Quantum Security: An Urgent Challenge for CISOs

Kirsty Paine, Field CTO at Splunk, shares how CISOs face mounting pressure to future-proof security as quantum computing threatens current encryption

The rapid advancement of quantum computing presents significant challenges for Chief Information Security Officers (CISOs) as they strive to protect their organisations from shifting cybersecurity threats.

With their average tenure often under three years, CISOs face difficulties in maintaining continuity in long-term security strategies, especially concerning quantum computing. This urgency is compounded by government investments in post-quantum cryptography (PQC) as new cybersecurity challenges emerge.


Following the discussions from World Quantum Day, Kirsty Paine, Field CTO at Splunk, explores strategies for CISOs and boards to navigate these challenges by embedding quantum readiness into risk management, thus securing critical infrastructure as "Q Day" approaches.

Kirsty Paine's insight on cyber security

Kirsty Paine, Field CTO for Splunk in the EMEA region, combines a background in mathematics with expertise in cyber security to address the complex challenges organisations face in securing information and operational systems. Splunk plays a central role in this, offering a robust data platform that helps users quickly identify and resolve issues across IT, security and engineering sectors to enhance resilience. It functions as the core of many Security Operations Centers (SOCs), facilitating rapid detection, investigation and response.

"Splunk is a data platform that allows users to find answers to problems. If you have an incident — in IT, security or engineering — you just want to find the issue and remediate it quickly, if automation hasn’t already done it for you," Kirsty explains.

"At heart, Splunk allows you to see data in a useful way and take action on it to improve your organisation’s resilience. 

"It’s the core of many SOCs and the backbone of IT departments: detecting issues, allowing easy investigation and enabling the best response — and quickly."

The challenges of CISO tenure

The short average CISO tenure of 18 months to three years complicates sustained efforts towards achieving quantum-readiness. This frequent turnover can disrupt or fragment strategic initiatives, such as those related to post-quantum cryptography. A potential remedy lies in embedding quantum-readiness within cross-functional teams to ensure continuity, although a definitive solution to this ongoing challenge has yet to be established within the industry.

"Every time a new CISO comes in, there’s often a shift in priorities, which can stall or fragment efforts that require long-term focus, like post-quantum cryptography," Kirsty explains.

"Take the UK’s 10-year quantum cryptography strategy, for example. It’s ambitious — and rightly so — but frequent CISO turnover can make it hard to maintain the momentum these strategies need."

Board-level strategies for quantum security

Boards, due to their longer tenure, play a critical role in ensuring continuity in quantum security initiatives. Appointing a board member with a deep understanding of quantum threats as a "quantum champion" is a recommended first step. Such an individual can maintain strategic focus across transitions. Incorporating quantum-readiness into the broader risk management framework with regular updates helps sustain momentum as "Q Day" approaches, ensuring organisations are proactive rather than reactive in their security posture.


Proactive measures for PQC preparation

The UK's £121 million investment in quantum technologies highlights the urgency for organisations to prepare for post-quantum cryptography. Prioritising the protection of at-risk assets — systems reliant on public-key cryptography and data requiring long-term confidentiality — is crucial. Organisations can mitigate risks by employing strategies like ephemeral, per-session encryption keys and using at least 128-bit keys for symmetric encryption like AES to ward off quantum-based attacks. A phased approach to migration, timed with the maturity of PQC standards, is advised to balance readiness with technological evolution.
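As an added illustration (not from the article or from Splunk), the checks named above can be run over a cryptographic inventory to decide which assets to migrate first. The asset names, the record format and the 10-year "long-term" threshold are assumptions; the cipher-suite strings are standard IANA TLS names.

```python
import re

# Assumption: confidentiality lifetime (years) from which data counts as "long-term".
LONG_TERM_YEARS = 10

# Constructed sample inventory: hypothetical assets with their negotiated TLS suite.
# Every TLS endpoint here relies on public-key cryptography, so all are in scope.
INVENTORY = [
    {"asset": "web-portal", "suite": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "confidential_years": 1},
    {"asset": "legacy-vpn", "suite": "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "confidential_years": 2},
    {"asset": "payments-api", "suite": "TLS_AES_128_GCM_SHA256", "confidential_years": 12},
    {"asset": "hr-archive", "suite": "TLS_RSA_WITH_AES_128_CBC_SHA", "confidential_years": 25},
]

def symmetric_bits(suite):
    """Effective symmetric key strength in bits, or None if not recognised."""
    match = re.search(r"AES_(128|256)", suite)
    if match:
        return int(match.group(1))
    if "3DES_EDE" in suite:
        return 112  # three-key 3DES has about 112 bits of effective strength
    return None

def uses_ephemeral_keys(suite):
    """True when the key exchange generates a fresh key pair per session."""
    if "_WITH_" not in suite:
        return True  # TLS 1.3 suite names: key exchange is always ephemeral (EC)DHE
    key_exchange = suite.split("_WITH_")[0]
    return "DHE" in key_exchange  # matches DHE and ECDHE, not static RSA or DH

def assess(record):
    """Return the list of findings for one inventory record."""
    findings = []
    if not uses_ephemeral_keys(record["suite"]):
        findings.append("static-key-exchange")
    bits = symmetric_bits(record["suite"])
    if bits is None or bits < 128:
        findings.append("symmetric-under-128")
    if record["confidential_years"] >= LONG_TERM_YEARS:
        findings.append("long-term-confidentiality")
    return findings

def triage(inventory):
    """Order assets for migration: long-lived data first, then by finding count."""
    rows = [(r["asset"], assess(r)) for r in inventory]
    return sorted(rows, key=lambda row: ("long-term-confidentiality" not in row[1], -len(row[1])))

if __name__ == "__main__":
    for asset, findings in triage(INVENTORY):
        print(f"{asset:14} {', '.join(findings) or 'no findings'}")
```
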

Ultimately, by focusing on critical assets and taking phased action, companies can mitigate the risks posed by quantum advancements before they become immediate threats. Planning strategically for post-quantum cryptographic shifts is essential to avoid the potential pitfalls of being caught unprepared as new quantum capabilities materialise.

"There’s no need to panic — but there is a need to plan," Kirsty says. 

"Start building your migration strategy now. Worrying about which PQC algorithm to choose while leaving critical assets unprotected is like arguing over the canapés on the Titanic.

"Focus on what really matters and take the first steps before the iceberg is in sight."

