CIO Guide to Post-Quantum Security Strategies

Encryption & Key Management, Security Operations

Forrester’s Sandy Carielli Discusses Preparing for Quantum Security Migrations

CIO Playbook for Post-Quantum Security
Tech leaders are increasingly preparing for complex quantum security migrations that involve product, infrastructure, and supply chain considerations. (Image: Shutterstock)

The advent of quantum computing poses an imminent threat to current cryptographic standards, prompting technology leaders to initiate preparations for quantum security migrations. These migrations are expansive, cross-functional projects that extend across products, infrastructure, and supply chains, all of which must be updated to remain secure against the cryptanalytic capabilities a quantum computer would introduce.


Despite the extensive scope of transitioning to quantum-resistant cryptography, Sandy Carielli, Vice President and Principal Analyst at Forrester, asserts that CIOs can implement several actionable steps to streamline the process. “A structured approach is essential for organizations to navigate this transition effectively,” she stated, emphasizing the phases of discovery, prioritization, remediation, and the introduction of cryptographic agility.

Carielli highlights a common misconception among CIOs regarding readiness for quantum-resistant security, noting, “Some believe that you need a quantum computer to achieve quantum security. In reality, the goal is protection, not possession of quantum hardware.” The urgency surrounding these migrations stems from regulatory demands and the accelerating pace of technological advancement, issues that CIOs must communicate clearly to stakeholders.

The National Institute of Standards and Technology (NIST) has set clear deadlines on the horizon, mandating that quantum-vulnerable public-key cryptography be phased out by 2030 and ultimately prohibited by 2035. The Cybersecurity and Infrastructure Security Agency (CISA) advises organizations to act immediately, given the long duration and complexity of the transition, which should encompass governance, budgeting, and vendor management.

During the initial phase of discovery, organizations should catalog their cryptographic assets across various dimensions, such as applications, data, identities, networks, IoT devices, cloud platforms, and codebases. This process could reveal vulnerabilities caused by existing technical debt. Smaller organizations may manage this solely through spreadsheets, whereas larger entities should explore partnerships with vendors for effective discovery management. Continuous monitoring tools could also prove beneficial.
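The discovery phase described above amounts to building a cryptographic inventory of the codebase. The following script is an added example, not code from Forrester or from the article's source; it scans a handful of constructed file snippets (an nginx TLS setting, a Java key generator, a Go ECDSA call, a shell key-generation command, a pilot post-quantum note and an at-rest encryption module) for algorithm names, sorts them into quantum-vulnerable public-key schemes, post-quantum schemes and symmetric/hash primitives that only need a key-size review, and reports which files need a migration plan. File paths, contents and the pattern lists are assumptions chosen for illustration; a real inventory would feed a tool that walks the repository and the deployed infrastructure.

```python
import re
from collections import Counter
from dataclasses import dataclass

# First-pass classification for a cryptographic inventory (assumed, illustrative
# lists). "quantum_vulnerable" covers public-key schemes broken by Shor's
# algorithm and therefore slated for replacement; "symmetric_or_hash" entries are
# review items only, since larger keys and digests keep them adequate.
PATTERNS = {
    "quantum_vulnerable": re.compile(
        r"\b(?:RSA|ECDSA|ECDHE?|DSA|DHE|DH|X25519|Ed25519|secp\d+[rk]1|P-256|P-384)\b",
        re.I,
    ),
    "post_quantum": re.compile(
        r"\b(?:ML-KEM|ML-DSA|SLH-DSA|FN-DSA|Kyber|Dilithium|Falcon|SPHINCS\+?)\b", re.I
    ),
    "symmetric_or_hash": re.compile(
        r"\b(?:AES-?\d{3}|AES|ChaCha20|SHA-?(?:256|384|512)|SHA3-\d{3})\b", re.I
    ),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    category: str
    algorithm: str
    snippet: str


def scan_source(path, text):
    """Return one Finding per algorithm name spotted in the given file text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for category, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(
                    Finding(path, line_no, category, match.group(0).upper(), line.strip())
                )
    return findings


def build_inventory(files):
    """Aggregate findings across files into the summary a CIO dashboard needs."""
    findings = [f for path, text in files.items() for f in scan_source(path, text)]
    vulnerable = [f for f in findings if f.category == "quantum_vulnerable"]
    return {
        "findings": findings,
        "by_category": Counter(f.category for f in findings),
        "quantum_vulnerable_algorithms": sorted({f.algorithm for f in vulnerable}),
        "files_needing_migration": sorted({f.path for f in vulnerable}),
    }


# Constructed sample repository; none of these files or contents are real.
SAMPLE_FILES = {
    "nginx/tls.conf": "ssl_protocols TLSv1.3;\nssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;\n",
    "auth/Signer.java": 'KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");\nkpg.initialize(2048);\n',
    "vpn/handshake.go": "priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)\n",
    "scripts/keygen.sh": "openssl genpkey -algorithm X25519 -out kem.pem\n",
    "pilot/kem.py": "# pilot: hybrid X25519 + ML-KEM-768 key exchange\n",
    "storage/crypt.py": "cipher = AESGCM(key)  # AES-256-GCM at rest, SHA-256 for integrity\n",
}

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FILES)
    for category, count in sorted(inventory["by_category"].items()):
        print(f"{category:20} {count}")
    print("replace:", ", ".join(inventory["quantum_vulnerable_algorithms"]))
    for path in inventory["files_needing_migration"]:
        print("needs migration plan:", path)
```

The hybrid pilot file shows up in both the vulnerable and post-quantum columns, which is the expected state of a migration in progress; the inventory is what lets the prioritization step in the next paragraphs rank those files against the data they protect.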

Notably, the ease of inventorying varies by technology. Cloud service providers often communicate their migration strategies clearly, reducing customer workload. Conversely, proprietary systems with legacy software can present significant risks, as can IoT devices with outdated firmware and data center hardware.

One initial step recommended by Carielli is to involve procurement teams early in the migration process and adjust RFP and SLA language to mitigate risks from third-party products. It is also crucial for organizations to scrutinize the migration plans and timelines of existing vendors.

CIOs should prioritize safeguarding data with long-term value, such as healthcare or banking information, on the assumption that encrypted data captured now could be decrypted once quantum computers mature. Digital signatures represent a high-stakes area as well; the loss of assurance for digitally signed contracts could represent a substantial risk, making it imperative for CIOs to address potential vulnerabilities actively.

Finally, remediation strategies must be broken into manageable steps, coordinated with procurement and finance departments so that upgrade cycles align with quantum readiness. Building cryptographically agile systems would enable organizations to adapt to future algorithm changes through configuration updates rather than complete re-architecture, reducing the time required for adaptation from years to mere weeks.
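The cryptographic agility described above is a design pattern: artifacts carry an algorithm identifier, implementations sit behind a registry, and a policy file (not code) says which algorithm to sign with, which to still accept and when each old one is sunset. The example below is an added illustration, not code from Forrester or the article's source. Because the Python standard library has no post-quantum signature scheme, HMAC over SHA-2 and SHA-3 stands in for the two signature algorithms being rotated; that substitution, the policy documents and the key identifiers are all assumptions for the sake of a stand-alone script. The same `AgileSigner` would wrap, say, an ECDSA entry today and an ML-DSA entry after migration with no caller changes.

```python
import base64
import hashlib
import hmac
import json
from datetime import date


def _hmac_factory(hash_name):
    # Each registry entry is a callable (key, message) -> signature bytes.
    def sign(key, message):
        return hmac.new(key, message, hash_name).digest()
    return sign


# Algorithm registry keyed by a stable identifier. Adding a new scheme means
# adding one entry here; nothing else in the service names a primitive.
# (HMAC stands in for real signature schemes in this illustrative example.)
ALGORITHMS = {
    "hmac-sha256": _hmac_factory("sha256"),
    "hmac-sha3-256": _hmac_factory("sha3_256"),
}

# Policy documents as they would be loaded from configuration (constructed).
# V1 is the pre-migration state; V2 switches signing to the new algorithm,
# keeps accepting the old one for existing artifacts, and sets its sunset date.
POLICY_V1 = json.loads('{"sign_with": "hmac-sha256", "accept": ["hmac-sha256"], "sunset": {}}')
POLICY_V2 = json.loads("""{
    "sign_with": "hmac-sha3-256",
    "accept": ["hmac-sha256", "hmac-sha3-256"],
    "sunset": {"hmac-sha256": "2030-01-01"}
}""")


def b64(data):
    return base64.b64encode(data).decode()


class AgileSigner:
    def __init__(self, policy, keys, today=None):
        self.policy = policy      # which algorithms to use/accept, from config
        self.keys = keys          # key id -> key bytes (assumed key store)
        self.today = today or date.today()

    @staticmethod
    def _binding(alg, kid, message):
        # Bind the algorithm and key identifiers into the signed bytes so the
        # tags in an envelope cannot be swapped without invalidating it.
        return alg.encode() + b"\x00" + kid.encode() + b"\x00" + message

    def sign(self, message, kid):
        alg = self.policy["sign_with"]
        sig = ALGORITHMS[alg](self.keys[kid], self._binding(alg, kid, message))
        return {"alg": alg, "kid": kid, "msg": b64(message), "sig": b64(sig)}

    def verify(self, envelope):
        """Return (ok, reason); policy checks run before any cryptography."""
        alg, kid = envelope["alg"], envelope["kid"]
        if alg not in ALGORITHMS:
            return False, f"unknown algorithm {alg}"
        if alg not in self.policy["accept"]:
            return False, f"algorithm {alg} not accepted by policy"
        sunset = self.policy["sunset"].get(alg)
        if sunset and self.today >= date.fromisoformat(sunset):
            return False, f"algorithm {alg} past sunset {sunset}"
        key = self.keys.get(kid)
        if key is None:
            return False, f"unknown key {kid}"
        message = base64.b64decode(envelope["msg"])
        expected = ALGORITHMS[alg](key, self._binding(alg, kid, message))
        if not hmac.compare_digest(expected, base64.b64decode(envelope["sig"])):
            return False, "signature mismatch"
        return True, "ok"


if __name__ == "__main__":
    keys = {"contracts-2025": hashlib.sha256(b"constructed demo key").digest()}
    before = AgileSigner(POLICY_V1, keys, today=date(2026, 1, 1))
    old_env = before.sign(b"contract #42", "contracts-2025")
    during = AgileSigner(POLICY_V2, keys, today=date(2026, 6, 1))
    print("new signatures use:", during.sign(b"contract #43", "contracts-2025")["alg"])
    print("old artifact during transition:", during.verify(old_env))
    after = AgileSigner(POLICY_V2, keys, today=date(2031, 1, 1))
    print("old artifact after sunset:", after.verify(old_env))
```

The rollover from V1 to V2 is a configuration change only: new artifacts immediately use the new algorithm, existing ones keep verifying until the sunset date, and after it they are refused with an explicit reason that can be logged and alerted on.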

The increasing regulatory pressure surrounding quantum migration adds urgency to these initiatives, offering CIOs a clearer rationale for prioritizing this transition alongside other pressing technological investments, such as AI and legacy modernization. “In a rapidly evolving landscape, protecting customer data and ensuring employee safety must remain paramount,” concluded Carielli, underscoring the critical nature of proactive cybersecurity measures in the face of impending quantum threats.
