Insider Brief:
- ISACA’s global Quantum Computing Pulse Poll found that while 62 percent of technology and cybersecurity professionals are concerned about quantum computing developments, only 5 percent say it is a high priority for near-term planning.
- Respondents anticipate quantum computing will increase cybersecurity risks, create new business risks, change workforce skill needs, and present regulatory challenges, yet 41 percent report no current plans to address these concerns.
- Despite NIST post-quantum cryptography standards, only 7 percent of professionals report strong familiarity with them, and 44 percent have never heard of them.
- Experts urge organizations to begin assessing encrypted data, plan transitions to post-quantum cryptography, and upskill their workforce, saying that waiting until quantum computing matures will be too late to mitigate risks.
PRESS RELEASE — Quantum computing’s rapid rise is a risk to cybersecurity and business stability, but enterprises are unprepared, according to new research from ISACA’s global Quantum Computing Pulse Poll. While 62 percent of technology and cybersecurity professionals are worried that quantum computing will break today’s internet encryption, only 5 percent say it’s a high priority for the near future, and just 5 percent say their organizations have a defined quantum computing strategy.
More than 2,600 global professionals in digital trust, cybersecurity, IT audit, governance and risk were surveyed in this inaugural ISACA poll on the perceptions and preparations around quantum computing—which is believed will revolutionize global industry with its immense computational power and, more specifically, break the algorithms that secure nearly all online transactions, including digital signatures, web sites, utilities and medical records.
Potential for both transformation and risk
Quantum computing has revolutionary potential; however, there are also clear concerns about the risks it presents. Nearly half (48 percent) are very or somewhat optimistic about quantum computing’s impact in their sector/industry, 63 percent believe it will speed up computational tasks or data analysis significantly, and 46 percent say it will create revolutionary innovations.
However, many anticipated outcomes of quantum require significant preparation:
- 63 percent say quantum will increase or shift cybersecurity risks
- 57 percent say it will create new business risks
- 52 percent say it will change the skills needs of businesses
- 50 percent say it will present regulatory and compliance challenges
Poll respondents (62 percent) are worried about quantum computing breaking today’s internet encryption before browsers and websites fully implement the new post quantum cryptography algorithms approved by NIST. They are also focused on the potential for cybercriminals to start collecting encrypted data now and decrypt it once quantum computing becomes viable—with 56 percent citing the practice, known as “harvest now, decrypt later,” as a concern.
“Many organizations underestimate the rapid advancement of quantum computing and its potential to break existing encryption,” says Jamie Norton, ISACA board director and partner, McGrathNicol. “They need to start examining whether they have the expertise to implement post-quantum cryptography solutions now, to ensure they are able to effectively mitigate its impacts.”
Despite expected impacts, planning continues at a slow pace
Despite concerns about its potential impacts, it appears many organizations have not yet mobilized to prepare for these coming changes. Forty percent are not aware of their company’s plans, and 41 percent say they do not plan to address quantum computing at this time—even though 25 percent believe that the transformative potential of quantum computing will be realized on an industry-wide scale within the next five years, and 39 percent feel it will happen in six to 10 years.
When asked about how their organization views quantum computing within its current technology or innovation strategy:
- 5 percent consider it a high priority for near-term planning
- 15 percent say it is on their long-term roadmap but not a near-term priority
- 19 percent say they have discussed it but not made any formal plans
- 37 percent have not discussed quantum computing at all
- 24 percent don’t know
Additionally, only 7 percent of the poll respondents say they have a strong understanding of the new National Institute of Standards and Technology (NIST) standards, even though NIST has been working on them for more than 10 years. Forty-four percent admit they have never heard of them.
Taking action, prioritizing quantum skills
More than half (55 percent) of enterprises have not taken steps to prepare for quantum computing, but among the organizations that have, they are focused on:
- Assessing regulatory or compliance implications of quantum (46 percent)
- Exploring quantum-safe cryptography (38 percent)
- Investing in research and development or proof-of-concepts (27 percent)
- Collaborating with quantum hardware/software providers or consortia (28 percent)
- Providing staff training and upskilling on quantum computing (27 percent)
A third of global cyber and IT professionals (30 percent) do not have a good understanding of the capabilities of quantum computing, indicating there is work to do to upskill and educate those working in the IT sector to understand the implications of quantum’s capabilities, and to have a skilled workforce ready for the advent of quantum.
Rob Clyde, chairman, Crypto Quantique, and past ISACA board chair, notes that digital trust professionals should educate stakeholders about quantum computing risks and the urgent need for post-quantum solutions. “Start by 1) identifying where encrypted data are stored and devices that use encryption, 2) developing a plan to transition to post-quantum cryptography prioritizing critical data and systems, and 3) continuously monitoring for updated software and firmware with post-quantum cryptography,” said Clyde, who is presenting on this topic at the ISACA North America Conference in May. “Waiting until quantum computing is here is too late, especially given today’s harvest-now, decrypt-later threat.”
SOURCE: ISACA
