2024 By Jai Arun 3 min read

Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.

A future cryptographically relevant quantum computer may be able to break public-key algorithms such as Rivest-Shamir-Adleman (RSA), Elliptic Curve Diffie-Hellman (ECDH) and the Elliptic Curve Digital Signature Algorithm (ECDSA), leaving sensitive information vulnerable to attacks. Even today, data not protected with quantum-safe cryptography is at risk of being stolen and stored until it can be decrypted. These are commonly called “harvest now, decrypt later” attacks.

Standards bodies worldwide have begun guiding the transition to quantum-safe cryptography — encryption algorithms based on math problems considered difficult for even a mature quantum computer to solve. In 2022, after a six-year-long submission and review process, the National Institute of Standards and Technology (NIST) selected four quantum-resistant algorithms for standardization, three of which were contributed by IBM researchers and partners. Recent guidance from NIST, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) recommends that organizations create a quantum-readiness roadmap for transitioning to these standards, which NIST expects to publish in 2024.

While every organization, guided by its CISO, should create its own quantum-readiness roadmap, three steps are critical for every organization to undertake to become quantum-safe:

  1. Discover your cryptography
  2. Observe your cryptography
  3. Transform your cryptography.
Watch video 3 Steps to Become Quantum Safe with Crypto-agility

1. Discover your cryptography

The first step in the journey toward quantum-safe security is to gain a deep understanding of the vulnerabilities within the existing cryptographic infrastructure.

Discovery activities should identify at-risk cryptography and determine where the dependencies exist, translating these findings into robust cryptographic inventories. For example, IBM Quantum Safe Explorer scans source code to identify and inventory cryptography usage, formatting this information as a Cryptography Bill of Materials (CBOM) that can be shared with the software supply chain.

Cryptographic discovery should extend beyond applications to include network protocols, systems and assets, especially those that create and validate digital signatures. For third-party products, CISOs should work with their technology procurement specialists to gather information about embedded cryptography from vendors. After a thorough discovery process, CISOs might be surprised to learn how wide their quantum risk exposure is, given broad dependencies on public-key cryptography embedded within applications, networks and systems.

2. Observe your cryptography

Once security leaders have discovered the weaknesses in their cryptographic infrastructure, the next step is to observe the potential impact and identify the necessary steps to mitigate these risks.

With a dynamic perspective of their enterprise-wide cryptographic usage, CISOs can begin the work of cybersecurity risk assessments. This step involves working with cybersecurity and privacy managers to prioritize sensitive and critical data sets most at risk from “harvest now, decrypt later” attacks and with the highest business value and impact. To translate these insights into a quantum-safe strategy, security leaders should evaluate the business relevance in relation to the complexity of mitigation for specific assets so that they can plan their quantum-safe transition in a way that optimizes performance, compatibility and ease of integration.

3. Transform your cryptography

The final step in the journey to quantum-safe security is the transformation of cryptographic infrastructure to incorporate quantum-resistant cryptography.

Before deploying quantum-safe solutions to their stack, security leaders should equip their teams with the tools and education to test the new cryptographic protocols and evaluate the potential impact on systems and performance. Quantum-safe solutions that can be updated without having to overhaul their cybersecurity infrastructure will help CISOs establish crypto-agility and ensure they can proactively and seamlessly address potential quantum vulnerabilities. Security leaders should engage vendors to determine their timeline for migrating to quantum-safe cryptography for processes, services and systems secured with quantum-vulnerable cryptography embedded in third-party products.

By following the three steps of discover, observe and transform, CISOs can assess the vulnerabilities in their cybersecurity landscape and begin implementing quantum-resistant cryptography to safeguard their organization’s data for the coming quantum computing era. The time to embark on the journey to quantum-safe security is now.

More from Risk Management

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Roundup: The top ransomware stories of 2024

2 min read - The year 2024 saw a marked increase in the competence, aggression and unpredictability of ransomware attackers. Nearly all the key numbers are up — more ransomware gangs, bigger targets and higher payouts. Malicious ransomware groups also focus on critical infrastructure and supply chains, raising the stakes for victims and increasing the motivation to cooperate.Here are the biggest ransomware stories of 2024.Ransomware payments reach record highRansomware payments surged to record highs in 2024. In the first half of the year, victims…

83% of organizations reported insider attacks in 2024

4 min read - According to Cybersecurity Insiders' recent 2024 Insider Threat Report, 83% of organizations reported at least one insider attack in the last year. Even more surprising than this statistic is that organizations that experienced 11-20 insider attacks saw an increase of five times the amount of attacks they did in 2023 — moving from just 4% to 21% in the last 12 months.With insider threats on the rise, it’s critical for businesses to recognize the real dangers that originate from inside…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today