{"id":3469,"date":"2025-06-06T06:00:00","date_gmt":"2025-06-06T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3469"},"modified":"2025-06-06T06:00:00","modified_gmt":"2025-06-06T06:00:00","slug":"cisos-urged-to-push-vendors-for-roadmaps-on-post-quantum-cryptography-readiness","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3469","title":{"rendered":"CISOs urged to push vendors for roadmaps on post-quantum cryptography readiness"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>CISOs have been urged to demand clear <a href=\"https:\/\/www.csoonline.com\/article\/654887\/11-notable-post-quantum-cryptography-initiatives-launched-in-2023.html\">post-quantum cryptography<\/a> (PQC) readiness roadmaps from vendors and partners to combat the looming threat of cryptographically relevant quantum computers.<\/p>\n<p>Quantum computers capable of large-scale cryptographic attacks are yet to be developed but <a href=\"https:\/\/www.csoonline.com\/article\/3995036\/breaking-rsa-encryption-just-got-20x-easier-for-quantum-computers.html\">recent advances<\/a> mean the threat is moving from theoretical to near-term reality, possibly within five years.<\/p>\n<p>During a panel at this week\u2019s Infosecurity Europe conference, experts urged security professionals to begin transitioning to PQC sooner rather than later, alongside calls to focus on supply chain readiness.<\/p>\n<p>Sufficiently powerful quantum computers would be capable of breaking current asymmetric encryption, undermining the protections underpinning financial transactions, sensitive data, and secure communications. 
Even in advance of the arrival of a sufficiently capable quantum computer (an event sometimes described as Q-Day), adversaries could carry out <a href=\"https:\/\/www.csoonline.com\/article\/571721\/collect-today-decrypt-tomorrow-how-russia-and-china-are-preparing-for-quantum-computing.html\">harvest now, decrypt later attacks<\/a>.<\/p>\n<h2 class=\"wp-block-heading\">Preparing for Q-Day<\/h2>\n<p>Organizations, especially those handling long-duration secrets, and sectors such as finance, critical infrastructure, healthcare, and telecommunications are most at risk, the Infosecurity Europe panel agreed.<\/p>\n<p>Karl Holmqvist, founder and chief executive of Lastwall, a provider of quantum-resilient cybersecurity products, told delegates that Q-Day will not be announced and businesses <a href=\"https:\/\/www.csoonline.com\/article\/3604824\/nist-publishes-timeline-for-quantum-resistant-cryptography-but-enterprises-must-move-faster.html\">need to take action now<\/a> in the face of a growing threat.<\/p>\n<p>\u201cAn orderly transition will cost less than emergency planning,\u201d Holmqvist said. \u201cIt\u2019s like Y2K but without an actual date.\u201d<\/p>\n<p>Encryption methods such as RSA and ECC are considered unbreakable by classical computers because breaking them requires factoring the products of large prime numbers or performing comparable tasks. Quantum computers, however, are based on a fundamentally different computing architecture than classical computers and are capable of solving problems intractable to even the most powerful supercomputers, such as breaking widely used encryption methods.<\/p>\n<p>The threat has driven the development of quantum-resistant cryptography algorithms. 
The US <a href=\"https:\/\/www.csoonline.com\/article\/3487766\/cisos-urged-to-prepare-now-for-post-quantum-cryptography.html\">National Institute of Standards and Technology (NIST) approved three post-quantum cryptography (PQC) standards<\/a> last year for applications including digital signatures and key exchange.<\/p>\n<p>Organizations need to update their cryptographic systems, libraries, and hardware (such as hardware security modules) to support the new standards.<\/p>\n<p>The UK\u2019s National Cyber Security Centre (NCSC) has published <a href=\"https:\/\/www.ncsc.gov.uk\/guidance\/pqc-migration-timelines\">guidance for phased migration to quantum-secure systems by 2035<\/a>.<\/p>\n<p>Examples of early adoption include <a href=\"https:\/\/cloud.google.com\/blog\/products\/identity-security\/announcing-quantum-safe-digital-signatures-in-cloud-kms\">Google\u2019s quantum-safe digital signatures in Cloud KMS (key management services)<\/a> and <a href=\"https:\/\/www.cloudflare.com\/en-gb\/pqc\/\">Cloudflare\u2019s commitment to integrate the new PQC standards<\/a> into their services, but much remains a work in progress.<\/p>\n<p>The IETF is working on revising and standardizing key internet protocols \u2014 such as TLS, SSH, and VPNs \u2014 to support PQC algorithms, which generally have longer key sizes and tougher performance characteristics.<\/p>\n<p>Some vendors are introducing hybrid PKI solutions to ensure backward compatibility and smooth migration to PQC.<\/p>\n<p>\u201cCISOs need to start asking vendors if they are PQC-ready,\u201d Holmqvist advised.<\/p>\n<p>Daniel Cuthbert, global head of cybersecurity research at Santander, argued quantum advancements are forcing organizations to ask critical questions about where and how cryptography is used, an often overlooked task.<\/p>\n<p>Quantum can be used as the stick that will allow security professionals to get approval to carry out a cryptographic inventory at their organization, alongside projects 
that will allow them to improve their cryptographic agility more generally, Cuthbert advised.<\/p>\n<p>As a first step, organizations can prepare a cryptographic bill of materials to audit their use of encryption technologies.<\/p>\n<h2 class=\"wp-block-heading\">No \u2018forklift upgrade\u2019 needed<\/h2>\n<p>There is a misconception that change is difficult, but the task of modernizing systems to make them PQC-ready can be broken down into chunks, advised Anne Leslie, cloud risk and controls leader for EMEA at IBM.<\/p>\n<p>\u201cBusinesses can only go as fast as partners and suppliers,\u201d Leslie cautioned.<\/p>\n<p>Madelein van der Hout, senior analyst at Forrester, who was not on the panel, told CSO that organizations should start to prepare for post-quantum cryptography over a five-year horizon.<\/p>\n<p>Van der Hout acknowledged that businesses have many priorities to balance, so the speed of adoption should be aligned to their risk tolerance, internal business goals, and wider strategy.<\/p>\n<p>For a look at how to get started, see \u201c<a href=\"https:\/\/www.csoonline.com\/article\/3552701\/the-cisos-guide-to-establishing-quantum-resilience.html\">The CISO\u2019s guide to establishing quantum resilience<\/a>.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>CISOs have been urged to demand clear post-quantum cryptography (PQC) readiness roadmaps from vendors and partners to combat the looming threat of cryptographically relevant quantum computers. Quantum computers capable of large-scale cryptographic attacks are yet to be developed but recent advances mean the threat is moving from theoretical to near-term reality, possibly within five years. 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3470,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3469","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3469"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3469"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3469\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3470"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3469"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3469"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3469"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}