By Byron V. Acohido
Quantum computing’s ability to break today’s encryption may still be years away—but security leaders can’t afford to wait. Forrester’s The Future of Quantum Security makes it clear: the transition to quantum-safe cryptography must start now.
Related: Quantum standards come of age
The real threat isn’t just the eventual arrival of quantum decryption—it’s that nation-state actors are already stockpiling encrypted data in “harvest now, decrypt later” attacks. Meanwhile, new regulations are beginning to mandate cryptoagility—the ability to swap encryption algorithms before they’re broken.
Tech giants like Amazon, Google, and IBM are moving fast to integrate post-quantum cryptography, but for most organizations, this shift is a massive, years-long process. Inventorying cryptographic dependencies, upgrading key management, and retrofitting security infrastructure take time—and the clock is ticking.
So where should security leaders focus? To answer that, Last Watchdog engaged Forrester Principal Analysts Sandy Carielli and Heidi Shey, co-authors of the report, for a deep dive into the most pressing quantum security challenges—and what organizations must do to get ahead.
LW: Many organizations still see quantum security as a future concern. Why is that a dangerous mindset?
Shey: It’s dangerous because we won’t necessarily know when exactly that future concern becomes an immediate one, or if it is already too late when we find out. A quantum computer powerful enough to break today’s existing asymmetric cryptography algorithms may already exist.
Commercial viability is different from nation-state viability, and if a nation-state has developed such a quantum computer, they’re not going to issue a press release. It’s a question of how much risk your organization is willing to take, based on the data you must protect and its long-term value. This is where the concern of “harvest now, decrypt later” attacks apply.
We recommend using Dr. Michele Mosca’s theorem of quantum risk against an optimistic vs. pessimistic probability analysis. There is a nearly a 1 in 10 probability of quantum attack against RSA-2048 in 5 years, and this estimate increases to 33% in 10 years. So the time to start taking action is now.
Shey
This impacts the underlying plumbing of your security tech stack; encryption algorithms are ubiquitous across all security domains. It can realistically take three to five years for cryptographic migration, to update the encryption methods in your in-house and commercial solutions, and make them more manageable going forward. There’s planning, piloting, testing, and third-party dependencies involved.
LW: The first post-quantum cryptographic standards are here. What should organizations be doing right now?
Shey: Reach out to key vendors in your tech stack to ask about their PQC migration plans. Your ability and timeline to migrate is also dependent on their progress.
There are two sides to this: 1) assessing a technology vendor’s cryptoagility efforts in your RFPs as a part of determining third-party tech supplier risk, 2) assessing a technology vendor’s capability to help you in your PQC migration as technology functionality you can use.
Security domains where we anticipate the strongest impact, and ones where the technology vendors can be key partners for you in your migration efforts include certificate and key management, data encryption and digital signature, networking infrastructure, and authentication.
In RFPs for new technology investments, at a minimum ask about how they are monitoring developments in PQC and their roadmap and timeline to upgrade their product to be quantum safe. We’ve found that some vendors have architected their solution for cryptoagility, and can use PQC as an option today.
LW: Cryptoagility is being framed as essential for security resilience. What does that actually mean in practice?
Carielli: In practice, cryptoagility means that organizations can easily adapt to changes in algorithm standards without having to rip and replace systems or code. In general, this means avoiding hardcoding particular algorithms and favoring libraries and systems that simplify migrating between algorithms.
Some organizations will work with a cryptographic agility provider that wraps existing systems in proxies and conducts the cryptographic functions at the proxy level – this eliminates the need to make updates at the code or system level
Cryptoagility initiatives will have quirks: two partners conducting secure communications, where one has upgraded to a particular public key algorithm, and the other has not; development teams that are a few versions behind on a particular cryptographic library.
Treat cryptoagility as an aspirational goal but expect that there will be pockets of your environment where migrating between algorithms will take a little more time, and manage the risks appropriately.
LW: What industries face the biggest quantum security risks, and what’s driving urgency in those sectors?
Carielli
Carielli: The industries acting with the most urgency are the financial services and government sectors – these are the industries that have issued guidance or regulations and are furthest along in piloting and implementing quantum safe solutions. When you consider the types of data that these industries handle and protect, the urgency makes sense.
Governments are concerned about protecting citizen information that passes over the Internet and about protecting classified information that moves within its network. Financial services firms have to protect sensitive data like customers’ bank account information.
Most of Forrester’s client inquiries around quantum security come from those two sectors. That said, any industry that passes sensitive data over the Internet is at risk today and will need to consider their quantum security strategy.
LW: If an organization hasn’t started preparing, what’s the most important first step they should take today?
Carielli: The first step is to take a cryptographic inventory to understand what cryptographic algorithms are in use in your environment. The inventory must look at homegrown developed software and its components, purchased software, devices, and supporting infrastructure.
Once you have the basis of an inventory, you can begin to prioritize your own migration to quantum safe solutions and ask your vendors and partners to provide their plans and timelines.
Acohido
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
