CISO Guide for Quantum Computing: Risks and Opportunities (Part II)

While the specter of quantum computing as a new source of threats usually dominates the discussion, it is imperative to note that while quantum computing might present new challenges, it also presents numerous new possibilities for strengthening cybersecurity. 

Quantum computing is a technology that represents both a challenge and an opportunity for cybersecurity. Rather than being solely a threat, quantum computers can be harnessed to enhance security, improve threat detection, and be used to produce more robust cryptographic solutions. Exploring those opportunities may convince people that tomorrow’s cybersecurity will be about defending against the quantum threat and leveraging the quantum for our security.

For example, some of these technologies exploit the laws of quantum physics to create quantum key distribution (QKD). This communication channel will alert any party to attempted intrusions, ensuring that sensitive communications stay private. 

Soon, quantum computers’ unprecedented speeds could enable new and improved ways of detecting threats. Machine learning algorithms, for example, which are used in many areas of modern cyber defense and can be trained by vast amounts of data, could, in turn, be trained and executed much more quickly, allowing much greater speed in the detection of cyber attacks and a better ability to respond to them.

Additionally, post-quantum cryptography (PQC) is actively developed in concert with the progress of quantum computers since it will soon withstand quantum attacks, facilitating the safe storage of encrypted data. Quantum Computing-based approaches can also be used to detect fraud and optimize compliance. 

Enhancing Risk Management with Quantum Computing: Simultaneous Simulation of Multiple Risk Factors

Just as we build computation engines to quantify risks in our economic processes, Quantum Computing systems can be utilized in scenario analysis, enabling a better approach to risk management where multiple risk factors can be simulated simultaneously.

Better Security Measures: However, we should not only perceive the threat posed by quantum computing. Instead, the technology is also opening up possibilities that can boost security. Quantum key distribution (or QKD) exploits the laws of quantum physics to allow the creation of secret communication channels. Any attempt to intercept the keys alters their state and amplifies their visibility, causing the communicating parties to become aware that a breach has happened. QKD can be used to secure sensitive communications.

Advanced Threat Detection: By improving processing speeds, quantum computing will drastically enhance threat-detection capabilities, mainly because machine learning (ML) algorithms, which are increasingly used in cyber defense for threat detection based on anomaly detection, can be trained faster and can be executed accordingly more efficiently on quantum computers – which means that cyber attacks can be identified quicker, the probability of correctly predicting attack vectors can be increased, and incident responses will be improved.​​​​ 

Better Cryptographic Algorithms: Although quantum computing is poised to break much of our existing cryptography, it will also inspire the creation of new, cryptographically sound algorithms. These new quantum-safe algorithms, now commonly called post-quantum cryptography, or PQC for short (short for ‘post-quantum cryptography’), are designed to resist all known quantum attacks. The establishment of PQC algorithms is already well underway, thanks to the current standardization effort by the National Institute of Standards and Technology. CISOs should follow these developments closely and prepare to migrate their organizations to quantum-safe cryptography.

Fraud Detection: Quantum computing efficiently leverages the diverse computational power of user-defined qubits, enabling the parallel processing of large datasets, which is needed for the early detection of anomaly patterns for fraud detection algorithms. Quantum algorithms that can quickly process transaction information to locate real-time issues will enhance fraud detection’s accuracy and responsiveness. It plays a vital role in financial protection and organizational reputation maintenance, allowing enterprises to anticipate potential risks, forecast potential defense actions, and effectively protect organizational assets.

Compliance Optimisation: Quantum Computing can use complex regulatory frameworks to better monitor compliance by quantum computers. CISOs would find value in researching how quantum algorithms can be applied to identify compliant exercises. Accurate and adherent compliance monitoring can be achieved; ‘false-positive’ or ‘false-negative’ areas for compliance can be mitigated and reduced. Quantum systems with additional computational power can help optimize compliance frameworks and curtail the risk of falls from compliance.

Quantum-Ready Encryption: Quantum Computing can break classic encryption but also allows for more reliable encryption. Strong CISOs will explore the possibilities of Quantum-Ready Encryption to strengthen data defense and protection. (Although some CISOs can be dismissive of such ideas, I’ve had people tell me face to face that ‘quantum cannot be commercial’ or ‘quantum is not real.’) Quantum Computing will allow attackers to break current encryption systems, so CISOs need to explore quantum-safe techniques. This is becoming a real challenge for CISOs as some countries are issuing national post-quantum cryptography standard calls for action. It is still too early, but there will soon be post-quantum cryptographic algorithms to substitute for those currently used to protect data. As companies hold vast data stores, sensitive industries such as healthcare and finance should adopt quantum-safe encryption techniques first.

Scenario Analysis: Quantum Computing can be uniquely helpful in developing resilient contingency plans. Quantum computing can offer a portfolio analysis of risk scenarios and models by running simulations simultaneously on multiple risk variables. This can help in risk management because one can model variations in risk factors across a portfolio of possible outcomes and plan accordingly.​​​​ For example, for an airline, quantum computing in this context can simulate many possible events where something might go wrong and generate a more holistic approach to identifying risk-mitigation strategies to pilot flights safely and efficiently. With early warning of various risk scenarios, one can reduce the risk of last-minute disasters.

Strategic Recommendations for CISOs

CISOs will need to incorporate quantum resilience into their cybersecurity strategies as the era of quantum computing begins. This section advises CISOs on preparing organizations to navigate an evolving cybersecurity landscape. Here are some specific recommendations for staying on top of quantum developments, conducting ‘quantum resilience risk assessments’, developing ‘quantum-safe roadmaps,’ and making quantum-relevant investments, such as channeling more corporate resources into quantum research. 

We also discuss ways CISOs can encourage investment in the quantum-safe supply chain and suggest constructive approaches to building a security culture for the quantum-ready future while minimizing business disruption. In this part of the article, we walk through some actionable steps to help CISOs prepare for their organizations’ quantum future.

1. Stay Informed and Educated

One major future factor that CISOs must keep in mind is the continuing development of Quantum Computing and how this may affect the field of cybersecurity. In this case, they must stay on top of the latest developments in quantum technology, the progress of cryptographic research, and industry standards. It’s good practice for CISOs to attend conferences, maintain links with professional networks, and spend time collaborating with academic institutions.

2. Conduct Risk Assessments

Not only is it essential to comprehend the specific threats posed by quantum computing, but risk assessments are imperative to determine what must be protected from quantum threats within your organization. Designate what needs to be protected by specifying the lifetime of your data: “How long will it remain sensitive? What is its longevity?”

3. Develop a Quantum-Safe Roadmap

Preparation for the quantum era will require a step-by-step plan. Create a quantum-safe roadmap detailing your organization’s transition to quantum-resistant encryption. The contents of your roadmap should include the following:

• Assessment Step: Identify sensitive systems and data and assess damage that quantum threats could cause. 
• The planning phase: Planning for the migration to quantum-resistant algorithms, including timelines, funds, and milestones, must start now. 
• Implementation Phase: Start migrating to quantum-safe encryption. Focus on the most critical systems and data first and inform partners and vendors.

4. Invest in Quantum Research and Development

By investing in quantum R.D. sooner rather than later, your organization can get ahead of the competition. Look to quantum computing firms and research departments of knowledge universities to create partnerships. You will also develop an essential understanding of quantum risk and opportunity that can be used to make smarter decisions.

5. Enhance Supply Chain Security

Make sure that your processes for importing quantum technology are strict. Vet any supplier of a quantum component or software carefully. Ensure your vendors deliver robust guarantees about your supply chain’s security. You should also consider asking prospective vendors for regular security audits to ensure their practices are up to scratch. 

6. Foster a Culture of Security

The quantum-safe transformation is cultural, so a culture shift is needed. Cultivate a security-conscious organizational culture by promoting awareness and knowledge of quantum risks and opportunities among your entire workforce. Increase quantum literacy among staff by providing training and learning resources to spot quantum risk.

Future Predictions and Insights

Changing to quantum-safe encryption is not going to happen suddenly. The most straightforward scenario is a dual-track process with at least two distinct phases. In the first phase, post-quantum cryptographic (PQC) algorithms will be introduced as a core part of IT safety systems. 

Later, with quantum computers’ eventual cracking of systems around us, all will have to move to the mature version of the process, embracing a full-scale implementation of quantum-resistant approaches. Older systems first and most precious data later, or the other way round. Whatever the order, such a gradual and incremental process will have to be guided by the CISOs. First, risk assessments of the top-priority data will be carried out, and later on – a multi-year plan of transition will have to be drawn up.

Given the seriousness of the quantum threat, it is a foregone conclusion that regulators will sooner or later accelerate the rate at which they mandate QRA for their organizations. CISOs will have to keep up with the regulators and manage their organizations’ compliance with the new requirements that are bound to gain traction over time. 

Because anything that might prove vulnerable to a quantum attack is fundamentally global, there is a need for a mutually supportive approach to defense. Given their roles, CISOs must work more with industry consortia and, ultimately, with national governments and international bodies to pool knowledge and resources. Stronger protections will emerge from combining public—and private-sector expertise and innovation.

And, inevitably, quantum adversaries will discover cutting-edge exploits to attack a given quantum vulnerability (QV). In an industry commonly plagued with a lack of human and capital resources, monitoring QRTs could overwhelm security teams as they must evolve their threat intelligence capabilities to keep up with new attacks.

It’s high time that security leaders started planning for a radically new workforce and threat models that consider both quantum-safe technology’s negative and positive effects, intending to build a robust defensive posture before consumer uptake.

The commercialization of Quantum Computing will drive this innovation. CISOs’ perspectives on quantum technology shouldn’t be limited to a threat vector but also encompass an opportunity to upgrade their systems securely and efficiently. By welcoming quantum innovations, our systems could become more secure, resilient, and efficient.

So, the CISO and CSO should view quantum computing as a dual-edged sword: both a new risk and opportunity. The CISO’s role is to strike a balance between those two aspects. Both might be disruptive for security teams, but they don’t have to be destructive. 

First, they can inform themselves. Second, they can conduct a quantum risk assessment. Third, they can create a quantum-safe roadmap. Fourth, they can invest in quantum research and funding. Fifth, they should encourage staff to acquire quantum awareness. Sixth, they should become a security culture catalyst. If you act now, you can be prepared for the quantum onslaught. So, next time you hear the sober news about the risks of quantum computing, you can relax! 

Quantum security, as a concept, is not meant to be demotivating. Moreover, quantum technology holds great promise and can be leveraged to improve defenses, protect information and data, and ultimately help organizations operate more resiliently than what QCT alone will allow. As CISOs, we can strive to turn the quantum nightmare into a quantum dream.