Industry & Ecosystem News

IBM’s “Secure the Post-Quantum Future” Report

6 Oct 2025 – A new 2025 report from IBM’s Institute for Business Value (IBV), in collaboration with the Cloud Security Alliance (CSA), paints a stark picture of enterprise readiness for the quantum era. Titled “Secure the post-quantum future,” the study surveyed 750 executives worldwide on their preparations for quantum-enabled cyber threats. The results reveal a widening gap between rising awareness and lagging action on quantum-safe security.

Key Takeaways

In brief, the IBM-CSA report highlights several major trends and challenges in quantum-safe preparedness:

  • Awareness is high, but action is lagging: 73% of organizations report that business and technology leaders (the C-suite) are actively engaged in quantum-safe strategy, yet only 19% have set near-term maturity goals for their quantum-safe programs. This gap between executive awareness and concrete action is hindering quantum security progress. Leadership may be on board, but plans aren’t translating into enough tangible steps.
  • Cryptographic inventories remain incomplete: A foundational first step in quantum preparedness is mapping out where and how encryption is used. However, just 30% of organizations have conducted a full cryptographic inventory of their applications, data, and services, and even fewer (24%) are applying those insights to guide their remediation efforts. In other words, three-quarters of companies are essentially flying blind about their cryptographic exposure, missing an opportunity to prioritize what to fix first.
  • Misplaced reliance on vendors: Many enterprises are banking on third parties to solve the problem. 62% of respondents believe their vendors will “handle” the quantum-safe transition for them, and over half still see quantum risk as purely a technical issue. IBM’s analysts warn this perspective – treating quantum security as an IT detail that can be outsourced – is a dangerous oversight. If everyone expects someone else to take care of quantum defense, critical preparation will fall through the cracks.
  • Readiness scores are low (but slowly rising): To quantify preparedness, IBM created a Quantum-Safe Readiness Index (QSRI). The average organization in 2025 scores only 25 out of 100 on this index. In fact, even the top 10% of companies (“Quantum-Safe Champions”) only attained scores in the 35-50 range. This modest climb in readiness suggests progress is happening, but not fast enough. Most firms remain at the very early stages of planning and piloting post-quantum defenses.
  • Skills are a key bottleneck: The survey found a significant talent gap in this domain. Organizations estimate they currently have only about two-thirds of the quantum-safe cryptography expertise they will need – leaving roughly a 36% shortfall in required skills. From understanding new post-quantum algorithms to executing cryptographic upgrades, this skills gap is slowing down readiness efforts. It’s not that leaders don’t recognize the threat; they often lack in-house specialists to drive the transition.

Taken together, these findings paint a sobering picture. Many companies recognize the quantum threat at a high level, but have not mobilized an equivalent response. Essential groundwork like crypto inventories and skill-building is lagging, even as quantum-safe awareness permeates the boardroom. The instinct to “leave it to the vendors” or treat it as just another IT problem is widespread – and perilous.

The timeline to act is shorter than it seems, and preparing now is essential to safeguard the digital backbone of the organization. In the next section, we explore why deferring action could be a grave mistake, and how forward-thinking security leaders can turn quantum risk management into a strategic advantage.

Why CISOs Must Lead the Quantum-Safe Journey

Every month of delay in tackling quantum vulnerability is a month that adversaries are exploiting. Threat actors are already using “harvest now, decrypt later” tactics – stealing encrypted data today in hopes of cracking it once quantum computing advances make current encryption obsolete. This means sensitive information being intercepted now could be decrypted in the future, even if a full-scale quantum attack is years away.

Notably, experts caution that cryptographically relevant quantum computers may arrive sooner than many organizations expect – potentially 5-6 years before most companies finish their encryption upgrades at the current pace. The risk of a “quantum surprise” puts a premium on acting early. Deferring hard decisions is inviting a scenario where your organization’s data vault is quietly pillaged and opened later at an attacker’s convenience.

For CISOs, the message is clear: post-quantum security cannot be treated as a one-time compliance checklist. It’s not just about waiting for a regulatory mandate or a vendor patch. IBM and CSA’s report underscores that quantum-safe preparation should be viewed as a continuous operational capability, not merely insurance against a distant threat.

In practice, that means building crypto-agility into the enterprise – the ability to swiftly identify, test, and swap out cryptographic schemes as threats evolve. Developing this muscle will strengthen your overall security posture regardless of when quantum attacks materialize. Done right, a quantum-safe program yields immediate benefits: deeper visibility into cryptographic assets, more rigorous governance of data protection, and an organization adept at managing complex tech transitions. It’s an ongoing journey of modernization, akin to cloud or AI transformation, rather than a checkbox project for the IT department.

There’s also a competitive upside for early movers. Organizations that embed quantum safety into their broader digital transformation initiatives stand to gain a strategic edge. In fact, the report finds that the most proactive quantum-safe adopters – those dubbed Quantum-Safe Champions – are far more likely to be leaders in overall innovation and resilience. 49% of these champions outperform peers in digital transformation, suggesting that investing in future-proof security goes hand-in-hand with driving the business forward. By treating post-quantum readiness as part and parcel of digital strategy, companies can upgrade their “digital immune system” while modernizing IT. Early adopters will be better positioned to assure customers, regulators, and partners that their data will remain safe in the quantum era. In contrast, laggards may find themselves scrambling to retrofit security under duress, or worse, cleaning up after breaches that could have been prevented.

In short, the time to act is now.

Marin

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.