By Elizabeth Green
4 minute read

The world’s data is facing a mounting security risk. The White House has predicted that the government will need to budget more than $7 billion to remediate encryption standards over 10 years in preparation for the security risks posed by quantum computers. NIST has just released an initial set of new encryption standards, and both government and commercial organizations are sounding the alarm: start the upgrade process now.

As a board member entrusted with the stewardship of your organization, ensuring robust data security is paramount. The advent of quantum computing poses a significant threat to current encryption methods, making it essential to address these risks proactively. The potential for quantum computers to break widely used cryptographic algorithms, and the time it will take to remediate the entire world’s encryption, demand urgent attention and action. Here are three crucial questions board members should be asking to safeguard their organizations in a post-quantum world:

1. ARE YOUR SENIOR LEADERS AWARE OF THE QUANTUM THREAT?


Awareness at the senior leadership level is the first step toward effectively mitigating the risks associated with quantum computing. Quantum computers, unlike classical computers, leverage the principles of quantum mechanics to perform certain calculations far faster than classical machines can. This capability threatens to render traditional encryption methods, such as RSA, obsolete, potentially exposing sensitive data to decryption by malicious actors. Senior leaders, including the CEO, CFO, CIO, and CISO, need to understand the quantum threat to make informed decisions about investments in cybersecurity. Awareness translates into prioritization, ensuring that quantum threats are not overlooked amid other pressing business concerns. Surprisingly, in my experience, very few CISOs are focused on, or even aware of, this issue, despite warnings from the U.S. government, major consultancies like Gartner and Accenture, and industry organizations like FS-ISAC to act now.

WHAT TO LOOK FOR

Educational Initiatives: Make ongoing efforts to educate senior leaders about quantum computing and its implications for data security. This could include workshops, seminars, and/or briefings by post-quantum cryptography (PQC) cybersecurity experts.

Regular Updates: Verify that quantum threats are a regular topic in cybersecurity updates and risk assessments presented to senior leaders. Consider incorporating them into existing cybersecurity projects such as Zero Trust and PKI.

Engagement In Industry Forums: Encourage participation in industry forums and collaborations focused on quantum computing and cybersecurity, so leadership stays abreast of the latest developments and best practices.

2. HAS YOUR ORGANIZATION APPOINTED A RISK ASSESSMENT TEAM?

Having a dedicated team to assess and address the risks posed by quantum computing is essential for a proactive cybersecurity strategy. This team should be responsible for evaluating the potential impact of quantum computing on the organization’s data security, identifying vulnerabilities, and developing mitigation strategies. Quantum risk assessment requires specialized knowledge and a focused approach. Without a dedicated team, your organization may lack the depth of understanding and coordinated effort needed to effectively manage these risks. You may also be missing out on ways to proactively address current encryption management like Crypto Agility, which uses the advent of quantum computing as a catalyst to fix the foundation of data security infrastructure. Crypto Agility can help solve for future quantum security concerns as well as allow for better cryptography management now, addressing threats like Steal Now Decrypt Later (SNDL) attacks and regulations like DORA in the EU.

WHAT TO LOOK FOR

Task Force: Establish a task force or working group comprising members from IT, cybersecurity, risk management, and relevant business units.

Clear Mandate: This team should have a clear mandate to assess quantum risks, prioritize actions, and report findings to the board regularly. Prioritize mitigating the highest risks first, such as those that are subject to regulatory concerns, data and applications under development that will still be valuable five years from now, and data that is a competitive advantage for your organization.


Expertise And Resources: Make sure the team has access to the expertise and resources needed to conduct thorough risk assessments, including country-specific regulations, external consultants, and cutting-edge research from government and industry organizations.

3. HAS YOUR ORGANIZATION DEFINED A POST-QUANTUM STRATEGY?

To navigate the transition to quantum-resistant encryption methods, you need a well-defined strategy that outlines the steps your organization will take to protect its data and maintain secure operations in a quantum-enabled future.

The transition to quantum-resistant encryption will not be simple or quick, but there are ways to make adoption easier. A clear strategy ensures that your organization is prepared to act swiftly and effectively in the near term while remaining well prepared as quantum computing capabilities evolve.

WHAT TO LOOK FOR

Strategic Roadmap: Develop a strategic roadmap detailing the transition to quantum-resistant encryption for your organization. This roadmap should include timelines, milestones, and key actions.

Vendor And Technology Assessment: Ensure that the strategy includes an assessment of current vendors and technologies to determine their readiness for quantum-resistant solutions. Collaborate with vendors who are leading the charge in developing quantum-safe technologies. Learn how emerging security technologies like Crypto-Agility, Continuous Cryptographic Inventory (CCI), and Cryptographic Orchestration (CO) can help.

Resource Allocation: Confirm that sufficient resources—financial, technological, and human—are allocated to implement a post-quantum strategy. This includes investments in new technologies, training for IT and cybersecurity staff, and potential partnerships with quantum technology providers. (Full disclosure: My company is one such provider, but you have many options in this space.)

Regulatory And Compliance Considerations: Your organization’s strategy should address regulatory requirements and compliance standards related to quantum-resistant encryption. Engage with regulators and industry bodies to stay informed about emerging guidelines and best practices.
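The article names a cryptographic inventory (CCI) and the prioritization rule in question 2 (regulated data first, then long-lived and competitively valuable data) without showing what the risk assessment team actually produces. The following Python script is an added example, not code from the article or from the author's company: it triages a constructed inventory of cryptographic assets, tags each algorithm as quantum-vulnerable, weakened, or quantum-safe, and applies a Mosca-style "store now, decrypt later" test (data shelf life plus migration time exceeding the assumed arrival of a cryptographically relevant quantum computer). The inventory records, the `migration_years` and `horizon_years` planning parameters, and the scoring weights are all assumptions chosen for illustration; the algorithm families and the NIST FIPS 203/204/205 names are real.

```python
"""Triage a cryptographic inventory for post-quantum risk (added example).

All Asset records below are constructed sample data. The planning horizons
and score weights are assumed parameters a risk team would set itself.
"""
from dataclasses import dataclass
import re

# Public-key families that Shor's algorithm breaks outright.
QUANTUM_VULNERABLE = ("RSA", "ECDSA", "ECDHE", "ECDH", "DH", "DSA", "ED25519")
# NIST post-quantum standards (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA).
QUANTUM_SAFE = ("ML-KEM", "ML-DSA", "SLH-DSA")


@dataclass
class Asset:
    name: str
    algorithm: str               # label as recorded in the inventory, e.g. "RSA-2048"
    shelf_life_years: int        # how long the protected data must stay confidential
    regulated: bool = False      # subject to regulatory concern (DORA, etc.)
    competitive_advantage: bool = False


def classify(algorithm: str) -> str:
    """Return 'vulnerable', 'weakened', 'safe' or 'unknown' for an algorithm label."""
    family = algorithm.upper()
    if family.startswith(QUANTUM_SAFE):
        return "safe"
    if family.startswith(QUANTUM_VULNERABLE):
        return "vulnerable"
    m = re.match(r"AES-(\d+)", family)
    if m:
        # Grover's algorithm roughly halves the effective key length, so
        # AES-128 is treated as weakened and AES-256 as still adequate.
        return "weakened" if int(m.group(1)) < 256 else "safe"
    if family.startswith(("SHA-2", "SHA-3")):
        return "safe"
    return "unknown"


def sndl_exposed(asset: Asset, migration_years: int, horizon_years: int) -> bool:
    """Mosca-style test: ciphertext captured today is at risk if the data must stay
    secret (shelf life) plus the time needed to migrate exceeds the assumed number
    of years until a cryptographically relevant quantum computer exists."""
    if classify(asset.algorithm) != "vulnerable":
        return False
    return asset.shelf_life_years + migration_years > horizon_years


def risk_score(asset: Asset, migration_years: int, horizon_years: int) -> int:
    """Assumed weighting: algorithm exposure first, then the article's priorities
    (regulated data, long-lived data, competitive advantage)."""
    level = classify(asset.algorithm)
    score = {"vulnerable": 3, "weakened": 1, "unknown": 1, "safe": 0}[level]
    if sndl_exposed(asset, migration_years, horizon_years):
        score += 3
    if asset.regulated:
        score += 2
    if asset.competitive_advantage:
        score += 1
    return score


def prioritize(assets, migration_years: int = 5, horizon_years: int = 10):
    """Return (name, classification, score, sndl_exposed) tuples, highest risk first."""
    rows = [
        (a.name, classify(a.algorithm),
         risk_score(a, migration_years, horizon_years),
         sndl_exposed(a, migration_years, horizon_years))
        for a in assets
    ]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed inventory; names, algorithms and lifetimes are illustrative only.
SAMPLE_INVENTORY = [
    Asset("customer-portal TLS", "ECDHE-P256", shelf_life_years=2, regulated=True),
    Asset("HR records archive", "RSA-2048", shelf_life_years=30, regulated=True),
    Asset("R&D design vault", "RSA-4096", shelf_life_years=15, competitive_advantage=True),
    Asset("backup encryption", "AES-128-GCM", shelf_life_years=10),
    Asset("code-signing pilot", "ML-DSA-65", shelf_life_years=5),
    Asset("legacy VPN", "DH-1024", shelf_life_years=1),
]

if __name__ == "__main__":
    for name, level, score, exposed in prioritize(SAMPLE_INVENTORY):
        flag = "SNDL" if exposed else "    "
        print(f"{score:2d} {flag} {level:10s} {name}")
```

With the assumed five-year migration and ten-year horizon, the long-retention HR archive and the R&D vault rank above the customer portal even though all three use quantum-vulnerable key exchange: their data outlives the migration window, so traffic recorded today would still matter when it could be decrypted. A real CCI feed would replace `SAMPLE_INVENTORY` with scanned certificates, TLS configurations and key-management records, and the horizon would be revisited as the team's regular board updates track how quantum capabilities evolve.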