ISACA Highlights Critical Lack of Quantum Threat Mitigation Strategies

Most organizations have no defined strategy to defend against quantum-enabled threats, according to a new survey by ISACA.

Just 5% of IT professionals said such a strategy is currently in place at their organization, while only 3% believe it is a high business priority for the near future.

More than half (59%) of respondents admitted that no steps have been taken to prepare for quantum computing.

Experts have warned that quantum computers will be capable of breaking all current encryption protocols, such as RSA and AES. This will require computing power of 10,000 qubits or more.

Such a scenario will leave data, connections and components used by all organizations exposed.

Speaking during a press briefing, Ramses Gallego, ISACA Barcelona Chapter President, warned: “We are talking about a world with no secrets, a world with no barriers or borders.”

Quantum Set to Impact Cybersecurity

Despite the lack of preparedness around tackling future quantum-enabled attacks, the respondents recognized that the technology is set to have a significant impact on cybersecurity.

For example, 56% of IT professionals are worried about “harvest now, decrypt later” attacks – in which threat actors stockpile encrypted data today in anticipation of accessing it in the future using a quantum computer.

Around two-thirds (62%) expressed concern that quantum computing will break today’s internet encryption, while 57% believe it will create new business risks.

Additionally, 52% expect quantum computing to change the skills needs of the business.

A third (33%) of European respondents said they have a good understanding of quantum computing’s capabilities, a level that Gallego said he “celebrates.”

Poor Understanding of NIST’s Quantum Standards

Only 7% of global IT professionals have a strong understanding of the US National Institute of Standards & Technology (NIST)’s post-quantum cryptographic standards, which were formalized in August 2024.

This understanding was particularly poor among European IT professionals, at 5%.

Worryingly, 44% of global respondents have not heard of the NIST standards.

The NIST post-quantum standards encompass three post-quantum cryptographic algorithms that provide quantum-resistant solutions for different types of systems and use cases.

These include digital signatures to authenticate identities and key-encapsulation mechanisms to establish a shared secret key over a public channel.

The standards are expected to provide the global foundation for securing systems and data against future quantum threats.

Jamie Norton, ISACA board director, said that organizations should already be planning how their operations might look in a post-quantum world.

“Many organizations underestimate the rapid advancement of quantum computing and its potential to break existing encryption. They need to start examining whether they have the expertise to implement post-quantum cryptography solutions now, to ensure they are able to effectively mitigate its impacts,” he warned.

ISACA advised security leaders to develop the following roadmap for transitioning to quantum-safe encryption:

  • Educate stakeholders about quantum computing’s risks and the urgent need for quantum-resistant encryption
  • Assess and identify where encrypted data is stored and determine vulnerabilities
  • Begin transitioning critical data and systems to quantum-resistant encryption
  • Upgrade digital infrastructure and ensure all internet-connected systems are secure

Timeline for the Quantum Threat

Despite the major risks around quantum, Gallego noted that quantum computers are “still in their infancy,” and are currently both difficult to operate and expensive.

A key challenge around quantum computers is that they must be stored at a temperature of 15 millikelvin – 180 times cooler than outer space.

As a result, Gallego believes that most companies will not be able to own their own quantum computers.

Instead, he envisions the development of a “quantum-as-a-service” ecosystem provided by big tech companies that have the resources and expertise to develop and manage powerful quantum computers.

Gallego predicted that the technology will mature to a stage of being able to break current encryption in a timeframe of seven to 15 years.

This corresponds with the ISACA survey, in which 61% of European respondents predict a timeline of six to 15 years for this scenario to occur.

ISACA’s Quantum Computing Pulse Poll took insights from 2685 global IT professionals, including 529 respondents from Europe.