The thought of quantum computing may elicit a shrug from many a CISO who has enough on their plate already and has decided that’s an issue for the future. My take: get into the conversation, as it is your entity that will be affected sooner or later when post-quantum cryptography becomes a possibly concerning reality.

Quantum cryptography must become a concern for the cybersecurity expert as we (as a community) “don’t tend to prioritize the things that are important until they become urgent,” Jaya Baloo, CSO at Rapid7, tells CSO. “It’s precisely why we need to start getting ready today for the arrival of quantum computers jeopardizing our current cryptography.”

That advice got my attention. Baloo went on to summarize three steps that every CISO should be taking today:

She concludes with a sage observation: “It is helpful to take the lessons learned in this step [3 above] and share them within your trusted security communities to make sure that we all level up together and encourage each other as well as our vendors to help us in the journey of quantum readiness. Only when we secure our ecosystems can we enjoy the benefits of quantum computing without continually worrying about the risks to information security.”

Baloo was not alone in her opinions. Nils Gerhardt of Utimaco spoke to me at the most recent RSA about the need to engage in the first two of Baloo’s steps to get ahead of the proverbial curve. “We need seamless transitions to occur” was his primary message.
Joseph Carson of Delinea, meanwhile, pointed to the need to engage with those steps in looking for opportunities to implement quantum-resistant solutions.

Read the US Government’s how-to guide to quantum preparedness

Then we have the US government publishing in late August 2023 its preparedness guide with advice from NIST, CISA and NSA on “how to prepare now.”

“Post-quantum cryptography is about proactively developing and building capabilities to secure critical information and systems from being compromised through the use of quantum computers,” Rob Joyce, Director of NSA Cybersecurity, writes in the guide.

“The transition to a secured quantum computing era is a long-term intensive community effort that will require extensive collaboration between government and industry. The key is to be on this journey today and not wait until the last minute.”

This perfectly aligns with Baloo’s thinking that now is the time to engage, and not to wait until it becomes an urgent situation.

The guide notes that the first set of post-quantum cryptographic (PQC) standards will be released in early 2024 “to protect against future, potentially adversarial, cryptanalytically-relevant quantum computer (CRQC) capabilities. A CRQC would have the potential to break public-key systems (sometimes referred to as asymmetric cryptography) that are used to protect information systems today.”

The guide points to four steps (not surprisingly, they also align nicely with Baloo’s advice).

When all voices are singing the same tune from the same choir loft, one should take note. CISOs should designate a point for their quantum migration project that will take place over a number of years.
The first steps as recommended by the US government, Baloo, Carson, and Gerhardt are all the same: figure out what you have and take inventory.

Begin to sunset PQC-vulnerable systems now

Then, resources permitting, follow the guidance of Baloo and begin sunsetting those cryptographic systems identified as PQC vulnerable, replacing them as the opportunity presents itself with cryptographic systems that have been identified as PQC resilient. This is not a light lift; it is indeed a heavy lift, yet a necessary one.

For the skeptics amongst us, and we all have a vein or two of skepticism within, I commend to your attention the opinion piece of December 2021, “Collect today, decrypt tomorrow: How Russia and China are preparing for quantum computing,” and note the parallel in the US government bulletin of August 2023, which describes how adversaries will adopt a strategy of “catch now, break later — or, harvest now, decrypt later” operations.

Sitting on the sidelines and waiting is not an option.