Organizations face various challenges as they transition to quantum computing, a shift overshadowed by the risks it poses to data security. Only a fraction of organizations feel adequately prepared to counter the growing sophistication and severity of cyberattacks. This sense of unpreparedness is further heightened by the belief that organizations have less than five years to equip themselves against the potential pitfalls of quantum computing.
DigiCert recently conducted a study, in partnership with the Ponemon Institute, to gauge how organizations are preparing for the threats posed by post-quantum computing (PQC). They surveyed 1,426 IT experts across the U.S., Europe, the Middle East and Africa (EMEA), and Asia-Pacific. The research revealed that 61 percent of organizations are highly concerned about being unprepared for PQC security risks, but only 23 percent have a plan in place.
This urgency hasn’t translated into actionable measures for many. A mere 30 percent of organizations have set aside a budget for quantum readiness. Roughly half of the surveyed IT experts expressed uncertainty about the ramifications of quantum computing, and many reported that their leadership is either only somewhat aware or entirely uninformed about the imminent security implications.
The DigiCert study found that the path to PQC readiness has many hurdles. Let’s dive deeper into the findings to see what those hurdles are and how organizations can address them.
Current State of Post Quantum Computing (PQC) Readiness
The transition towards PQC readiness comes amid the increasing threat of cyberattacks. Half of the surveyed professionals said their organizations aren’t effectively mitigating these risks. In fact, 46 percent have faced at least one cyberattack in the past year, with ransomware and credential theft topping the list of attacks. Furthermore, 56 percent observed that the cyberattacks were more targeted, and 54 percent saw an increase in severity, making it challenging to investigate and contain them promptly.
The necessity to gear up for PQC is real, with 41 percent of respondents saying their organizations must be ready for PQC in less than five years. On the other hand, only 21 percent feel they have 8 to 10 years or more for preparation. Lack of funds makes this more problematic, with only 30 percent of organizations setting a budget for PQC readiness and 22 percent not planning to fund it at all.
Just 23 percent of the surveyed professionals indicated that their organization has a strategy for PQC readiness. Most will not have a strategy for another six months to a year, while the rest are navigating without any plans.
Cryptographic Management Challenges
Cryptography, as noted in the study, is the practice of encoding information to maintain its confidentiality, integrity, nonrepudiation, and authentication in various communications and transactions. However, the centralized management of cryptographic strategies remains a significant challenge for many organizations. According to the findings, 61 percent of organizations either lack a comprehensive cryptographic management approach or only apply such strategies in specific scenarios. Effective crypto-management should encompass a variety of practices, such as inventorying cryptographic keys, understanding their features, addressing weak cryptography, adhering to best practices, and ongoing surveillance.
Many organizations cannot update cryptographic algorithms without a cohesive cryptographic management strategy. Merely 29 percent of respondents consider their organizations proficient in updating cryptographic elements in a timely fashion. About a quarter feel confident in their organization’s preparedness against threats.
The deployment of cryptographic keys and digital certificates is increasing operational demands for many organizations. However, 58 percent of respondents admitted that their organizations are unaware of the exact number of keys and certificates they manage. Fewer than half (43 percent) of respondents said their organization can recruit and retain personnel proficient in public key infrastructure (PKI) and cryptography or ensure the security of every certificate or key.
DevOps/DevSecOps, software supply chain security, and compliance requirements are primary drivers for deploying PKI, keys, and certificates. Securing skilled personnel is also a top strategic priority for digital security, with 55 percent of respondents viewing the recruitment and retention of qualified staff as paramount.
Geographic Differences in Post Quantum Computing
The study found regional disparities in PQC preparedness and cryptographic management across the U.S., EMEA, and Asia-Pacific. U.S. respondents exhibited a heightened sense of urgency, with 44 percent feeling the need to be ready for PQC in under five years. Additionally, U.S. respondents showed higher apprehension regarding PQC’s security implications, with 63 percent expressing significant concerns, compared to 58 percent in Asia-Pacific.
When it comes to proactive measures, 60 percent of U.S. organizations said they’re in the process of formulating a strategy to address quantum computing risks. In contrast, EMEA notably lags in cryptographic management, with only 32 percent of respondents indicating a centralized, enterprise-wide approach.
Best Practices for PQC Readiness
High-performing organizations are those that self-reported efficiency in mitigating cybersecurity risks, vulnerabilities, and attacks. These organizations demonstrate a clear sense of urgency and readiness for the upcoming challenges of PQC. They’re also notably proactive, with 69 percent having a strategy in place.
On the other hand, only 39 percent of less-prepared organizations can say the same. Major challenges for these organizations include the scarcity of resources, the lack of skilled personnel, and the absence of clear ownership.
Interestingly, even among the high-performing organizations, 48 percent acknowledged that misconfiguration of keys and certificates is a growing concern, echoing a sentiment shared by their less-prepared counterparts. Regardless of their preparedness, both groups pointed out flaws in their cryptography management, indicating room for improvement.
Recommendations for the Post Quantum Computing World
For a secure quantum future, the study recommends following best practices established by high-performing organizations in cybersecurity. A key lesson to take away is the significance of urgency. Leading organizations recognize the importance of immediate action, with many predicting a time frame of less than five years to establish PQC readiness. Organizations should adopt a similar sense of urgency, regardless of their current preparedness levels.
Investing in continuous training and cutting-edge technology is also crucial. Such investments provide organizations with the tools to update cryptographic methods and safeguard against quantum threats. Organizations should have a clearly defined strategy addressing quantum computing’s security challenges.
Whether leading or lagging, organizations across the board have pinpointed gaps in their cryptographic management. Many struggle with monitoring and configuring keys and certificates, so organizations need to invest in tools that refine these areas.
The key takeaway from the study: Blending proactive strategies with regular self-checks and cryptographic improvements is the way forward in the quantum era.
Zeus Kerravala is the founder and principal analyst with ZK Research.