https://www.techtarget.com/searchitchannel/news/366624901/Service-providers-pursue-quantum-computing-security-market
IT service companies are launching consulting practices focusing on quantum computing security, pursuing a largely untapped market that's subject to competing cybersecurity priorities and an uncertain timeline for quantum's potential risks to become real.
The lineup includes several well-known professional services firms and global systems integrators, which aim to advise clients on the threat of quantum computers capable of breaking classical encryption algorithms when used by attackers. No such computers are known to exist at this time, and there's no firm forecast for when they'll arrive. However, industry executives argued that businesses should start preparing for the quantum threat, considering the lengthy durations of previous encryption transitions.
In the meantime, the emerging field of post-quantum cryptography (PQC) focuses on developing algorithms that can block attacks driven by quantum computers. The job ahead for government agencies and private enterprises is to find where they are using vulnerable algorithms and replace them with quantum-resistant technology.
Service providers see an opportunity as more organizations investigate the potential quantum threat. DXC Technology, a technology services provider based in Ashburn, Va., is building a quantum practice within its consulting business. While quantum technology could eventually spark application development projects for DXC, its practice currently focuses on post-quantum security.
"That's where we've seen the greatest demand coming through," said Howard Boville, president of DXC's Consulting and Engineering Services business unit.
He noted that only a couple of customers asked about quantum computing security in 2024, but customer inquiries on PQC have become daily occurrences this year.
"It's gone from next to nothing to starting to become a torrent," Boville said. "And I would imagine calendar year 2026 will be a deluge of work."
Other service providers are also entering or expanding into the quantum security market. Unisys in March launched a cryptographic posture assessment offering, the first of several PQC services it plans to roll out. In addition, Accenture's venture capital arm in January invested in QuSecure, a post-quantum security software vendor. The professional services side of Accenture will work with QuSecure, focusing on quantum risk mitigation in the public and private sectors.
For service providers, security consulting offers a way to address customers' more immediate quantum concerns as the broader market for the technology continues to develop.
"While quantum computing has many applications beyond the security use case, this security pain point is quite evident," said Todd Thiemann, a principal analyst at Enterprise Strategy Group, which is part of Informa TechTarget's Omdi market research business.
Quantum security consultants will find a market that has both demand drivers and adoption obstacles.
On the demand side, most organizations have yet to take significant steps toward PQC and might need a helpful nudge to do so, despite broad awareness of the potential security threats. A report published earlier this month by security software vendor DigiCert found that 69% of 1,042 surveyed senior and C-level cybersecurity managers believe quantum computers will break current encryption methods within five years. In addition, a combined total of 57.2% said they felt either very prepared or extremely prepared for quantum threats. However, only 5% of the respondents reported having deployed quantum-safe algorithms.
That deficit, coupled with a lack of in-house skills, creates an opening for service providers. Mike Nelson, vice president of digital trust at DigiCert, said organizations often lack the resources to plan for, execute and deploy PQC. DigiCert, based in Lehi, Utah, offers a digital certificate platform it describes as quantum-ready.
As for obstacles, potential enterprise customers must deal with numerous current cybersecurity concerns on top of quantum risk mitigation.
Post-quantum encryption ranked last on the list of data privacy and protection technologies planned for significant investments this year in Informa TechTarget's 2025 Technology Priorities report: It was selected by only 8% of the 436 business and technology decision-makers who were surveyed on that category. Data loss prevention, email security, and data privacy/identity governance were the top-rated priorities, with 42%, 41%, and 37% of respondents selecting these areas, respectively.
"Security teams, Thiemann said, "have pots boiling over on the front burner and have PQC as a lower priority."
Another stumbling block is the lack of a definitive deadline for deploying PQC. Many organizations feel time is on their side, Nelson said.
"Governments and industry groups are publishing roadmaps, which help create a sense of urgency, but we still don't know exactly when a quantum computer will be capable of breaking today's cryptography," he said. "That uncertainty makes it easy for organizations to kick the can down the road."
Organizations subject to government regulation have less room to maneuver, however.
DXC's Howard noted that governments worldwide play an essential role in driving action on PQC. The U.S. federal government, for example, has issued a number of edicts to encourage post-quantum agility, he said. Post-quantum agility and, more broadly, crypto-agility refer to the ability to quickly swap out algorithms in response to a shifting threat landscape.
U.S. federal directives include the Committee on National Security Systems Policy 15, which governs agencies fielding defense and intelligence systems. The policy sets a January 2027 deadline for new IT or telecommunications acquisitions to use authorized algorithms that provide quantum resistance.
Howard believes such policies will spark demand among customers this year and next. Specifically, he expects interest in advisory services for assessing and prioritizing risks. That foundational work could lead to additional tasks, such as creating remediation plans that focus on the high-risk areas, he said.
The PQC challenge recalls another time-bound exercise in hunting down and fixing vulnerabilities: the Y2K problem.
A quarter century ago, as the year 2000 approached, IT managers and service providers worked together to remediate systems with two-digit year fields that would interpret 00 as 1900 and lead to potential disruptions. The key difference, though, is the lack of a clear deadline with PQC.
"With Y2K, there was a deadline: December 31st, 1999," Howard said. "There isn't a [known] deadline on this."
The absence of a fixed deadline and the widespread use of cryptography in software could make PQC remediation more difficult than fixing the Y2K issue.
Prioritization services will be crucial, considering the time required to replace algorithms in large, complex enterprises.
"The remediation is going to take multiple years," Howard said.
Thiemann cited the SHA-1 to SHA-2 algorithm transition as an example. NIST deprecated SHA-1 in 2011, and the migration to SHA-2 started around 2013. Many enterprises took seven years or longer to fully migrate their systems, he said.
But organizations might not have that long of a remediation runway with PQC. Nelson, also pointing to the time-consuming SHA-1 phaseout, suggested organizations won't be able to get everything done in time. He cited Gartner's timeline that forecasts current cryptography to be insecure by 2029.
"If you have four years left and your last migration took seven, time is not on your side," Nelson said. "Bringing in third-party services and technology to help accelerate those timelines is going to be critical."
Boville, meanwhile, cited IBM CEO Arvind Krishna's projection that a significant breakthrough in quantum computing will occur by 2030. Although the timing question remains tricky in light of the varied estimates, he believes enterprises should start addressing their top vulnerabilities.
"Organizations that are not already preparing for post-mainstream quantum are behind and at risk," he said.
John Moore is a writer for Informa TechTarget covering the CIO role, economic trends and the IT services industry.
28 May 2025