The Threat of Quantum Computing: Why Businesses Must Act Now
Imagine a future where encrypted data suddenly becomes vulnerable to the power of quantum computers. While this significant leap in technology isn’t set in stone, ongoing advancements suggest it could become a reality within the next couple of decades. No one wants to be caught off guard or left behind as these machines evolve. Today, quantum computers already exist, but they do not yet possess enough qubits or the stability required to qualify as Cryptographically Relevant Quantum Computers (CRQCs). However, this situation might change within 10 to 20 years, enabling such machines to potentially break current encryption methods. Consequently, it is more critical than ever for organizations to start preparing for this transition now.
The US National Security Agency (NSA) has already set a target date of 2035 to secure national defense systems against quantum threats by adopting algorithms resistant to quantum attacks. This clearly signals the renewed importance of the subject for businesses across sectors. Similarly, Europe is actively involved; in November 2024, the French National Agency for Information Systems Security (ANSSI), Germany’s Federal Office for Information Security (BSI), along with Dutch counterparts and fifteen other European Union member states, issued a joint declaration emphasizing the transition to post-quantum cryptography.
It is therefore essential for organizations to prioritize deploying post-quantum cryptography today—even if the threat isn’t imminent. Procrastination could prove costly, given how rapidly the landscape is evolving.
The Rise of Quantum Threats: Preparing Today Is Key
In 2024, ANSSI highlighted the urgent need to anticipate and adapt to post-quantum cryptography in its initial assessment of interoperability solutions in France. While these new technologies are still under development, that doesn’t justify inaction. On the contrary, organizations should implement certain transitional measures immediately, while gradually deploying more comprehensive solutions over the coming years.
Ahead of the so-called “Quantum Day” (whose exact date remains uncertain), businesses must maintain a clear understanding of the risks posed to their data and set priorities accordingly, adopting a measured, strategic approach. The level of threat depends heavily on the nature of the data involved. Organizations can start by assessing which assets are particularly vulnerable to quantum decryption: information that might be stored now and decrypted later by a sophisticated adversary, data requiring decades of confidentiality, or cryptographically signed artifacts that need long-term verification.
Any data that relies on public key cryptography is vulnerable to Shor’s algorithm, which can factor large integers efficiently on a quantum computer. Using ephemeral keys for each session can limit exposure, and is also a security best practice. For assets susceptible to Grover’s algorithm—such as those protected by AES encryption—key lengths should be increased to at least 128 bits to mitigate the risks of future quantum attacks.
Fundamentally, a practical initial step involves conducting a simple audit: identify the most critical assets, evaluate their vulnerability, and prioritize their protection based on the potential security, compliance, or operational impacts of compromise. Additionally, organizations must factor in the timeline—what data or assets could be decommissioned or rendered obsolete before quantum decryption becomes a real threat? In most cases, companies won’t need to migrate all their existing assets immediately, especially those nearing the end of their lifecycle.
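A sketch of the audit described above, added here as an illustration and not part of the original article: it triages a cryptographic inventory by algorithm family and by how long the data must stay protected compared with when the system retires. The `Asset` fields, the action labels, the sample inventory and the 2035 planning year are assumptions.

```python
from dataclasses import dataclass

SHOR_BROKEN = {"RSA", "DH", "DSA", "ECDH", "ECDSA"}  # factoring / discrete-log based
MIN_SYMMETRIC_BITS = 128   # the article's minimum symmetric key length (Grover)
ASSUMED_CRQC_YEAR = 2035   # planning assumption, not a prediction; adjust to your risk appetite
ORDER = {"migrate-now": 0, "rekey": 1, "plan-migration": 2, "retire-as-is": 3, "ok": 4}

@dataclass
class Asset:
    name: str
    algorithm: str
    key_bits: int
    protect_until: int       # last year the data must stay secret or the signature must verify
    retire_year: int         # planned decommissioning year of the system
    ephemeral: bool = False  # fresh key per session limits what one broken key exposes

def triage(asset: Asset, crqc_year: int = ASSUMED_CRQC_YEAR) -> str:
    """Return the action label for one asset."""
    if asset.algorithm.upper() in SHOR_BROKEN:
        if asset.protect_until >= crqc_year:
            # Ciphertext or signatures created today still matter once a CRQC
            # exists: the store-now-decrypt-later case.
            return "migrate-now"
        if asset.retire_year < crqc_year:
            return "retire-as-is"    # decommissioned before the threat is real
        return "plan-migration"      # short-lived data on a long-lived system
    # Simplification: anything not in SHOR_BROKEN is treated as a symmetric cipher.
    if asset.key_bits < MIN_SYMMETRIC_BITS:
        return "rekey"
    return "ok"

def prioritise(assets, crqc_year=ASSUMED_CRQC_YEAR):
    """Return (name, action) pairs, most urgent first."""
    def key(a):
        # Within one action: longest exposure past the CRQC year first, static keys before ephemeral.
        return (ORDER[triage(a, crqc_year)], -(a.protect_until - crqc_year), a.ephemeral)
    return [(a.name, triage(a, crqc_year)) for a in sorted(assets, key=key)]

# Constructed sample inventory (not from the article).
INVENTORY = [
    Asset("web-tls", "ECDH", 256, 2028, 2040, ephemeral=True),
    Asset("legacy-vpn", "RSA", 2048, 2027, 2028),
    Asset("backup-encryption", "AES", 256, 2050, 2045),
    Asset("firmware-signing", "ECDSA", 256, 2045, 2050),
    Asset("patient-archive", "RSA", 3072, 2060, 2045),
    Asset("tape-vault", "3DES", 112, 2040, 2030),
]
```

Calling `prioritise(INVENTORY)` puts the long-lived archive and the signing key first and leaves the soon-to-retire VPN unmigrated; moving `crqc_year` earlier or later shows how sensitive the plan is to that one assumption.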
Redefining the Role of the CISO: A Longer-Term Mandate?
Many organizations believe that, to defend against quantum threats, they need a Chief Information Security Officer (CISO) with specific expertise in quantum cryptography or post-quantum planning. However, such specialized profiles are rare or currently nonexistent. Moreover, this approach can often be unnecessarily complicated.
For most CISOs, preparing for quantum resilience doesn’t require advanced knowledge of quantum mechanics. As previously mentioned, they can start formulating a plan by following straightforward guidelines and adopting best practices. Nonetheless, one critical factor that has received insufficient attention is the tenure of the CISO itself. Preparing for quantum security demands a long-term vision. Industry estimates suggest that developing and implementing a comprehensive quantum readiness program could take anywhere from five to ten years. Given that the average tenure of a CISO is only about 18 months, there is a significant risk that multiple leadership changes will occur during this period.
This constant rotation means each new CISO might pursue different priorities or approaches, potentially disrupting continuity. To address this, some organizations are already exploring ways to embed quantum considerations into their security governance—extending CISO mandates, hiring external specialists, or delegating strategic responsibility to board-level committees or specialized bodies with longer-term mandates.
Ultimately, organizations need to think proactively about who should oversee their quantum security strategy. Whether by prolonging CISO terms, elevating responsibilities to top management, or establishing dedicated committees, swift action is necessary. Delay could leave companies exposed when quantum threats materialize.
Kirsty Paine is Field CTO & Strategic Advisor at Splunk