Why quantum computing is a board level security risk

Dec 13, 2017 | 5 mins

The quantum threat is a board-level issue. Boards need to begin considering the quantum threat within their cybersecurity strategy and planning for it now.


In recent years, there has been an undisputed increase in enterprise data breaches across the globe. At first, this was only a concern for IT, CISOs and CIOs. However, with growing fiduciary responsibility, cybersecurity is gaining attention in board-level decisions. This is an important shift, as the emerging quantum threat will require organizations to carefully review their long-term data protection requirements to ensure compliance in the quantum age.

For decades now, organizations have been collecting data; combing through our search results, social media posts, and online transactions to gain strategic insights into their customers. And this effort wasn’t in vain; organizations have learned how to personalize our customer experience, target advertisements, and even help mitigate cyber fraud. The uses of customer information are so vast that even after all these years of collection new avenues to utilize big data are still being discovered. The fact is, data is a powerful tool. However, with this power comes great responsibility, or at least certain stipulations.

As customers, we constantly make decisions around how we share our personal information, often trying to strike a balance between security and convenience. When we choose to make private information such as credit cards, emails, patient records or contact information available to our service providers, we also implicitly trust that this data will be afforded a high standard of protection. This expectation goes beyond the ethical duty companies have towards their customers and crosses into compliance at a legislative level. Whether it is adhering to the General Data Protection Regulation in Europe or specific requirements such as the Health and Information Protection Act of Ontario, enterprises are legally responsible for maintaining personal data in a way that protects their customers' identity and information.

How does quantum information science threaten to compromise an organization’s ability to protect sensitive information?

Within a decade, experts predict that a large-scale quantum computer will be developed. With their particular computing abilities, quantum computers will have the capacity to solve some of today's hardest problems, including the underlying mathematical problems that form the basis for public key cryptography. This is a concern because public key cryptography provides the very foundation of trust required to protect all our online data and digital transactions. In a very real sense, this has a direct effect on an organization's ability to comply with long-term data requirements and regulations.

Today, some adversaries have the ability to intercept and store (harvest) information for later decryption using a quantum computer. That means data encrypted today could be decrypted within a decade. All variables considered, if your organization has long-term data protection requirements, then a "harvest now, decrypt later" attack may have already compromised your security objectives. This is critically important for organizations such as governments, financial institutions, and health care providers, whose long-term data protection requirements can range from 10+ years to the life of a patient. With the quantum threat undermining their security objectives, organizations may be opening themselves up to liability or other damaging business outcomes resulting from a catastrophic data breach.

Organizations have an obligation to prepare for emerging threats

Security leaders are required to take reasonable action to secure against known potential breaches and to remain continually aware of new and emerging threats that pose a risk to their business. We already see the quantum threat being recognized by academia and standards bodies such as NIST and ETSI, so organizations may already have obligations to shareholders and customers to prepare for this threat. With growing cybersecurity regulations, failing to secure against a potential breach can open an organization up to class-action litigation for negligence. Organizations need to begin preparing for the quantum threat so that they can react quickly and cost-efficiently to the responsibilities set by standards and legislative bodies.

A quantum-safe migration is an enterprise-wide project

To become quantum-safe, all devices will need to eventually migrate to quantum-safe cryptography. This is a massive project. Due to its scale, one department will not be able to mitigate the risk across an entire organization. Instead, it’s best tackled through a collaborative effort amongst the whole organization.

To start, security leaders can begin identifying high-risk systems and networks within their organization that have critical dependencies on public key cryptography. This is not a trivial task for CIOs and CISOs. Public key cryptography is so ubiquitous that pinpointing exactly where it is used, and how, could prove very difficult. Once the exposure has been quantified and brought to the attention of the board, steps can be taken as an organization to incorporate quantum-safe cryptography and crypto agility into the overall cybersecurity objectives of the enterprise.

What organizations need to do to mitigate their risk

As suggested by NIST, organizations need to establish procurement policies on an enterprise-wide scale that mandate crypto agility: the ability to rapidly switch cryptographic algorithms for newer, safer ones. By building crypto agility into your networks, system upgrades can be future-proofed against the quantum threat. CIOs will be able to react quickly to new standards, securing customers' identities and protecting the organization from liability.
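The two preceding sections describe the practical core of the migration: quantify where an algorithm is used (the exposure inventory), and design systems so the algorithm can be swapped without redesigning the data they protect (crypto agility). The following Python example is added here to illustrate that pattern; it is not code from the article or from ISARA. Every protected record carries an `alg` identifier, a registry assigns each algorithm a lifecycle status (`approved`, `deprecated`, `retired`), verification dispatches on the identifier, and `migrate()` re-protects deprecated records under the current algorithm. HMAC with a shared key stands in for the public-key signature a real migration would replace, because the standard library ships no post-quantum primitives; the algorithm names, statuses and keys are all constructed for the demonstration.

```python
"""Crypto-agility pattern: records name their algorithm so the algorithm can be
replaced without changing the record format. Added example, not the article's
or ISARA's code. HMAC stands in for a public-key signature scheme."""
import base64
import hashlib
import hmac

# Algorithm registry with a lifecycle status (names and statuses are constructed).
#   approved   - may protect new data and verify existing data
#   deprecated - verifies existing data, but such data should be migrated
#   retired    - must neither protect nor verify
ALGORITHMS = {
    "hmac-sha1":   {"digest": "sha1",   "status": "retired"},
    "hmac-sha256": {"digest": "sha256", "status": "deprecated"},
    "hmac-sha384": {"digest": "sha384", "status": "approved"},
}
CURRENT_ALG = "hmac-sha384"

# Constructed, deterministic demo keys (one per algorithm). Production keys
# would be generated and held in a KMS/HSM, never derived from a fixed string.
KEYS = {alg: hashlib.sha256(f"demo-key-{alg}".encode()).digest() for alg in ALGORITHMS}


def protect(payload: bytes, alg: str = CURRENT_ALG) -> dict:
    """Return a self-describing record: alg id, payload, integrity tag."""
    spec = ALGORITHMS[alg]
    if spec["status"] == "retired":
        raise ValueError(f"{alg} is retired and may not protect new data")
    tag = hmac.new(KEYS[alg], payload, spec["digest"]).digest()
    return {
        "alg": alg,
        "payload": base64.b64encode(payload).decode(),
        "tag": base64.b64encode(tag).decode(),
    }


def verify(record: dict) -> bytes:
    """Verify using whatever algorithm the record names; refuse unknown or retired ones."""
    alg = record.get("alg")
    spec = ALGORITHMS.get(alg)
    if spec is None or spec["status"] == "retired":
        raise ValueError(f"algorithm {alg!r} is not acceptable for verification")
    payload = base64.b64decode(record["payload"])
    expected = hmac.new(KEYS[alg], payload, spec["digest"]).digest()
    if not hmac.compare_digest(expected, base64.b64decode(record["tag"])):
        raise ValueError("integrity check failed")
    return payload


def migrate(record: dict) -> dict:
    """Re-protect a deprecated record under CURRENT_ALG; approved records pass through."""
    if ALGORITHMS.get(record.get("alg"), {}).get("status") == "approved":
        return record
    # verify() raises for retired/unknown algorithms, so nothing unverifiable
    # is silently re-signed under the new algorithm.
    return protect(verify(record))


def inventory(records) -> dict:
    """Count records by algorithm status: the exposure figure to bring to the board."""
    counts = {"approved": 0, "deprecated": 0, "retired": 0, "unknown": 0}
    for record in records:
        spec = ALGORITHMS.get(record.get("alg"))
        counts[spec["status"] if spec else "unknown"] += 1
    return counts


if __name__ == "__main__":
    # Constructed data set: records protected at different points in time.
    store = [
        protect(b"patient record 42", "hmac-sha256"),
        protect(b"invoice 7", "hmac-sha384"),
        {"alg": "hmac-sha1", "payload": "", "tag": ""},  # legacy record
    ]
    print("before migration:", inventory(store))
    migrated = [migrate(r) if r["alg"] != "hmac-sha1" else r for r in store]
    print("after migration: ", inventory(migrated))
```

The agility lives in two places: the record format never hard-codes an algorithm, and the registry, not the calling code, decides what is acceptable. Promoting a new algorithm is a registry change followed by a pass of `migrate()` over stored data, and `inventory()` gives the before-and-after count that turns an abstract quantum risk into a concrete exposure number.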

However, the first step begins with setting expectations among the entire organization to achieve quantum-safe security before public key cryptography is broken.


Scott Totzke is the CEO of ISARA Corporation, the largest organization in the world focused solely on developing quantum-safe cryptographic solutions for integration into commercial products to protect against emerging security threats. As an expert in cybersecurity and emerging cyber threats, Scott is focused on shaping the security standards of tomorrow, developing world-class security solutions, assisting organizations and governments for the migration to next-generation security solutions and bringing awareness to new quantum threats.

Prior to co-founding ISARA, Scott was Senior Vice President of Enterprise and Security at Huawei where he was responsible for launching Huawei’s R&D office in Waterloo. He drove their global strategy for delivering industry leading mobility solutions designed to meet the most stringent security requirements demanded by enterprise and government customers.

Scott was also a Senior Vice President at BlackBerry, where his organization was responsible for the security of BlackBerry products and services. Scott helped shape BlackBerry’s security, regulatory compliance, lawful access and privacy strategies on a global scale. His organization included accountability for full security life cycle management ranging from design and implementation to in-life response to customer issues and concerns. Under Scott’s leadership, security became BlackBerry’s single biggest differentiator in government, enterprise and consumer markets.

Prior to joining BlackBerry in 2001, Scott was senior consultant with EDS, and built technical expertise and leadership experience in network security, architecture and database design roles. He also spent more than a decade as a system developer and network architect.

The opinions expressed in this blog are those of Scott Totzke and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.