State of migration: Encryption underpins the security of everything from healthcare records to government data and e-commerce transactions. But just 8.5% of SSH servers currently support quantum-safe encryption. TLS 1.3 adoption, currently at 19%, also trails older, quantum-vulnerable versions, according to a recent study by Forescout.

Other experts paint a more optimistic picture of PQC deployment since NIST finalized the first post-quantum cryptographic standards in August 2024.

“Google, Apple, Signal, and Zoom have implemented PQC,” says Duncan Jones, head of cybersecurity at integrated quantum computing firm Quantinuum. “Government mandates like CNSA 2.0 set hard deadlines. Financial services are moving: ASC X9’s 2025 readiness assessment outlines concrete steps from cryptographic inventory through migration planning.”

Obstacles to adoption: The main obstacles to widespread PQC adoption include cost, standards uncertainty, and organizational inertia. This last issue is significant given that preparing for the quantum threat requires a phased approach to crypto agility.

“The obstacles to widespread adoption are very real,” Keyfactor’s Hickman says. “A lack of skilled personnel, limited time and competing priorities, and the slow adoption of the existing standards are the top challenges slowing progress.”

Hickman continues: “Additionally, risk perception varies, especially between security teams and executive leadership, making it harder to align strategies.”

Kevin Hilscher, senior director of product management at DigiCert, says the time horizon is playing a significant role in the PQC preparation gap.
“Companies are prioritizing other projects because, let’s face it, 2030 is still more than four years away and other projects take precedence,” he says.

Moreover, security teams find themselves increasingly under fire from escalating threats in the here and now.

“Organizations often lack the expertise or resources to prioritize PQC while dealing with day-to-day threats,” says Dr. Katrina Rosseini, a cybersecurity expert at Ascendant Group. “Standards are still evolving, and deploying quantum-resistant algorithms requires careful testing to avoid breaking critical systems.”

Still, delays in PQC adoption not only leave organizations vulnerable to future quantum threats but also amplify the vulnerabilities already being targeted by attackers, Dr. Rosseini warns.

Uncertainty, complexity, and the difficulties in mapping cryptographic assets are also putting a brake on PQC rollouts.

“Budgets compete with nearer-term threats and not all people are yet aware of the 2030 deprecation of RSA/ECC by NIST, so planning and investment are delayed,” says Sectigo’s Soroko. “Standards and vendor support are still being operationalized, and some algorithms introduce performance overhead or compatibility issues for legacy systems and constrained devices.”

Soroko adds: “Skills are scarce and dependencies run through supply chains and cloud services, so end-to-end migration planning and governance slow adoption.”

Dr. Rosseini also notes that legacy systems and infrastructure can make rolling out new algorithms difficult.

Benjamin Mourad, senior director and solution architect at DMI, sees the main obstacles to widespread adoption as funding and education about quantum computing risks, such as the threat from “harvest now, decrypt later” attacks.

Conversely, improvements in technology over the past year have made implementing and scaling up cryptographic systems more straightforward, Mourad contends.

“Technological improvements over the past 12 months have improved capabilities and lowered the costs to migrate to PQC at scale with containerized, lightweight applications that did not exist over a year ago,” Mourad explains. “The decreasing need for significant investments in hardware and software will make PQC more scalable.”

Navigating quantum uncertainty: Analysts predict that quantum computers capable of breaking current encryption are anywhere from five to 20 years away.

This uncertainty can be distracting, Dr. Rosseini says. “The focus has to be on preparedness and resilience,” she advises. “Organizations need to inventory sensitive assets, assess system readiness, run pilot programs, and secure key management.”

The PwC report should act as a wake-up call, Dr. Rosseini adds.

“Organizations that treat PQC as a strategic security initiative now will be positioned to reduce risk and strengthen resilience,” she says. “Those who wait risk leaving themselves exposed to both present and future threats.”

First seen on csoonline.com
Jump to article: www.csoonline.com/article/4074154/cisos-face-quantum-leap-in-prioritizing-quantum-resilience.html

