Getty Images

Feature

How CISOs can prepare for the quantum cybersecurity threat

CISOs should begin preparing now for quantum computing's impact on cybersecurity. Start with assessments and planning before migrating to post-quantum cryptography standards.

Kyle Johnson
By
Published: 14 Jul 2025

Quantum computing will mark a revolutionary change in modern computing, as well as a pivotal shift in cybersecurity. As these powerful machines make their way from theory to reality, they threaten to unravel the encryption algorithms that organizations have relied on for years to protect their data and communications systems.

Industry experts and government agencies, such as NIST, the U.S. Department of Homeland Security and the U.K.'s National Cyber Security Centre, have all sounded the alarm: CISOs, the time to start preparing for quantum computing is now.

Let's look at how quantum computing threatens cybersecurity and how CISOs should start their post-quantum migration.

How quantum computing disrupts traditional cybersecurity

While quantum computers won't replace classical computers, per se, they will complement them and excel at certain tasks. For example, due to a fundamental principle of quantum mechanics called superposition, qubits -- unlike classic bits -- can be both 1 and 0 at the same time or anything in between until measured. This enables quantum computers to solve complex mathematical problems much faster than classical computers.

Currently, however, qubits are fragile and error-prone because they are vulnerable to heat, vibrations and even cosmic radiation. However, scientists are on their way to developing more resilient and capable quantum computers. While the exact date is unknown, experts estimate it to be between 2030 and 2050.

The benefits of quantum computing's speed and power come at a price: security.

Long-relied-upon cryptographic algorithms that have kept business-critical and personal data safe for decades will soon be broken. A cryptographically relevant quantum computer -- one capable of cracking cryptographic algorithms -- can compromise asymmetric cryptography, also known as public key encryption. Specifically, using Shor's algorithm -- a quantum algorithm that finds the prime factor of an integer -- will make it possible to break this type of encryption in a matter of hours or even minutes if the quantum computer is large enough.

With asymmetric algorithms, such as the commonly used Rivest-Shamir-Adleman (RSA) and Elliptic Curve Cryptography (ECC), becoming vulnerable, organizations face the following threats:

  • Weakened secure communications. Secure communications that use asymmetric encryption, such as TLS, HTTPS and VPNs, will become vulnerable to eavesdropping and interception.
  • Increased difficulty securing IoT devices. Many IoT and embedded devices don't have the memory or compute power to accommodate post-quantum cryptography (PQC) algorithms, leaving them vulnerable to attack.
  • Impersonated digital signatures. Digital signatures that rely on asymmetric cryptography can be forged, enabling malicious actors to create fraudulent documents and transactions.

Another threat presented by quantum computing is harvest now, decrypt later attacks. These involve malicious actors exfiltrating encrypted data now with the intent of decrypting it when quantum computers are more readily available.

Global quantum computing initiatives

  • U.S. quantum computing law. President Biden signed the Quantum Computing Cybersecurity Preparedness Act into law in 2022. It requires federal agencies to plan for PQC migration.
  • U.K. proposed response to quantum technology. The U.K. announced in 2024 that its Department for Science, Innovation and Technology would create regulatory framework for quantum innovation and use.
  • Canada requires agencies to adopt PQC. The government of Canada outlined a PQC roadmap and said departments must submit migration plans by 2026, migrate critical systems by 2031 and complete the migration by 2035.
  • EU calls for member states to migrate by 2030. The EU's Network and Information Security group set a timeline in June 2025 for member states to complete quantum-safe migration by 2030.
  • China launches quantum-resistant algorithm program. The country's Institute of Commercial Cryptography Standards is currently accepting quantum encryption proposals.
  • Australia sets timeline to migrate by 2030. The Australian Signals Directorate published guidance on migrating to NIST-approved PQC algorithms.
  • South Korea to migrate to PQC by 2035. The National Intelligence Service announced South Korea will create its own PQC algorithms and finish migration efforts by 2035.
  • Singapore advises organizations to begin a PQC migration. The Monetary Authority of Singapore released an advisory on how financial services organizations should develop a migration plan.
  • Israel requires financial services organizations to begin planning. There are no set timelines, but Israel announced that financial services firms need to conduct risk assessments and plan for quantum cyber-risks.

CISO action plan: A post-quantum computing roadmap

Quantum preparedness isn't achieved overnight. Ideally, CISOs should start the process now and roll it out in three key phases.

Short-term: Preparation

Over the next one to three years, CISOs should assess their current IT systems and cryptographic use. This involves the following steps:

  • Create a migration team. Build a team and appoint a team leader to manage the PQC migration. Include relevant stakeholders from business units beyond cybersecurity. This team is responsible for ensuring the migration remains on time and within budget.
  • Inventory and classify data. Conduct an inventory of all data held by the organization. Classify data based on how it is currently encrypted and whether it requires encryption in the future. Not all data requires quantum-safe encryption. Consider which data needs to remain protected in five to 10-plus years, i.e., the data susceptible to harvest now, decrypt later attacks.
  • Determine cryptographic use. Review where and what types of cryptographic algorithms are in use. Create a cryptographic bill of materials (CBOM) to inventory cryptographic algorithms within hardware, firmware and software components.
  • Understand potential future exposure. Use the CBOM to identify the assets using asymmetric cryptographic algorithms that will be exposed. Analyze the following:
    • How PQC will affect current systems.
    • Which legacy tools and systems aren't capable of switching to PQC algorithms.
    • Whether new tools need to be adopted.
    • Which existing software needs to be deprecated.

Perform a risk assessment to discern which data, systems, controls and policies to prioritize and protect first during the transition. This risk assessment also affects which PQC algorithms to choose.

  • Select and test PQC algorithms. Research and select the most suitable PQC algorithms based on the inventory and assessments. NIST has vetted and approved the following PQC algorithms:
    1. ML-KEM. Module-Lattice-Based Key-Encapsulation Mechanism is a lattice-based algorithm based on the CRYSTALS-Kyber algorithm.
    2. ML-DSA. Module-Lattice-Based Digital Signature Algorithm is a lattice-based algorithm for securing digital signatures based on CRYSTALS-Dilithium.
    3. SLH-DSA. Stateless Hash-Based Digital Signature Algorithm, based on the Sphincs+ stateless hash-based signature scheme, is intended as a backup for ML-DSA.
    4. FALCON. Fast Fourier Lattice-Based Compact Signatures Over NTRU is a lattice-based algorithm for digital signatures.
    5. HQC. Hamming Quasi-Cyclic, which has not been finalized, is a code-based algorithm for key exchange for both classical and quantum computers that is intended to be a backup for ML-KEM.
  • Finalize budget and tool needs. CISOs should estimate PQC migration costs and determine a realistic budget. Allocate resources to secure the most at-risk data first, with the longer-term goal of migrating all systems.
  • Educate users organization-wide. With initial efforts for a post-quantum journey complete, educate employees on quantum computing's impact on cybersecurity. Cover how corporate policies and procedures will be updated to mitigate quantum computing threats and outline changes to expect over the coming decade.

Mid-term: Planning and execution

Where the short-term phase focused on inventorying data and encryption use, the mid-term phase covers the start of implementation. In the next three to five years, CISOs should do the following:

  1. Assess vendor PQC capabilities. Vet the quantum computing security efforts of current and potential vendors. Evaluate how they currently protect data and what their roadmap is for the next five to 10-plus years. Many vendors are already rolling out quantum-safe tools and systems.
  2. Determine supply chain risk. Evaluate how third parties with access to the organization's data are preparing for PQC to determine future needs and relationships. For example, consider cutting ties with third parties that are not conducting post-quantum migration efforts.
  3. Update security policies and plans. Create or update policies and procedures to account for PQC needs. These might include data security policies, incident response plans and disaster recovery plans.
  4. Update infrastructure based on risk. Begin migrating to the chosen PQC algorithms and secure data according to the quantum risk assessment. Consider a layered strategy that uses PQC algorithms and quantum-safe systems and tools alongside existing cryptographic standards.

Other key quantum computing security strategies to research include the following:

  • Quantum key distribution. QKD enables the exchange of encryption keys for secure communications. It uses quantum mechanics to protect keys from interception and eavesdropping.
  • Quantum random number generators. QRNGs use quantum mechanics to create unpredictable encryption keys. They enhance the security of communications, transactions and data.

Crypto-agility. Becoming crypto-agile involves systems and infrastructure dynamically shifting between PQC algorithms. It enables systems to switch PQC algorithms in the event one becomes compromised.

Long-term: Monitoring and evaluation

At this point, the most critical data and cryptography systems should be updated. Now it's time for CISOs to implement a multiyear quantum-safe infrastructure strategy across the entire organization.

PQC migrations are complex and time-consuming. They will be a long-term focus for organizations. The goal is to adopt quantum-safe tools and infrastructure across all systems -- something that might take more than 10 years to complete.

Long term, plan for the following:

  • Migrate low-risk systems. Continue the migration process for all systems, data and processes.
  • Assess migration efforts. The migration team should monitor and measure the effectiveness of the migration. Is everything going according to the planning stages? Or does the team need to adjust something?
  • Update inventories and CBOMs. Continue to update the data inventory and CBOMs as new systems and tools are migrated or adopted.
  • Monitor security threats. Stay apprised of emerging quantum computing threats and create mitigation plans.
  • Maintain compliance. Review relevant standards and regulations for PQC requirements to meet compliance mandates.

Kyle Johnson is technology editor for Informa TechTarget's SearchSecurity site.

Dig Deeper on Data security and privacy