Why Quantum Readiness is a Win Today
Although quantum computers capable of breaking current encryption are still in the future with an uncertain timeline, preparing for this eventuality is not just a theoretical exercise.
As CISOs, you’re constantly battling on multiple fronts. Understaffing, ever-evolving regulations, and the rapid adoption of AI all demand your immediate attention. So, when someone suggests adding “quantum readiness” to your already overflowing plate – something that often feels like a problem for a distant future – it’s natural to feel overwhelmed. How can we possibly prioritise protecting against a hypothetical threat when today’s urgent issues are already consuming us?
This reaction is completely understandable. In the current cybersecurity environment, it’s hard to get enthusiastic about new cryptography that will only become vulnerable when a future quantum computer becomes available.
However, it’s vital to remember that the quantum threat is no longer a distant theory. The “harvest now, decrypt later” approach is a very real, current problem. And regulators? They’re increasingly expecting concrete progress within months, not years. While acknowledging the urgency of the threat, it’s equally important to focus on the positives. When framed and executed effectively, a quantum readiness program can unlock larger budgets for CISOs and deliver tangible benefits today, long before a cryptographically relevant quantum computer (CRQC) even exists.
Quantum Threat: Closer Than You Think
Problems that we ignore quickly escalate into crises. The quantum threat is becoming critical for organisations that haven’t yet started their quantum readiness programs. Predictions suggest that useful quantum computers could appear as early as 2030. A quantum readiness program in a large enterprise can take 5–10 years. This means many organisations are already behind, and quantum readiness needs urgent attention.
Leading scientists and government agencies now openly warn that quantum attacks may be feasible within 5–7 years. Governments are paying close attention. The EU’s recent roadmap urges all member states to begin post-quantum cryptography (PQC) transitions by 2026 and mandates that critical infrastructure be quantum-safe by the end of 2030. Similarly, various governments require all high-priority systems to adopt post-quantum encryption by 2031. Many other countries have issued similar mandates. In short, regulatory deadlines worldwide are accelerating.
Despite these warnings, most organisations are lagging. The risk isn’t just about preparing for a future “Q-Day.” The threat is already here. Adversaries are actively collecting encrypted data now, intending to decrypt it when quantum capabilities are available. Sensitive customer records, intellectual property, emails – any data stolen today can be stockpiled with the anticipation of future decryption using a CRQC. This tactic means the quantum risk is effectively immediate.
Turning a Burden into Opportunity
Quantum readiness, when approached strategically, can be a significant advantage for CISOs. The crucial point is that it largely depends on the same fundamental cybersecurity practices that have always been necessary. With increasing scrutiny from regulators and governments regarding quantum preparedness, CISOs now have a valuable opportunity to secure dedicated funding to properly address foundational cyber hygiene tasks as part of specifically funded quantum readiness programs. This can potentially free up resources from existing budgets.
Regulations Drive Priority
A primary reason why quantum readiness won’t remain a future concern is the growing regulatory pressure. Compliance requirements, backed by law or high-level policy, reliably influence boardroom spending.
For a CISO, this means organisations dealing with government entities or operating in regulated industries like finance or healthcare should anticipate compliance obligations. Regulators, auditors, insurers, and clients will soon inquire about PQC migration plans, the location of quantum-vulnerable cryptographic systems, and the Cryptographic Bill of Materials (CBOM).
As quantum risk transitions from theoretical to practical, CISOs will find more receptive audiences in the boardroom. The argument that investing in quantum resilience directly addresses regulatory requirements resonates with leadership. No organisation wants to be unprepared for new laws or regulatory inquiries. Funding for compliance initiatives, especially those framed as future-proofing critical infrastructure, is often approved even with budget constraints. In essence, quantum readiness is rapidly becoming equivalent to compliance readiness, which secures the necessary executive support and budget.
Funding Asset Discovery
Before addressing cryptographic inventory, a comprehensive understanding of existing assets and their locations is essential. This involves a thorough discovery of all network-connected devices: servers, laptops, IoT sensors, OT systems, cloud VMs, rogue Wi-Fi devices, and shadow IT. This isn’t new; it’s basic cyber hygiene. The rationale is clear: unknown assets cannot be defended or upgraded.
However, many CISOs lack a complete grasp of their asset landscape. Organisations initiate CMDB projects, acquire asset discovery tools, and conduct network scans, but these efforts are often under-budgeted and understaffed, and the asset landscape is constantly evolving. A 2023 survey indicated that while 94% of IT leaders claimed a “live view” of all devices, nearly half still tracked assets using spreadsheets – prone to blind spots. Achieving a truly comprehensive asset inventory has been a persistent challenge.
Quantum readiness can provide the necessary impetus to finally address asset inventory effectively. It offers strong justification to secure budget and resources for this fundamental task under “quantum resilience and compliance.” Unlike previous asset inventory initiatives that relied on standard operating budgets, this time the justification can be framed around a prerequisite for PQC compliance and risk reduction, which gains board-level attention. This can lead to new funding, executive support, and cross-departmental collaboration. Existing budget allocations for asset discovery can potentially be redirected to other priorities. Ultimately, quantum readiness projects enable organisations to achieve both their post-quantum objectives and a complete, up-to-date inventory.
The benefits of a robust asset inventory extend beyond quantum cryptography. Unexpected and potentially vulnerable devices, such as orphaned machines, forgotten IoT devices, and shadow IT databases, are often discovered. Identifying and addressing these blind spots immediately reduces the attack surface. Unknown assets are a well-known source of breaches. A solid inventory enhances all other security functions.
Immediate Wins from PQC Prep
The initial step in any PQC migration involves a comprehensive inventory of cryptographic assets and algorithms. Cryptographic inventory is highlighted as the first step in nearly every recent government guideline, with many mandating completion by 2026.
This requires mapping every system, application, and device that uses encryption or digital signatures, documenting the specific cryptography employed (algorithms, certificates, key lengths, etc.). While potentially tedious, this process provides significant immediate benefits for security posture.
Most organisations have never conducted a thorough cryptographic inventory. Over time, new applications, legacy systems, outsourcing, and acquisitions lead to a proliferation of cryptographic implementations. Cases of mission-critical applications still using 20-year-old encryption libraries or rogue VPN appliances with default credentials are not uncommon. By necessitating a detailed examination of the entire IT landscape, the PQC inventory exercise provides invaluable visibility, similar to a full network and software asset inventory but focused on encryption. Effective security relies on knowing where encryption is used.
This process can be viewed as a comprehensive health check for IT security. It may reveal outdated TLS 1.0 protocols in internal admin tools or weak hashing algorithms for passwords in databases – vulnerabilities attackers could exploit long before quantum computers are a threat. Conducting a PQC-focused inventory now can uncover and facilitate the remediation of such weaknesses.
Undertaking a cryptographic inventory immediately improves security visibility and hygiene, even before the deployment of any new quantum-resistant algorithms.
Cleaning Up “Crypto Debt”
Following the inventory, another short-term benefit emerges: the identification and remediation of existing cryptographic vulnerabilities. Most mature organisations have accumulated some crypto debt – outdated or misconfigured encryption within their technology stack. Common examples include deprecated algorithms like MD5 or SHA-1, RSA keys that are too short, expired or self-signed certificates, unsupported cryptographic libraries, and even hard-coded secrets in legacy applications. These are current security weaknesses.
The findings from a cryptographic inventory can be concerning, but they also present a significant opportunity to enhance cyber hygiene. For instance, the inventory might reveal that a third-party service still relies on an insecure cipher suite for HTTPS connections. Or an internal tool never disabled TLS 1.0. These issues often remain unnoticed. However, PQC preparation brings them to light, enabling immediate remediation.
Essentially, quantum readiness initiatives compel organisations to address existing crypto weaknesses. The process prompts crucial questions, such as why IoT devices still use RSA-1024 certificates or why a partner integration still relies on an outdated VPN. By addressing these vulnerabilities, the attack surface against current threats is reduced, decreasing the likelihood of falling victim to known exploits.
Consider a specific example: an organisation discovered that a critical file-transfer server was operating with an out-of-the-box configuration using outdated algorithms. This server had passed routine IT audits for years. The PQC project brought it under scrutiny, and the team promptly updated configurations, closing a vulnerability that could have been exploited by a moderately skilled hacker without any need for a quantum computer. These are the types of immediate fixes quantum readiness drives.
The rationale is clear: the transition to PQC naturally involves upgrading and patching cryptography, leading to a more secure environment in the present.
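The cryptographic inventory described above and the crypto-debt clean-up it drives can be made concrete with a small classifier. The following is an added example, not code from the original article or from CREAPLUS: it takes constructed inventory records (the asset names, algorithms, key sizes and expiry dates are made up for illustration), emits CBOM-style entries, and separates two kinds of findings the text distinguishes: weaknesses exploitable today (deprecated hashes and TLS versions, short RSA keys, expired certificates) and exposure to a future CRQC (public-key schemes based on factoring or discrete logarithms). The thresholds are assumptions chosen for the example.

```python
"""Added example: turning a cryptographic inventory into CBOM-style records with findings.

The inventory below is constructed sample data (asset names and values are made up);
the thresholds encode the weaknesses the article names: deprecated hashes and TLS
versions, short RSA keys, expired certificates, and public-key algorithms a CRQC breaks.
"""
from dataclasses import dataclass, field
from datetime import date

SAMPLE_INVENTORY = [
    {"asset": "file-transfer-01", "use": "tls", "protocol": "TLSv1.0",
     "algorithm": "RSA", "key_bits": 1024, "hash": "SHA-1", "cert_expiry": "2024-01-31"},
    {"asset": "iot-gateway-07", "use": "tls", "protocol": "TLSv1.2",
     "algorithm": "RSA", "key_bits": 1024, "hash": "SHA-256", "cert_expiry": "2031-06-01"},
    {"asset": "hr-db", "use": "password-hash", "protocol": None,
     "algorithm": "MD5", "key_bits": None, "hash": "MD5", "cert_expiry": None},
    {"asset": "api-edge", "use": "tls", "protocol": "TLSv1.3",
     "algorithm": "ECDSA", "key_bits": 256, "hash": "SHA-256", "cert_expiry": "2026-09-30"},
    {"asset": "backup-vault", "use": "data-at-rest", "protocol": None,
     "algorithm": "AES", "key_bits": 256, "hash": None, "cert_expiry": None},
]

DEPRECATED_HASHES = {"MD5", "SHA-1"}
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
MIN_RSA_BITS = 2048  # assumed policy minimum for the example
# Factoring/discrete-log schemes: broken by Shor's algorithm on a CRQC regardless of key size.
QUANTUM_VULNERABLE_PK = {"RSA", "DSA", "ECDSA", "ECDH", "DH"}


@dataclass
class CbomEntry:
    asset: str
    use: str
    algorithm: str
    current_findings: list = field(default_factory=list)  # weaknesses exploitable today
    quantum_vulnerable: bool = False                      # harvest-now-decrypt-later exposure


def current_findings(record, today_iso):
    """Return the classical (non-quantum) weaknesses found in one inventory record."""
    findings = []
    if record.get("protocol") in DEPRECATED_PROTOCOLS:
        findings.append(f"deprecated protocol {record['protocol']}")
    if record.get("hash") in DEPRECATED_HASHES:
        findings.append(f"deprecated hash {record['hash']}")
    if record.get("algorithm") == "RSA" and (record.get("key_bits") or 0) < MIN_RSA_BITS:
        findings.append(f"RSA key of {record['key_bits']} bits below {MIN_RSA_BITS}")
    expiry = record.get("cert_expiry")
    if expiry and date.fromisoformat(expiry) < date.fromisoformat(today_iso):
        findings.append(f"certificate expired {expiry}")
    return findings


def is_quantum_vulnerable(record):
    """Public-key schemes a CRQC breaks; AES below 256 bits is flagged for its reduced Grover margin."""
    alg, bits = record.get("algorithm"), record.get("key_bits") or 0
    return alg in QUANTUM_VULNERABLE_PK or (alg == "AES" and bits < 256)


def build_cbom(inventory, today_iso):
    """One CBOM-style entry per inventory record, with both finding classes attached."""
    return [
        CbomEntry(r["asset"], r["use"], r["algorithm"],
                  current_findings(r, today_iso), is_quantum_vulnerable(r))
        for r in inventory
    ]


def summarize(entries):
    """Counts a CISO can report: assets, those fixable now, and the PQC migration scope."""
    return {
        "assets": len(entries),
        "with_current_findings": sum(1 for e in entries if e.current_findings),
        "quantum_vulnerable": sum(1 for e in entries if e.quantum_vulnerable),
    }


def run_sample(today_iso="2025-01-01"):
    return summarize(build_cbom(SAMPLE_INVENTORY, today_iso))


if __name__ == "__main__":
    for entry in build_cbom(SAMPLE_INVENTORY, "2025-01-01"):
        print(entry)
    print(run_sample())
```

On the constructed sample, three of five assets carry weaknesses that can be remediated immediately (the file-transfer server alone accumulates four), while a different set of three is in scope for PQC migration; the API edge using ECDSA over TLS 1.3 is clean today yet still quantum-vulnerable, which is exactly the distinction between crypto debt and quantum exposure the text draws.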
Crypto-Agility: Future-Proofing
The term “crypto-agility” represents a critical capability for long-term security. It refers to the ability of systems and processes to quickly replace cryptographic algorithms and protocols without requiring a complete system overhaul. This is like modular encryption: if one component becomes unsafe or non-compliant, it can be readily exchanged.
Crypto-agility’s importance extends beyond the quantum threat. Cryptography isn’t static. Algorithms once considered secure can become obsolete within years (e.g., SHA-1, DES, RC4). New compliance requirements also emerge. Organisations with crypto-agility can adapt to these changes with significantly less disruption.
Preparing for PQC inherently promotes crypto-agility. Systems will be refactored to support new quantum-resistant algorithms. Proactive teams will design their systems for flexibility, potentially by implementing a hybrid crypto approach (initially using both classical and post-quantum algorithms), abstracting cryptographic implementations behind interfaces, and generally avoiding hard-coded cryptographic choices. These practices ensure future algorithm replacements can be implemented quickly.
Leading security agencies underscore this. Some cybersecurity authorities state that “cryptographic agility is a best practice” to maintain system security even if algorithms are compromised, emphasising the importance of maintaining an inventory and interchangeable crypto components. By investing in quantum readiness, organisations are training themselves in agility. They establish processes for updating crypto libraries, managing keys at scale, testing new algorithms, and coordinating changes. These processes will enhance their ability to respond to any future cryptographic challenges.
This also yields compliance benefits. With crypto-agility, future privacy regulations or industry standards necessitating new cryptography become less daunting; compliance can be achieved through configuration adjustments rather than extensive code rewriting. The security infrastructure becomes more resilient to change, a hallmark of mature cybersecurity programs.
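The agility practices named above (abstracting cryptography behind interfaces, avoiding hard-coded algorithm choices, and running classical and post-quantum algorithms in a hybrid) can be sketched in code. The block below is an added example written for this page, not code from the article or from CREAPLUS. It assumes a simple policy table mapping a logical purpose to an algorithm name, so a migration edits one line rather than every call site and deprecated primitives are refused for new use, and a hybrid key combiner that derives one key from a classical and a post-quantum shared secret with HKDF (RFC 5869). The shared secrets are constructed constants standing in for real key-exchange outputs; no post-quantum library is used.

```python
"""Added example: two crypto-agility patterns.

1. Application code asks for a logical purpose ("integrity"); a policy table maps it to
   an implementation, so a migration edits one mapping instead of every call site, and
   deprecated primitives are refused for new use.
2. A hybrid key combiner derives a single key from a classical and a post-quantum shared
   secret with HKDF (RFC 5869), so either component can be swapped later. The secrets
   below are constructed constants standing in for real key-exchange outputs.
"""
import hashlib
import hmac

HASH_IMPLS = {
    "sha1": hashlib.sha1,        # retained only to verify legacy data
    "sha256": hashlib.sha256,
    "sha3_256": hashlib.sha3_256,
}
DEPRECATED = {"sha1"}

# The one place a migration edits: purpose -> algorithm name.
POLICY = {"integrity": "sha256"}


def policy_allows(name):
    """True if the algorithm is known and not deprecated for new use."""
    return name in HASH_IMPLS and name not in DEPRECATED


def digest(purpose, data, policy=POLICY):
    """Hash `data` with whatever algorithm the policy currently assigns to `purpose`."""
    name = policy[purpose]
    if not policy_allows(name):
        raise ValueError(f"{name} is not permitted for new use")
    return HASH_IMPLS[name](data).hexdigest()


def hkdf(ikm, salt, info, length, hash_name="sha256"):
    """HKDF extract-then-expand (RFC 5869) over the registry's hash."""
    h = HASH_IMPLS[hash_name]
    prk = hmac.new(salt, ikm, h).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), h).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_hybrid_secrets(classical_ss, pq_ss, context, length=32):
    """Hybrid combiner: the output depends on both inputs, so an attacker must break
    both the classical and the post-quantum exchange to recover the session key."""
    return hkdf(classical_ss + pq_ss, salt=b"hybrid-v1", info=context, length=length)


# Constructed stand-ins for an ECDH shared secret and a post-quantum KEM shared secret.
CLASSICAL_SS = bytes.fromhex("00" * 16 + "11" * 16)
PQ_SS = bytes.fromhex("22" * 32)


def demo():
    context = b"tls-session-constructed"
    key_today = combine_hybrid_secrets(CLASSICAL_SS, PQ_SS, context)
    # Swapping the PQ component, as a later migration would, yields an unrelated key
    # without any change at the call site.
    key_after_swap = combine_hybrid_secrets(CLASSICAL_SS, bytes.fromhex("33" * 32), context)
    return {
        "integrity_sha256": digest("integrity", b"abc"),
        "integrity_sha3": digest("integrity", b"abc", {"integrity": "sha3_256"}),
        "hybrid_key_len": len(key_today),
        "swap_changes_key": key_today != key_after_swap,
    }


if __name__ == "__main__":
    print(demo())
```

Moving from SHA-256 to SHA3-256 here is a one-entry change to `POLICY`, and attempting to point the policy at SHA-1 fails closed. The combiner concatenates the two shared secrets before HKDF, which is the common pattern for hybrid key establishment; a production implementation would take the secrets from a real key exchange and use a domain-separated `info` string for each protocol role.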
While quantum computers capable of breaking current encryption are still a future development with an uncertain timeline, preparing for this eventuality isn’t a theoretical exercise. It’s a practical program offering immediate benefits. Regulatory bodies are driving this shift, leading to increased willingness from boards to allocate funding. This journey necessitates a cataloguing of cryptographic assets and the remediation of long-standing weaknesses, enhancing current security. It fosters agility, enabling adaptation to future cryptographic changes.
This is precisely where CREAPLUS’ cryptography experts and cybersecurity professionals can become your invaluable partner. We understand the unique challenges CISOs face and are ready to help you not just meet, but exceed, these evolving demands. By partnering with CREAPLUS, CISOs can transform the quantum challenge into a strategic opportunity, leading to a more secure, agile, and resilient organisation today and well into the future.