Post-Quantum, PQC, Quantum Security Leadership

Ready for Quantum: Practical Steps for Cybersecurity Teams

Marin November 1, 2021

3 hours read

1. Introduction

In cybersecurity today, it’s impossible to escape the buzz around quantum computing and its implications for security. What used to be a niche concern is now a board-level issue, with regulators setting deadlines and industry peers launching programs. As a result, nearly every CISO I speak with is either scoping a quantum-readiness program or already knee-deep in one.

The question I hear most isn’t about the science or the algorithms – it’s “How do we actually get started and secure the budget for this, now?”. This comprehensive guide is the answer: a practical, step-by-step playbook for launching and running a quantum security program, updated with the latest lessons on budgeting, cryptographic inventory, risk mitigation workarounds, challenges of post-quantum migration, and achieving crypto-agility in a pragmatic way. We’ll bridge the gap between high-level warnings and on-the-ground execution, giving security teams a clear blueprint to follow.

At the highest level, preparing for the post-quantum era isn’t just a technical endeavor – it’s a strategic transformation. It requires executive support, cross-functional coordination, and a phased approach that tackles both immediate wins and long-term resilience.

The urgency is driven not only by the specter of a future cryptographically relevant quantum computer (CRQC) – the so-called “Q-Day” – but by pressures that are already here today. Adversaries are actively harvesting encrypted data now in hopes of decrypting it later (the “Harvest Now, Decrypt Later” (HNDL) risk), meaning the threat is effectively already on your balance sheet. Equally concerning is the integrity threat often overlooked: “Trust Now, Forge Later” (TNFL), where attackers could one day use quantum power to forge digital signatures and certificates that underpin our trust in software updates, identities, and transactions. In short, quantum computing risks aren’t just about privacy and confidentiality; they threaten the very trust fabric of digital systems.

Meanwhile, regulators, insurers, investors, and customers are not waiting for Q-Day to hit. Governments worldwide have begun imposing concrete deadlines to transition to post-quantum cryptography (PQC) – with many roadmaps targeting 2030 to 2035 for completion of migrations. For example, U.S. federal agencies must have quantum-resistant encryption by 2035 per a 2022 law and White House memorandum, and the European Union’s 2025 PQC transition roadmap requires critical industries (like finance) to be quantum-safe by 2030. In finance, G7 and central bank groups have explicitly urged institutions to start planning now, treating quantum preparedness as essential for operational resilience. Cyber insurers are also re-evaluating coverage – some are considering exclusions for quantum-related breaches, arguing that failing to upgrade encryption could be deemed negligence and thus not covered. And major enterprises are starting to demand quantum-readiness from vendors and partners, not wanting a weak link in their supply chain when quantum attacks emerge. Investors and boards, for their part, have begun asking tough questions about management’s plans for this “post-quantum” threat. All of these forces create a very real clock for action – one based on external expectations and risk management mandates, rather than guessing the exact date a quantum computer might break encryption.

In this updated guide, we’ll first solidify why organizations need to start now – covering the practical drivers like data and infrastructure longevity, compliance requirements, immediate security and business benefits, and talent/reputation advantages. We will then delve into the challenges of post-quantum cryptography to set realistic expectations (spoiler: migrating to PQC is not a simple drop-in upgrade). Next, we outline what not to do – avoiding common pitfalls such as panic purchases or waiting passively for vendors. The core of the guide is a detailed action plan of what you should do: from obtaining executive mandate and budget, to setting up governance and teams, running awareness campaigns, performing thorough cryptographic inventories, and devising a risk-based remediation roadmap. We’ll discuss how to prioritize and sequence your efforts, how to engage third parties and vendors, and how to implement interim mitigations (like hybrid encryption, tokenization, or network segmentation) when immediate upgrades aren’t possible. Throughout, we emphasize crypto-agility – building the ability to adapt quickly as threats and standards evolve – because being “quantum-safe” isn’t a one-time project but an ongoing capability.

This is a long read (by design), but by the end you should have a clear understanding of how to kick off and run a quantum security program end-to-end. Consider it a starting playbook that you can tailor to your organization’s context. The recommendations are grounded in both industry best practices and hard lessons learned in the field. No matter where you are in your journey – whether you’re just socializing the issue with leadership or already inventorying your cryptographic assets – this guide will help ensure you cover all the bases and avoid false starts. The quantum threat demands a proactive, well-coordinated response, and with the right approach, you can turn this looming challenge into an opportunity to modernize and strengthen your security posture across the board.

Let’s begin with the motivations for preparing now – the “why” that underpins the entire program – before moving into the challenges and then the detailed “how.”

2. Practical Reasons for Preparing Now for the Quantum Threat

Even if the arrival of a powerful quantum computer feels like a future problem, there are numerous practical reasons to start preparing today. This isn’t about sci-fi or panic; it’s about sound risk management and leveraging a coming change to drive positive improvements. Below we break down the key drivers:

2.1. The Inevitability of Technological Progress

Quantum computing is advancing steadily, moving from theoretical research to engineering reality after decades of work. No serious experts debate whether quantum computers capable of breaking encryption will arrive – the only debate is when. It could be in 5-7 years or 15-20, but the direction is clear: eventually, classical public-key crypto (RSA, ECC) will be vulnerable. Betting that it will never happen is not an option for responsible security planning. Major tech companies and governments are investing billions in quantum R&D, reporting regular breakthroughs. We don’t need to panic about the exact timeline, but we do need to act with foresight. History tells us that big technology shifts (like the advent of cloud or mobile) can surprise us with their speed – and it’s the organizations that prepared in advance that thrived. In short, quantum computing is coming, and ignoring it won’t make it go away. Preparing now ensures you won’t be caught flat-footed when progress crosses that critical threshold.

2.2. The Complexity of the Transition

Switching to quantum-resistant cryptography is not as simple as flipping a switch or applying a routine patch. Cryptography is deeply woven into your IT and OT systems – from obvious places like VPNs, TLS, and code-signing, to hidden corners in applications, hardware, IoT devices, and third-party libraries. Many protocols and systems will need significant re-engineering. PQC algorithms (like those being standardized by NIST) often have larger key sizes or different performance profiles that can stress networks and devices in unexpected ways. In some cases, you might even need to replace or heavily refactor core systems because the new algorithms just don’t fit the old constraints (e.g. an embedded device with tiny memory might not handle a large PQC key). All this means the migration will be time-consuming and complex. It will require careful planning, testing, and phased deployment to avoid breaking things. Starting early gives you the luxury of a gradual, orderly transition – as opposed to a rushed, risky scramble later. Consider that many organizations took years to eliminate old algorithms like SHA-1 after it was broken ; migrating to PQC will be an even bigger challenge. By acknowledging the complexity, you can budget sufficient time and resources for it. As one industry expert bluntly put it, post-quantum migration will be larger and more complex than even Y2K – it touches far more systems and devices than we had in 1999. The effort is huge, so why wait? Delaying only compresses your timeline and increases the likelihood of costly mistakes.

2.3. The Longevity of Data

Some data needs to remain confidential for many years or even decades – think health records, personal identifiable information, long-term financial transactions, intellectual property, or state secrets. If that data is stolen today while protected by current encryption, an adversary could store it and simply wait until a quantum computer can decrypt it. This is the infamous “Harvest Now, Decrypt Later” (HNDL) threat. It means that Q-Day has retrospective impact: a future quantum break can compromise data that was intercepted or exfiltrated years prior. For organizations with long-data-retention requirements or anyone handling sensitive information that must stay secret for 5+ years, the window to safeguard that data with quantum-safe encryption is right now. In fact, for certain types of data, the window has effectively already closed if not addressed – data you encrypted 5 years ago could be in danger if it was quietly stolen. This dynamic creates an urgency to begin deploying quantum-resistant protections (or compensating measures) as soon as possible for your most sensitive, long-lived data. Waiting until a future quantum announcement is too late for that information. By acting now – implementing PQC for critical data flows or adding additional layers of protection – you ensure that data being protected today stays protected in the post-quantum future. (For a deeper dive into HNDL and its implications, see the dedicated article.)

2.4. The Threat to Digital Integrity (Trust Now, Forge Later)

While much discussion focuses on data confidentiality, quantum computers also pose a grave integrity threat. Many security protocols rely on digital signatures and certificates (for software updates, authentication, transactions, etc.). A sufficiently powerful quantum computer could forge these signatures, allowing an attacker to trick systems into trusting malicious code or messages. This is the “Trust Now, Forge Later” (TNFL) scenario. Its impact could be even more immediate and chaotic than HNDL – because if, say, an attacker can forge a software update signature, they can push malware as if it’s a trusted update overnight. Imagine the confidence crisis if suddenly no digital signature could be trusted: software updates, financial transactions, authentication tokens – all would be suspect. TNFL means that once quantum attacks on signatures are viable, an adversary could invisibly undermine systems without any warning (whereas HNDL at least requires them to eventually reveal stolen data). For example, critical infrastructure could be sabotaged by forging code updates or commands, all while appearing legitimate. This integrity issue is a strong reason to start preparing now: it’s not just about protecting secrets decades into the future, but preserving the trust in your systems and processes. We need to begin transitioning to quantum-safe signature schemes (or hybrid solutions) and ensure our PKI and identity systems are quantum-ready, so that when Q-Day arrives, we don’t face an overnight meltdown of digital trust. Boards and regulators are increasingly receptive to this argument – it frames quantum risk not just as a confidentiality issue, but as a systemic integrity and safety issue that could have immediate, widespread impacts on society if unaddressed.

2.5. The Longevity of Digital Infrastructure

Many organizations operate systems with very long lifespans. Industrial control systems (ICS) in factories or power grids, medical devices, automobiles, satellites, even “smart” appliances – these can remain in service for 10, 20, 30+ years. Similarly, protocols and applications in critical infrastructure (telecom, utilities, banking) often have decades-long lifecycles. If you are deploying or buying technology today that you expect to still be in use in 2035 or beyond, you must factor quantum resistance into its security design now. Otherwise, you’re baking in a vulnerability that will be costly to fix later (or worse, may be unfixable if the device can’t be upgraded). Consider also the procurement cycles: large organizations might only refresh certain systems every few years, so there may be only one or two refresh cycles between now and the time quantum attacks are possible. This is why government guidance (e.g., from NIST and others) already recommends making new systems “quantum-agile” or crypto-agile – i.e., able to swap cryptographic components easily – even before final PQC standards are fully deployed. Being prepared could mean choosing software architectures that allow algorithm updates, using modular cryptographic libraries, and avoiding hard-coding crypto so that an algorithm change doesn’t require a major rewrite. If you start doing this today, you ensure that your infrastructure is future-proof. If you ignore it, you might find in 5-10 years that you have a fleet of equipment that all needs emergency replacements or retrofits at once (a very expensive proposition). Planning for longevity also aligns with Mosca’s Theorem, a simple equation from cryptographer Michele Mosca which essentially says: if the time to break your crypto (with a quantum computer) plus the time to retool your systems exceeds the time those systems need to remain secure, then you’re already late. Many long-lived systems fall into that scenario – so we need to start the transition early to avoid running out of time.

2.6. Regulatory and Compliance Pressure

Governments and regulators worldwide have awakened to the quantum threat and are moving from guidance to requirements. Preparing for quantum-safe cryptography is increasingly not just prudent, but mandatory in many sectors. For instance, the U.S. federal government (per the 2022 CRYPTO Act and NSM-10 memorandum) requires agencies to inventory their cryptography and have plans to transition to NIST-approved PQC by specific deadlines (with 2035 as a hard deadline for completion in national security systems). In Europe, the EU’s Coordinated PQC Roadmap (June 2025) mandates critical infrastructure sectors like finance, energy, health, and transport to complete PQC upgrades by end of 2030, with broader adoption by 2035. The U.K.’s NCSC has also published guidance with milestones like having migration steps by 2028 and full rollout by 2035. Regulators in Asia-Pacific and elsewhere are expected to follow suit or even set tighter timelines.

Crucially, financial regulators and cybersecurity agencies are already putting quantum-readiness on their checklists for operational risk management. The G7 Cyber Expert Group in 2024 warned financial institutions to start quantum transition planning or face systemic risks. We may soon see standards like PCI-DSS (for payment card security) or ISO/IEC frameworks updated to include quantum-resistant requirements. At a minimum, supervisory exams and audits could start asking, “What is your plan for quantum risk?” Organizations that lack a plan could be seen as lagging in risk management. Additionally, new cyber reporting regulations (like those from the SEC in the US) might force companies to disclose material risks – which could include quantum risk for data-rich organizations. The writing on the wall is clear: compliance expectations are emerging, and being proactive will position your organization to meet them with less cost and scramble. Conversely, ignoring this could mean non-compliance down the road, with potential fines or liability if a breach occurs that regulators say “you should have prevented.” Preparing now isn’t just about avoiding future crypto failures – it’s also about staying on the right side of evolving laws and industry standards. Early movers will likely find the transition easier and be viewed favorably by regulators, whereas procrastinators could face rushed mandates later.

2.7. Maintaining Customer Trust and Competitive Edge

Trust is a competitive currency. Demonstrating that you are ahead in protecting customer data and maintaining secure services in the quantum era can become a market differentiator. Whether you serve consumers or enterprises, being able to say “we are quantum-ready” or at least “we are actively preparing for post-quantum security” can instill confidence. For example, a bank or healthcare provider that proactively upgrades to quantum-resistant encryption for sensitive transactions could win business from clients who are quantum-conscious (or at least earn goodwill by showing they take future risks seriously). In the near future, large companies might include quantum-readiness as a criterion in RFPs and contract renewals – “Are you using quantum-safe encryption to protect our data?” If you can answer yes (and have the documentation to back it up), you might have an edge in sales or partnerships. Already, some organizations are starting to include such questions in vendor security questionnaires.

On the flip side, falling behind could erode trust. If, say, a breach happens in a few years and quantum vulnerability is a factor, customers and the public may question why the organization didn’t act in time. Companies that are seen as leaders in security will have an easier time retaining customer loyalty. Remember also that public breaches or incidents have marketing and PR fallout. Preparing for quantum can be part of a broader message: “We are forward-thinking and continuously safeguarding your information against emerging threats.” It’s similar to how embracing strong encryption or multi-factor authentication earlier than others was a selling point for some companies. In summary, early adoption of quantum-resistant practices can enhance your brand and reputation. It shows you prioritize data security and privacy, which not only keeps existing customers happy but can also attract new customers who value these commitments. While nobody is doing this purely for bragging rights, the competitive advantage and marketing value of being prepared is a nice bonus on top of the risk reduction.

2.8. Enhancing Overall Cybersecurity Maturity Today

One of the most underrated benefits of starting a quantum readiness program is that it forces you to improve your overall cybersecurity hygiene and visibility right now. To get ready for PQC, you need to do things like conduct thorough inventories of your cryptographic usage, identify where sensitive data lives, update crypto libraries and configurations, and patch known weaknesses. These are tasks you should be doing anyway! In practice, many organizations have neglected areas like an up-to-date crypto inventory or rigorous key management. By undertaking them for quantum preparedness, you simultaneously close gaps that could be exploited by classical threats. For example, while documenting your cryptographic systems, you might find outdated or misconfigured encryption (“crypto debt”) that could be exploited today by conventional attackers. Fixing those will harden your defenses immediately, not just for the quantum scenario. In essence, quantum readiness becomes a forcing function to tackle long-standing security to-dos.

Think of it like this: preparing for Q-Day involves a lot of the same good practices that a strong security program requires. Inventorying assets and crypto, classifying data, ensuring systems can be updated (agile), eliminating hard-coded secrets, improving identity and access management, etc., all yield immediate resilience gains. There are numerous examples of this “dual benefit.” A crypto inventory might reveal shadow IT systems using weak encryption – you can fix those now. Building crypto-agility (the ability to swap algorithms easily) means you likely modularize and centralize crypto calls in your software, which can reduce overall attack surface and make future updates (even non-quantum ones) easier. Cleaning up legacy crypto implementations (like removing old TLS 1.0 or deprecated ciphers) reduces your exposure to current threats. In short, a quantum program can be pitched internally as a way to modernize and uplift security across the organization, using the new threat as motivation and justification. This is not theoretical – many CISOs are already using quantum readiness projects to get funding for broader security improvements (asset management, PKI upgrades, network segmentation, etc.) that have been hard to justify previously. By framing quantum prep as “we’ll fix a bunch of our known issues under this initiative,” you solve two problems at once: you prepare for tomorrow and get stronger against today’s threats.

2.9. Cyber Insurance and Legal Considerations

As mentioned earlier, the cyber insurance landscape is shifting in light of quantum threats. Insurers increasingly ask clients about emerging risks and what controls they have in place. It’s very plausible that in the next couple of years, insurers will start asking large enterprises: “Have you assessed your exposure to quantum-vulnerable cryptography? Do you have a transition plan?” If the answer is no, it could affect your premiums or even eligibility for certain policies. More immediately, we are seeing signs that insurers might include exclusions for losses stemming from outdated encryption. For example, if a company’s data is compromised in the future because they stayed on RSA too long, an insurer might refuse the claim arguing that the company failed to exercise due care by not upgrading. From a legal standpoint, once standards and best practices around PQC are established (say, NIST standards finalized and widely recommended), choosing not to follow them could be seen as negligence. Boards have a fiduciary duty to manage material risks; given all the government warnings, quantum risk could be considered a foreseeable risk. Therefore, starting preparations helps demonstrate “duty of care.” It puts you in a defensible position that you took reasonable actions to mitigate a known risk. This could be crucial if, heaven forbid, a breach related to cryptography occurs in the future – you want to show regulators, courts, or insurers that you weren’t asleep at the wheel.

Furthermore, investors and board members are asking about this (especially in tech, finance, and defense sectors). They don’t want to find out that management ignored clear warnings. By having a plan and budget approved now, you can confidently address those queries. It’s better to proactively brief your board (“Here’s what we’re doing about quantum risk, here’s why it also benefits us today…”) than to be caught off guard when a board member reads an article and demands to know your strategy. Summing up, being ahead on quantum readiness can keep your insurance coverage solid and your stakeholders reassured that you’re managing risks prudently. Waiting could lead to unpleasant surprises – like higher premiums or public criticism for not acting – that you can avoid by starting early.

2.10. Competitive Advantage and Industry Leadership

Beyond risk reduction, there’s a strategic upside to being a leader in quantum security. In some industries, we’ve seen companies use their security posture as a selling point (“XYZ Bank – first to adopt quantum-safe encryption” or “Your data is protected by next-generation cryptography”). Early adopters can help shape industry standards and customer expectations. For instance, if you’re a cloud provider or software vendor, offering quantum-resistant encryption options now can attract security-conscious customers and differentiate your service. On the flip side, if a competitor offers that and you don’t, you might look outdated. This dynamic is similar to how some companies quickly adopted things like encryption-at-rest or SOC2 compliance to win deals, while laggards had to play catch-up. Acting early on PQC could yield PR opportunities, partnership advantages, and maybe even new business models (e.g., advising smaller partners on how to be quantum-ready, thus deepening relationships).

Also, consider the “first-mover advantage” in learning: by starting pilots now, your team gains expertise that others will scramble for later. You’ll likely encounter challenges and solve them, giving you a smoother path when broader rollout is needed. If your industry is one where trust and security are paramount (finance, healthcare, critical infrastructure), being seen as proactive on emerging threats bolsters your credibility. As regulators and customers increase pressure, those who took initiative will be far better positioned than those who waited. For example, if in 2028 a regulation comes out requiring all critical software to be quantum-safe, a company that started in 2024 might already be compliant or close to it, whereas a procrastinator will be in firefighting mode. So there’s a risk-avoidance competitive angle too: you can avoid last-minute costly rushes that could disrupt business, thereby maintaining smooth operations while others might hit turbulence. In summary, investing in quantum readiness can yield a competitive edge in multiple ways: it strengthens your trustworthiness, differentiates your offerings, and ensures you meet future requirements with less drama.

2.11. Talent Attraction and Internal Culture

There’s no denying that the cybersecurity talent market is tight. Skilled professionals often choose employers who offer exciting, forward-looking challenges and who demonstrate commitment to cutting-edge security. Working on a quantum-readiness program is exactly the kind of initiative that many ambitious security architects or engineers find attractive. It signals that your organization is not stuck in reactive mode but is innovative and proactive. By publicly (or even internally) championing quantum security efforts, you position your team as thought leaders. This can help attract and retain top talent who want to be on the forefront of security technology. Folks who might otherwise be lured by big tech companies or startups might see opportunity in leading a first-of-its-kind program at your organization. Additionally, giving your existing staff the chance to develop expertise in PQC, crypto-agility, etc., can boost morale and professional growth. It’s a break from the routine firefighting and allows them to build new skills (which also benefits the company).

From a culture perspective, tackling a quantum program reinforces a mindset of continuous improvement and learning. It sends a message company-wide that the security team is always looking ahead, not just dealing with yesterday’s issues. This can elevate the stature of the security function internally – e.g., other IT and business units see security driving a strategic initiative rather than just being a cost center. Some companies even turn these kinds of programs into marketing for tech recruitment, showcasing at conferences or blogs what interesting problems their teams are solving. Lastly, being early in this space could afford opportunities to collaborate with academia or industry consortia, giving your team access to a broader community of experts (which is great for learning and recognition). All of this helps make your organization a “place to be” for cybersecurity professionals, which is invaluable in a field where human expertise is one of the scarcest resources.

2.12. Opportunities for Innovation

Engaging with quantum-resistant technologies can spark broader innovation in your organization’s IT and security practices. Often, looking at a problem from a new angle (like “how will we do X in a post-quantum world?”) can reveal inefficiencies or inspire creative solutions that have benefits beyond the quantum scope. For instance, you might develop a much more streamlined way to manage cryptographic keys or certificates as part of becoming crypto-agile – a way that also reduces errors and outages in daily operations. Or perhaps exploring post-quantum VPNs leads your team to create a more modular, flexible network encryption service that improves performance generally. We’ve seen cases where tackling quantum readiness led teams to inventory and streamline their cryptographic libraries, and in doing so they removed redundant libraries and legacy code, improving system performance and reducing attack surface.

There’s also the possibility of new products or services. If your organization is tech-focused, maybe you spin up a new offering (e.g., quantum-safe encrypted storage or communications) that gives you a first-to-market advantage. Even if you’re not selling security, innovating internally could improve processes – like automating the generation of Cryptographic Bills of Materials (CBOMs) for all software, which then also helps with software supply chain transparency overall. Additionally, by engaging with emerging tech, you encourage a culture of experimentation. Maybe your R&D folks start thinking about how quantum computing itself (on the positive side) could be used for business optimization once it’s mature – that forward-looking posture can lead to all sorts of breakthroughs. In summary, preparing for quantum is not just a defensive play; it can catalyze improvements and innovations that make your organization more efficient, resilient, and ready to leverage new technologies for advantage.

These reasons all build a compelling case: waiting for clear proof of a quantum computer’s arrival is not the wise approach. By then, it may be too late to avoid the worst impacts (due to HNDL) or you may have lost valuable time to get budgets and plans in place. Fortunately, as we’ve outlined, starting now has many upsides beyond “avoiding disaster.” It can strengthen your security posture immediately, ensure you meet evolving regulations, keep you competitive, and even turn a daunting risk into a driver of positive change. This forms the basis of your business case to executives: quantum readiness is a strategic imperative that aligns with our organization’s long-term security and success. In the next section, we’ll temper this optimism with realism by examining the major challenges you’ll face when transitioning to post-quantum cryptography. Understanding these challenges in advance will help you plan better and avoid underestimating the task ahead.

3. The Challenges of Adopting Post-Quantum Cryptography (PQC)

One common misconception is that once new PQC algorithms are standardized (e.g., by NIST), the hard work is over – as if we could just plug them in and magically be secure against quantum attacks. In reality, transitioning an enterprise (or an entire industry) to post-quantum cryptography will be a multi-year, multifaceted effort, full of technical and organizational challenges. It’s critical to understand these headwinds so that you can manage expectations, secure sufficient resources, and strategize effectively. Below, we outline the major categories of challenges you’ll need to navigate:

3.1. Algorithm Maturity and Standardization

While significant progress has been made, many PQC algorithms are still relatively new and unproven compared to RSA or AES which have decades of vetting. NIST’s multi-year competition has selected a few candidates (like CRYSTALS-Kyber for key exchange and CRYSTALS-Dilithium for signatures), but even those will undergo further scrutiny and possibly revisions. We must acknowledge that “standardized” doesn’t mean “bulletproof.” It’s possible that after deployment, new vulnerabilities or even breaks could be discovered – for example, through cryptanalysis advances or side-channel attacks. In the past, we’ve seen supposedly strong algorithms suddenly have issues (e.g., certain implementations of elliptic curve crypto had flaws, SHA-1 got broken faster than anticipated, etc.). The quantum threat landscape is dynamic, and our cryptographic solutions will likely need updates over time. This is why building crypto-agility is so important (more on that later).

In practical terms, the algorithms chosen today might be replaced or supplemented by others in a decade. Organizations need to be prepared for that reality. There’s also the challenge of standards coordination: various standards bodies (NIST, ISO, IETF, etc.) will be publishing guidance, and keeping track of which algorithms/protocols are approved for which use-cases might be confusing initially. For instance, NIST might standardize an algorithm, but specific industries (finance, government) might mandate a subset or have additional requirements. We’re also awaiting standards for things like PQC integration into protocols (TLS, IPsec, etc.); some of those drafts exist, but final widespread adoption in products will take time. All this means early adopters may have to iterate and stay flexible. Don’t assume one-and-done: you might implement a PQC algorithm in 2024, and by 2028 decide to switch to a different one because of new information. This challenge underscores why a well-structured, adaptable approach is needed. The goal is to prevent getting stuck with a “quantum-safe” solution that turns out not to be safe or practical in the long run. By acknowledging the relative immaturity of PQC algorithms, you can push for designs that allow swapping them out if needed and invest in continued monitoring of cryptographic research.

3.2. Performance and Infrastructure Impact

Practical experience (from prototypes and trials) has shown that many post-quantum algorithms have performance and size trade-offs that differ from classical crypto. For example, lattice-based schemes like Kyber and Dilithium typically involve much larger keys and signatures than RSA/ECC. A Kyber public key is around 800-1000 bytes (vs 256 bytes for an ECC key), and certain signature schemes like Dilithium can be several kilobytes per signature. If you suddenly replace all your 256-bit ECC keys with 1000-byte keys, what happens? Larger data packets, more bandwidth usage, and potentially higher latency in protocols like TLS. In constrained environments (IoT devices, low-bandwidth networks, older CPUs), this can be a serious issue. We might see slower connection setups, more CPU cycles for cryptographic operations, increased memory usage, and even compatibility problems (like network appliances or VPNs that can’t handle larger handshake messages). Already, in testing, some TLS implementations with PQC key exchange saw handshake sizes that caused IP fragmentation, which then broke middleboxes or firewalls that didn’t expect that.

Also consider the impact on storage and databases: if certificate sizes balloon, your certificate management systems, authentication servers, or blockchain systems (if applicable) will have to handle much bigger objects. Verification of larger signatures can also be CPU-intensive. In short, PQC can stress infrastructure in new ways. The challenge is twofold: technical and logistical. Technically, you might need to optimize code, use hardware acceleration (some PQC algorithms could benefit from specialized CPU instructions or even FPGAs), and possibly upgrade hardware where necessary. Logistically, you need to run a lot of performance testing in realistic environments to detect bottlenecks early. It’s very risky to roll out PQC enterprise-wide without, say, testing how it affects a low-bandwidth remote site or an older mobile device. Bandwidth isn’t free; more data in handshakes or messages can also cost more in cloud environments where data egress is billed. All of this should be factored into planning and budgets (PQC might indirectly mean you need bigger data plans or more server capacity).

The good news is that many mitigations exist: using hybrid approaches (classical + PQC combined) can allow you to keep performance-critical parts fast while adding PQC for safety ; tuning parameters or using different variants of algorithms (some have trade-off between key size and computation) can help; and focusing PQC first on areas where performance can be managed (like internal system links with plenty of bandwidth, vs a customer mobile app on spotty 3G). We’ll touch on hybrids and other strategies later. The key message is: don’t assume PQC fits everywhere out-of-the-box. You will need to measure and likely upgrade parts of your infrastructure – from network appliances (making sure updated protocols are supported) to endpoint devices – to handle the new crypto. Ignoring this challenge could lead to nasty surprises like critical systems slowing down or even failing when PQC is enabled. By being aware, you can incorporate performance testing and capacity planning into your rollout, ensuring a smoother transition.

3.3. Implementation Complexity and Ecosystem Readiness

Adopting PQC algorithms isn’t just a matter of changing a line in code from RSA_encrypt() to Kyber_encrypt(). These new algorithms often require changes to formats, protocols, and even user workflows. For example, a PQC public key might not fit into structures or databases assumed by older software. Digital certificates carrying PQC keys or signatures might not be recognized by existing certificate parsing libraries or hardware security modules (HSMs). Many cryptographic libraries and tools will need updates – and until they do, integrating PQC could mean forking libraries or using less mature implementations. This adds complexity and risk. We also have to manage backward compatibility: not everyone will switch to PQC at once, so protocols need to handle cases where one side is PQC and another is not (this is one reason hybrid solutions are popular – they ensure compatibility by doing both classical and PQC).

Integration complexity also extends to things like key management systems. Your HSMs or cloud KMS might not yet support storing or using PQC keys. In fact, one common challenge is vendors marketing “quantum-safe HSM” when in reality they might only support larger key storage but not the actual algorithm operations in hardware. Relying on them “just supporting PQC” out of the box can be a pitfall – it often requires firmware upgrades or entirely new models of hardware. Similarly, smart cards or secure elements might not handle PQC without new designs.

All this means that a migration will involve a lot of engineering effort: rewriting parts of cryptographic libraries, modifying protocols (or waiting for updated standards like TLS 1.3+PQ), and extensive testing to ensure nothing breaks. A phased approach is wise: trial PQC in a contained environment or on non-critical systems first to iron out issues. Training developers is also crucial – they need to understand these new algorithms (which have different failure modes, like one scheme might be vulnerable to a specific type of implementation bug). The lack of widespread expertise is a challenge; few developers have worked with, say, lattice cryptography before. Engaging with the community (open-source projects, academic experts) can help, as can leveraging any reference implementations from NIST or others.

In summary, PQC integration is not plug-and-play. Expect some roadbumps: maybe a vendor library you depend on doesn’t support PQC yet, or your federated authentication protocol can’t carry the new certificate sizes. Awareness and early engagement with vendors (to ask their roadmap) will be important (we’ll cover vendor management later). By recognizing complexity as a challenge, you can allocate sufficient time and expertise to deal with it, rather than underestimating and ending up in a crunch when you discover half your tools aren’t compatible.

3.4. Compliance and Certification Uncertainty

While regulations are pushing us to adopt PQC, they haven’t fully solidified around exactly how to do that. There’s a challenge in the interim where compliance frameworks and certification processes may lag behind the technology. For instance, you might wonder: if we deploy algorithm X, will it meet our regulator’s requirements? What if we choose one algorithm and later the regulator says we must use a different one? Until bodies like NIST, ISO, and various industry regulators finalize their guidance, there is a bit of a moving target. The NIST PQC standards (first set in 2022, more coming by 2024-2025) will form a baseline, but then those need to be adopted into things like FIPS validation for products, Common Criteria, etc. Your organization might have compliance needs (e.g., FIPS 140-3) – and initially, PQC algorithms might not be FIPS-certified until the standards bodies incorporate them. This could create a weird situation where using the quantum-safe algorithm isn’t yet “approved” under current compliance rules. We expect that to catch up, but it’s something to navigate.

Another example: if you’re in a regulated sector like finance or healthcare, you might need auditor sign-off. Auditors themselves may not yet have clear criteria on what “quantum-ready” entails. The challenge is to avoid either doing nothing (“we’ll wait for guidance”) or doing the wrong thing (“we guessed and implemented X, but now the requirement is Y”). The best approach is to stay closely informed and even participate in the standards process. Monitor NIST’s updates, join industry working groups, comment on drafts if you can. Many regulators are actively seeking input. Also, maintain flexibility: if you start an implementation, design it such that swapping to a different algorithm or parameter is not a total redo (again, crypto-agility). On the certification front, coordinate with your product vendors and partners – for example, if you rely on a VPN product, ask them when they will have a version with NIST-approved PQC and plan upgrades accordingly.

We also should consider export controls and international issues: some countries might have their own PQC standards (China, Russia have independent efforts). If you operate globally, you might need to reconcile different requirements or support multiple algorithm suites depending on locale. It’s complex, but not unprecedented (we’ve dealt with multiple crypto standards before). Organizations should possibly set up a compliance tracking function as part of the program – someone who keeps an eye on all relevant regulatory updates and ensures the program aligns. The worst outcome would be spending millions on a migration only to find it doesn’t tick the right compliance boxes. So treat this challenge seriously: as of now, PQC is a new frontier for compliance, and you will likely need to be in constant communication with regulators and standards bodies as you proceed. By staying ahead of this, you can actually turn compliance into an ally (e.g., use impending regulations as leverage to get budget, as we discussed, or to push vendors).

3.5. The Sheer Cost and Effort Involved

Finally, we must address the elephant in the room: cost. Transitioning to PQC is going to be expensive and resource-intensive. We’re talking about potentially replacing or updating cryptographic components in every corner of the organization – thousands of applications and devices in a large enterprise. This is not just an “IT project” – it’s an enterprise transformation that could span a decade. Costs come from many sources: purchasing new hardware (maybe new HSMs that support PQC, or upgraded IoT devices), buying or developing new software (tools for inventory, new versions of applications), hiring external expertise or additional staff, training the existing team, and significant testing and deployment work. Early estimates from industry case studies suggest these programs can run into the tens of millions of dollars for a large enterprise over several years.

There’s also an opportunity cost: those resources could have been used elsewhere, so part of the challenge is continually justifying the spend. We already made the case why it’s necessary, but ensuring continued funding through a multi-year program requires showing progress and benefits (hence emphasizing those immediate security improvements helps). One tricky aspect is timing: if you wait until the last minute (say a few years before the guessed Q-Day), everyone else will also be rushing, which could drive up costs (think Y2K style – consultants and vendors get swamped, prices soar). We’ve seen predictions that if a major quantum breakthrough were announced, demand for PQC solutions would spike massively, potentially causing shortages or premium pricing for skilled services and hardware. By starting now, you can spread costs over a longer period and potentially lock in contracts at lower cost before demand spikes.

However, you have to be careful with early investments: only invest early in things that you’re confident won’t become obsolete. For instance, buying a ton of hardware now that claims to be “quantum-safe” might backfire if that hardware can’t adapt to final standards. A balanced approach might be to budget for R&D and pilot efforts now, which is relatively small, and then plan the big spend (like replacing all user devices or embedded systems) over time as the tech matures. Also consider seeking external funding or partnerships: governments are offering grants for quantum readiness in some cases, and industry consortiums might share development costs for tools. If you can quantify other benefits (like we did in Section 1, e.g., improved data governance, reduced cyber incidents due to better crypto, etc.), you might offset some costs through operational savings (hard to do, but worth thinking about).

In short, don’t underestimate the cost and complexity – but also, don’t be paralyzed by it. The cost of not doing it could be higher in the long run (breach costs, regulatory fines, etc.). Executives will need to see a plan that breaks the work into phases with estimated budgets, so they understand it’s not a one-year project but a sustained effort with checkpoints. Our guide will later cover how to structure that roadmap. But facing this challenge means securing senior leadership buy-in early (Section 3.1) and continuing to demonstrate value throughout the program. As we often say, “pay now or pay a lot more later” – investing upfront in a planned way is far preferable to scrambling later with blank-check emergency fixes.

Understanding these challenges – from technical pitfalls to resource demands – should not discourage you, but prepare you. A clear-eyed view of the road ahead means you can plan mitigation strategies: ensure crypto-agility to handle algorithm changes, do performance tests to address infrastructure issues, engage vendors and regulators proactively, and secure an appropriate budget and timeline that reflect reality (e.g., a 10-year roadmap, not a 1-year miracle). It also helps in communicating to stakeholders that quantum readiness is not just a simple IT upgrade. It’s akin to a digital transformation project. In fact, many experts are calling the PQC migration the largest and most complex IT/OT overhaul ever attempted. Setting that expectation prevents complacency and motivates proper support.

Before jumping into the action plan, we should also briefly cover some common pitfalls to avoid. There are a few things organizations might be tempted to do (or not do) that could derail a quantum security effort. By learning what not to do, you can steer clear of early mistakes and focus your efforts where they count most.

4. What Not to Do: Common Pitfalls in Quantum Readiness

Embarking on a quantum security program can be daunting, and missteps are easy if you react hastily or without a solid strategy. Based on industry experience and guidance from experts, here are key things to avoid doing as you prepare for the post-quantum transition:

4.1. Don’t Panic-Buy “Quantum-Safe” Solutions

When confronted with a scary new threat, the instinct in some organizations is to throw money at it – often resulting in impulsive purchases of products labeled “quantum-safe” or “Q-Day proof.” Be very cautious here. There’s a growing number of vendors marketing solutions (encryption appliances, VPNs, certificate authorities, etc.) that claim quantum resistance. While some may be credible, buying these too early or without integration plans can be a mistake. As of now, NIST has selected a few algorithms but the full standards and best practices around them are still being finalized (expected by 2024). Many national agencies and regulators (and likely your large enterprise customers) will expect you to use the NIST-approved algorithms once available. If you panic-buy a proprietary “quantum-safe” solution today that isn’t aligned with those standards, you might have to replace it later – wasting budget.

The U.S. Department of Homeland Security explicitly advised against premature adoption of non-standard solutions in its 2022 PQC roadmap. The smarter approach is to focus first on preparatory steps (inventory, planning, crypto-agility) rather than rushing to deploy a shiny new algorithm everywhere overnight. That said, there’s nuance: if a vendor solution can be upgraded easily to the final standards (and you can get that in writing in the contract), then early deployment as a pilot might be okay. Just don’t let fear drive you into buying something that either doesn’t integrate with your systems or locks you into a non-compliant path. For now, keep an eye on market offerings, do small-scale trials if needed, but prioritize understanding your own environment and building a plan. The time for big purchases will come once you have clarity on standards and requirements.

In summary, avoid the “silver bullet shopping spree.” You can’t solve this challenge simply by buying a product. It’s a program of many pieces. If a vendor promises that their solution alone will make you quantum-safe, be skeptical. Focus on foundational work (which is mostly internal) and only invest in tools that complement that work in a well-thought-out manner.

4.2. Don’t Overreact and “Lock Down” Data Prematurely

On the opposite end of the spectrum from doing too much (panic buying) is doing something too drastic in fear – such as severely locking down systems or data access right away. We’ve heard of some organizations considering extreme measures like halting all usage of certain cryptography or adding heavy restrictions on data usage out of quantum fear. For example, upon learning of “Harvest Now, Decrypt Later,” a team might propose encrypting everything with one-time pads or shutting down data-sharing APIs to eliminate any chance of data theft. These kinds of knee-jerk reactions can disrupt business operations and are often unnecessary if you’re starting a measured, multi-year mitigation plan.

Certainly, you should increase awareness of the risk of long-lived data being harvested, and maybe implement tighter monitoring or interim encryption for the most sensitive archives (we’ll talk about some interim protective strategies later). But don’t, for instance, tell your enterprise “we’re going to immediately stop using RSA and only use very cumbersome manual data exchange” just to show action. If done without proper alternatives in place, this could cause more harm than the quantum threat itself in the short term (like breaking integrations or slowing the company down). Remember, the quantum threat – while urgent to plan for – is not materializing tomorrow. We have time to do this right. The development of CRQC (crypto-breaking quantum computers) is likely years away, and even then, early attacks will probably be targeted and expensive, not mass widespread failures at the stroke of midnight. So we prepare with urgency but not panic.

To put it clearly: do not induce a self-inflicted outage or security incident under the banner of quantum readiness. Shutting off data flows or adding overly restrictive controls without planning can hurt your organization’s productivity and trust in the security team. A classic example to avoid is over-classifying information or suddenly forbidding perfectly legitimate encryption methods before replacements are ready – it just leads to workarounds and frustration. Instead, approach this systematically: identify critical data at risk (through discovery and classification), and then for those, consider gradual tightening of controls (like stronger access monitoring, or additional encryption layers) as part of your strategy, not as a one-off reaction. You’ll communicate to regulators and execs that you’re taking it seriously by having a plan, not by performing some symbolic extreme action that doesn’t actually solve the problem. Keep calm, carry on with a plan.

4.3. Don’t Assume “The Vendors Will Handle It” for You

A very common pitfall is thinking, “We don’t need to do much – we’ll just wait for Microsoft/Google/Oracle/Our cloud provider to upgrade their products to PQC, then apply those updates, done.” While vendors indeed have a big role (they will need to incorporate PQC into operating systems, cloud platforms, apps, etc.), outsourcing all responsibility to them is dangerous. Surveys have shown a majority of executives are taking this backseat approach, expecting vendors to make them quantum-safe automatically. The reality: your internal systems, custom applications, and integration of vendor components require active management. Vendors will release patches or new versions, but you need to know where to apply them (hence inventory), ensure compatibility, possibly pressure some vendors who are slow, and validate through testing.

Also, many aspects of quantum readiness are organization-specific: deciding which data to re-encrypt, which legacy systems to replace vs. retrofit, how to redesign your PKI – no vendor can decide that for you. If you just sit and wait, you might find yourself in 2028 with dozens of “available updates” from suppliers but no strategy to roll them out, no testing environment, and maybe some suppliers who have gone out of business or aren’t providing updates (then what?). Additionally, compliance accountability remains with you, not your vendors. Regulators and boards will hold your organization responsible for managing risk, even if part of that means ensuring your vendors meet requirements. Think of it like cloud security shared responsibility – yes the cloud provider secures the infrastructure, but you must configure and use it correctly. Similarly, vendors will supply quantum-safe components, but you must integrate them into an overall secure architecture.

So do not adopt a passive stance. Engage your vendors (we will discuss how in Section 4.5 and 4.13.1.3) – ask them for roadmaps, influence their priorities by signaling you need quantum-safe features, include contract clauses for PQC support. But also, prepare internally with the assumption that some vendors might lag or fail – you may need contingency plans (like isolating or replacing a product if it can’t be upgraded). Another related pitfall: thinking that just because you use cloud services, you’re covered. Cloud providers are among those moving fastest on PQC, but if you build applications on top of them, you still own the app-level crypto in many cases (e.g., if you encrypt data in the application before storing in the cloud, you have to handle that encryption’s upgrade). Summed up, quantum readiness is an enterprise problem, not just a vendor problem. Don’t outsource your brain on this issue. Even as you lean on vendors for support, maintain a comprehensive internal program to drive and govern the transition.

4.4. Don’t Treat PQC Migration as “Just Another Patch Tuesday”

It’s worth stressing a mindset pitfall: underestimation. Do not think of the quantum transition as just a simple patch or version upgrade that IT can do quietly over a weekend. This is more analogous to Y2K or IPv6 or a digital transformation project than a routine patch. If leaders in your org say “can’t we just wait until there’s a quantum breach and then quickly patch?”, they are missing the scope. Why not? Because if an emergency quantum break happened, by the time a “patch” is available, the damage (for long-lived data) is done, and deploying said patch across possibly thousands of systems could take months or years – far too late. The challenge is fundamentally about changing architecture and systems, not applying a hotfix.

So the pitfall is complacency: not allocating enough time, not assigning strong project management, and not involving the broader business. If someone tries to jam quantum readiness under the rug of normal operations, it will languish. You need a programmatic approach with executive mandate (we’ll cover securing that mandate next). We mention this as a “not do” because some organizations initially say “our infosec team will handle this quietly.” That rarely works for something this large. Instead, you should elevate it – avoid the mistake of treating it as a minor technical detail. Communicate to everyone that this is a strategic initiative requiring cross-department effort.

Additionally, don’t assume a one-time fix will suffice. Installing PQC algorithms isn’t the end; maintaining crypto-agility and monitoring new threats is ongoing. If a mindset exists of “once we swap out for PQC algorithms, we’re safe for 20 years,” that’s flawed. As experts note, PQC is necessary but not sufficient for long-term security. You still need defense-in-depth, good key management, and readiness for future cryptographic surprises. The pitfall would be to declare victory after a partial rollout. Instead, build continual crypto management capabilities.

In short, avoid any line of thinking that downplays the effort or oversimplifies the solution. Post-quantum migration is a big deal – likely the biggest upgrade project in cybersecurity history. Embrace that fact and plan accordingly, rather than trying to make it fit into a “normal operations” box. As the saying goes, failing to plan is planning to fail.

With those cautions in mind, let’s turn to what you should do – a structured approach to kickstarting and executing a quantum readiness program effectively.

5. What You Should Do: A Step-by-Step Quantum Readiness Plan

We now transition from the why and what to avoid into the action plan – how to get this program off the ground and see it through. The steps below follow a logical progression that many organizations will go through, though in practice some can overlap or be iterative. We start with obtaining the all-important executive support and budget, then move into building the right team and awareness, and onward through discovery, assessment, remediation planning, and implementation. Throughout, we will highlight practical guidance and lessons learned. Let’s dive in:

5.1. Secure Executive Mandate and Budget for the Program

Every successful security initiative starts from the top. Senior leadership support is critical for a quantum readiness program because it will span multiple years, departments, and require funding and prioritization amidst other projects. Your first mission is to educate and convince the C-suite and board to champion this effort. This involves articulating the threat in business terms, presenting a compelling case with tangible benefits (not just avoiding a theoretical risk), and outlining a high-level plan so they see you know how to tackle it.

Here are key strategies to secure that mandate:

Frame the Risk in Business and Ecosystem Terms: Explain that while the exact timing of quantum threats is uncertain, the pressures are here now – regulatory deadlines (2030-ish), client expectations, and the harvest-now threat which makes it effectively a present risk. Emphasize that this is about protecting the organization’s long-term viability and trust. For boards, frame it as a governance and fiduciary issue – similar to pandemic preparedness or climate risk: low frequency, high impact, and with warning signs we’d be negligent to ignore. Avoid heavy physics talk; instead, highlight real scenarios (e.g., “Our customer data, if stolen today, could be decrypted in 5-10 years exposing personal info – regulators would ask why we didn’t act” or “Our digital signatures could be forged, causing instant trust breaches in our products if we’re not ahead”).
Present the “New Clock” and External Drivers: Use concrete deadlines and external expectations as the ticking clock rather than speculative Q-Day dates. For example: “The EU requires us quantum-safe by 2030 ; US law mandates agency plans now ; our key customer X has asked about our quantum plan in their security questionnaire.” Reinforce that regulators, insurers, and investors are effectively dictating the timeline. This gives a sense of urgency and inevitability that doesn’t rely on crystal-ball predictions.
Highlight the Immediate Benefits (“Why pay now”): As we discussed in section 1, outline the tangible benefits buckets: completing a comprehensive asset and crypto inventory (finally getting full visibility), fixing existing crypto weaknesses (“crypto debt”) which reduces current breach risk, building crypto-agility which future-proofs us for any new crypto threat, strengthening vendor security by proactively engaging suppliers, and improving data governance (knowing where sensitive data is and protecting it better). Basically, show that this program is a vehicle to modernize our security comprehensively, not just a niche exercise. You can quote that many peers are using quantum readiness to justify overdue security improvements. This positions the spend as delivering value today.
Lay Out the Cost of Inaction: Conversely, articulate the cost of waiting. Use analogies: “If we wait until 2030 to start, it will be like trying to change the engine of a flying plane – extremely costly and risky, and we may suffer breaches or compliance hits in the meantime.” Point out that emergency last-minute efforts always cost more (consultants at premium, potential incident losses) – “Pay now or pay much more later”. Also mention insurance caveats: not preparing could invalidate insurance or be seen as negligence. If you have internal risk modeling, maybe assign an estimated financial risk (though that’s hard, even citing studies or government risk estimates can help).
Resource and Budget Outline: Be upfront that this needs a multi-year budget. You don’t need exact figures at first, but give ballparks or at least show phases. For example, “Year 1: assessment and inventory (cost X), Year 2-3: pilots and remediation of highest risks (cost Y), full rollout by Year 5 (cost Z). Total program might be spread over N years.” You might reference a case study or benchmark if available, e.g., “Analysts estimate a large enterprise might spend on the order of tens of millions over a decade on this.” While big, compare it to something like a digital transformation or compliance program cost that leadership can contextualize.
Competitive/Strategic Angle: Note if key competitors are already moving (if you have that info). No one wants to be last. Also, mention any public statements by regulators or industry groups relevant to your sector (we’ve cited many in section 1.6 and 1.7) to show this is mainstream. If applicable, mention the talent angle: “By being a leader here, we’ll attract top tech talent and demonstrate innovation, which leadership has said is a priority”.
Ask for a Champion: Ideally, get a C-level champion (if not the CISO themselves, maybe the CIO or COO) to sponsor the program. This person should be convinced to publicly support it and help navigate roadblocks. Often the CISO will be the champion, but having a business executive co-sponsor (like head of Risk or COO) can reinforce it.
Set Clear, Achievable Objectives: Leaders like to know what success looks like. Propose some high-level goals: e.g., “Within 6 months, complete enterprise crypto inventory; within 12 months, pilot PQC in 2 critical systems; in 18 months, have a roadmap for full migration; by year 3, all new systems use approved PQC or are agile…” Ensure these align with overall business strategies and regulatory timelines. Clear milestones help in getting buy-in because it’s not a blank check – it’s a managed program.
Prepare a Deck/Briefing: Develop a compelling presentation for the board/executives that covers all the above: threat overview (HNDL, TNFL, etc.), external drivers, benefits of acting now, outline of plan and needed resources. Use visuals if possible – e.g., a timeline showing “if we start now vs start later” or diagrams of how many layers of the organization crypto touches (to show breadth). Senior leadership decks from the community can help (for instance, CISO budget justification decks focusing on quantum are available with example benefit breakdowns). An example visualization might be helpful to include: a slide summarizing Why Now?, the Ask (resources needed), and the Outcomes/Benefits.

Example: CISO’s Quantum Readiness Pitch (Slide Excerpt). This illustrative slide shows how a CISO might distill the quantum risk and program ask for senior leadership. It highlights the external “clock” (regulators, clients, HNDL threat), the request to initiate a multi-year program now, and the outcomes – both the avoidance of future crises and the immediate improvements in security hygiene, customer trust, and talent retention gained by acting early. Such a business-focused summary can help board members and executives quickly grasp why investing in quantum readiness now is prudent

Anticipate Q&A: Be ready to answer typical tough questions: “Why can’t we wait 5 years?” (Answer: external pressures, HNDL risk, program length needed), “How is this different from upgrading TLS or something we’ve done before?” (Answer: touches almost everything, akin to big transformations, not a simple patch), “What if quantum is 50 years away?” (Answer: unlikely per consensus, but even if, we gain security and operational benefits now and avoid being behind regulators), “Can we insure against this?” (Answer: insurers are actually pushing us to do this; no insurance if negligence), and “What are others doing?” (Answer: Many Fortune 500s have started assessments; governments are mandating it; we don’t want to be left catching up).

Securing support might take a few rounds – possibly an initial education session then a formal proposal. Once leadership is on board, get a formal mandate: ideally a written charter or inclusion in corporate objectives that this program is approved. And of course, nail down the budget (or at least budget for a first phase). The leadership backing should empower you to break silos (“the CEO says all divisions must cooperate on this inventory”) and to obtain needed funding and headcount. With this foundation, you can proceed to assemble the team and kick off execution, knowing you have air cover from above.

5.1.1. Practical Steps for Engaging Senior Leadership

To summarize and operationalize the above, here are concrete steps and tips when approaching senior leadership:

Develop a Compelling Presentation: Create a focused executive briefing (10-15 slides max) covering the quantum threat overview (without deep tech jargon), real-world drivers (regulations, etc.), and your proposed program outline with timeline and benefits. Use analogies (Y2K, etc.) and visuals like charts or timelines. Highlight key phrases like “mandatory by 2030” or “data at risk now.” Keep it high-level; detailed plans can go in an appendix.
Build a Detailed Business Case Document: Supplement the presentation with a written business case that includes rough cost estimates, resource needs, and ROI analysis. ROI here is mainly risk reduction, but also factor in the “immediate wins” we discussed. Include any data you have (e.g., “we identified X instances of weak crypto already, which we can fix under this program, reducing breach probability by Y”). Leadership will want to see that you’ve done due diligence on what this entails financially.
Secure a High-Level Champion: Identify which executive is most likely to grasp the importance – often the CTO, CIO, Chief Risk Officer, or a tech-savvy business executive. Brief them one-on-one to get them on your side. Having them voice support in meetings or sponsor the initiative in governance forums is invaluable. It signals to others that this has top-level attention.
Propose a Phased Plan: Executives like low-risk approaches. Lay out phases (Phase 0: assessment, Phase 1: inventory, Phase 2: pilots, etc.) so they see it’s incremental and controlled. This also makes the budget ask more palatable (e.g., “Year 1 needs $X, we will come with refined ask for Year 2 after assessment results”). A phased plan shows prudence – you’re not asking for a blank check, you’re planning to pilot and learn.
Emphasize Regulatory Compliance: If anything will get boards moving, it’s compliance. Clearly state how acting now ensures the organization will meet upcoming regulations and avoid penalties. If you have legal or compliance officers, involve them to back you up on this point.
Benchmark with Peers: If you have information about industry peers starting similar initiatives or any public references (sometimes industry conferences or case studies), mention them. Executives often ask “What are others doing?” If you can say, “Bank X has already done a crypto inventory and is piloting PQC tunnels” or “Our competitor Y’s CEO mentioned quantum risk in their annual report,” it drives home that this is taken seriously in your sector.
Highlight Talent and Innovation Aspects: Depending on your audience, it can help to mention that working on this will put your organization at the cutting edge, attract talent, and possibly open innovation avenues (as discussed in benefits). Some execs care about being seen as innovators – appeal to that by suggesting this could garner positive press or thought leadership (e.g., offering to publish a case study, etc., with comms team approval). It positions the spend as not just defensive but forward-thinking.
Plan for Ongoing Governance: Assure leadership that this won’t be an unmanaged sprawl. Propose a governance structure (e.g., a steering committee with executive participation, regular status updates to the board or a risk committee, etc.). This gives them confidence that the program will be tracked and controlled, and they’ll have visibility.
Address Their Concerns Proactively: Be ready to address typical executive concerns. For budget: “We will integrate this with lifecycle replacements to optimize cost where possible.” For complexity: “We have a plan to get external expert support and are following industry best practice guides (like NIST’s roadmap).” For urgency: “Yes, it’s a future risk, but actions today save exponentially more later – analogous to investing in cybersecurity insurance or in cloud migration early.”
Follow Up with Documentation: After discussions, send a follow-up email or document capturing the agreed points – e.g., confirmation of support, next steps (like “approval to hire 2 FTEs and engage X consultancy for assessment”). This helps cement the commitment. If possible, get a formal sign-off on a charter.

Gaining leadership buy-in is arguably the hardest part – it’s where many initiatives fail if the board doesn’t see the value. But once you have it, the path opens up. Assume now that you have the mandate and initial budget in hand. The next step is to establish the team and governance structure to execute the plan.

5.2. Establish a Cross-Functional Quantum Readiness Team

Quantum readiness is not a one-person or one-department show. It impacts numerous domains: IT infrastructure, application development, security operations, risk management, compliance, vendor management, and more. Therefore, you need a cross-functional team dedicated to this program. This team will plan and drive the effort, coordinate across silos, and ensure all the right expertise is applied to the problem.

Key considerations for the team:

Include Diverse Stakeholders: At minimum, your core team should have representation from: cybersecurity (architecture and operations), IT systems/architecture, application development or engineering, compliance/legal, risk management, and possibly data governance. Each brings a lens: the app dev person knows where crypto is in code, the IT person knows legacy systems and networks, the compliance person tracks regs, etc.. If you have separate teams for IT and OT (operational technology), include OT/security engineering too because industrial systems have unique challenges in PQC migration.
Empower the Team: This must be a formally empowered group, not an informal committee. Have the mandate (from step 4.1) explicitly give them authority to request information and action from all departments. Ideally, set it up as a program office or task force. The team lead should be someone who can coordinate across units – often the CISO or a direct report like a head of crypto or enterprise security architect can chair it, but with equal voice from IT, etc.
Define Roles and Responsibilities: Right away, clarify roles: e.g., “Alice from Security Architecture is lead for cryptographic inventory; Bob from IT is lead for systems inventory; Carol from compliance ensures alignment with regs,” etc.. Set expectations that each member reports back to and rallies resources from their respective departments. Document this in a charter.
Assign a Program/Project Manager: Given the complexity, assign a dedicated program manager (or project manager) to this initiative. That person keeps track of tasks, timelines, meeting notes, and follow-ups. They should establish a project plan (we’ll touch on that in Governance later) and coordinate the moving parts. If you can’t spare an internal PM, consider hiring one or using a consulting PM for the duration.
Provide Resources: Ensure the team has what it needs: budget to procure tools or outside expertise (like crypto inventory tools or consultants), authority to set aside time (this might mean adjusting some team members’ other duties – e.g., free up 30% of the network architect’s time for this program), and training if needed. Also, set up collaboration infrastructure like a dedicated project workspace, regular meeting schedule, and a shared repository for documentation (could be a SharePoint or Confluence space, etc.).
Communicate the Team’s Existence: Announce broadly that this cross-functional team is established and has leadership backing. When people across the org hear from them (for interviews, data gathering, etc.), they should know it’s official. You could send an internal memo or have an executive sponsor announce it at a town hall: “We have launched a Post-Quantum Readiness program led by [names], please cooperate fully with them as they may engage many of you for information and support.”
Team Empowerment and Agility: Encourage the team to foster a culture of collaboration and continuous learning. The team will be tackling problems no one has solved before here (at least within your company). They should feel safe to surface challenges and propose creative solutions. Regular knowledge sharing within the team is good – e.g., weekly briefings where one member shares research on a PQC topic to educate others, etc. Also, encourage them to tap external resources: join industry groups, attend webinars, talk to peers at other companies (if possible) to share experiences.

By establishing this team, you effectively create the engine to drive the program. It’s important that it’s cross-functional from the get-go because, for instance, you don’t want to finish a cryptographic inventory only to realize you didn’t have anyone from enterprise architecture weigh in on how to integrate the findings with asset inventory. Early collaboration saves pain later.

5.2.1. Practical Steps to Build and Structure the Team

To break it down into actions:

Define Program Scope and Goals (Charter): Write a short charter document. It should state the purpose (e.g., “to ensure [Organization] is prepared for cryptographic threats from quantum computing by X date”), in-scope activities (inventory, roadmap, pilot, etc.), and initial deliverables (maybe “complete initial assessment in 6 months”). This clarity helps recruiting the right members and sets a unified direction.
Select Team Members: Work with department heads to nominate skilled individuals for the team. Key members might include: a lead cryptographer or security architect (to focus on crypto issues), a lead from IT infrastructure (knows systems and networks), someone from application dev or DevSecOps (knows software side), a representative from compliance or legal (to track regulatory aspects), someone from risk management (to align with enterprise risk processes), and possibly a representative from procurement or vendor management (since engaging third parties is big here). If you have a data privacy officer or data governance lead, consider them too (for the sensitive data inventory part). Aim for a lean core team (5-8 people) who can then pull in others as needed. Ensure they are well-respected and have relevant knowledge in their domain – you want your best people on this, or at least people who can make decisions or get answers quickly.
Appoint a Program Leader: Decide who is leading day-to-day. Often the CISO or head of security architecture will be executive sponsor, but you might have a program lead who is say a Director level. Pick someone with good project management and communication skills, not just technical (since they’ll be coordinating exec updates, etc.). Officially give them authority to make decisions within the program (with oversight from the sponsor as needed).
Clarify Roles of Each Member: As mentioned, define what each member is responsible for. For instance: “IT Infrastructure rep will drive the systems & assets inventory (section 4.10 tasks), Security rep will drive cryptographic inventory (4.7 tasks) and crypto strategy (4.13 tasks), Compliance rep will track regs and ensure our plan meets them, etc.” Write this down and agree on it in the first team meeting. This avoids confusion and gaps (“I thought Bob was checking with that vendor, not me!”).
Secure Time and Budget for Team: Talk to managers of those team members to ensure they can allocate sufficient time. It might mean shifting some of their other work to colleagues or backfilling roles. In some cases, you might need to hire contractors or an extra analyst to take over part of someone’s BAU work while they focus on this. It’s important that team members aren’t expected to do this on top of a full load of normal duties – that’s a recipe for burnout and slow progress. Secure budget if needed to alleviate workload (this could be part of initial budget ask).
Set Up Team Operations: Schedule a kickoff meeting and regular working sessions (e.g., weekly team meeting). Establish a shared repository or project management tool (could be as simple as a Teams/Slack channel and a Trello board, or a more formal MS Project plan accessible to all). Decide on reporting cadence (maybe the program leader will send a monthly update to an executive steering committee).
Provide Training/Resources: Identify any knowledge gaps and address them early. For example, if your IT rep has never heard of lattice cryptography, maybe send them to a training or ensure they read some primers (lots of resources exist, even NIST’s whitepapers). The team might do collective training sessions too – bring in an external expert for a workshop if possible. Also equip them with tools: maybe subscribe to a threat intel or news service about quantum (to keep updated), get them access to testing environments for PQC if needed, etc..
Develop a High-Level Action Plan: In the first few weeks, the team should break down the charter into a concrete plan (even if rough). For instance: “Phase 1: do inventory by month X, Phase 2: risk assessment by month Y, Phase 3: pilots by month Z.” This might align with the phases we outline in this guide. Having an initial plan helps coordinate efforts and also gives something to show leadership that the team is organized. (We’ll get more into planning in governance section 4.6 as well.)
Foster Collaboration and Feedback: Encourage the team to work openly – regular check-ins, share findings, and document as they go. Create a culture where if, say, the app dev rep finds something (like a previously unknown crypto usage), they share it immediately rather than keeping it siloed. Likewise, if someone hits a roadblock, they should raise it so others can help or escalate. Possibly implement a quick feedback loop – like after first month, ask team “what’s working, what isn’t?” and adjust meeting frequency or decision-making processes accordingly.
Engage Leadership Periodically: Even after getting initial approval, keep leadership in the loop. Perhaps have a steering committee with a couple of executives (CISO, CIO, etc.) that the team reports to quarterly. This ensures ongoing buy-in and that if any issues (like needing more resources) come up, they can be addressed with top cover.

With the team in place and functioning, you have the machinery to execute the program. Next, it’s wise to ensure everyone in the organization is aware of what’s happening and why – which is where a good awareness campaign comes in.

5.3. Launch an Organization-Wide Quantum Awareness Campaign

Before diving into inventories and technical work, it’s valuable to get the broader organization on the same page about quantum computing – both its opportunities and its risks. An awareness campaign will educate stakeholders at all levels, preempt misunderstandings, and build a supportive culture for the changes ahead. Think of this as preparing the ground so that when your team approaches people for information or changes processes, they understand the context.

Key elements of a good awareness campaign:

Craft a Balanced Narrative: Avoid FUD (fear, uncertainty, doubt) overload. Yes, you need to explain the threat (HNDL, potential future breakage of encryption), but also highlight the positive aspects of quantum tech (its beneficial uses, why we’re excited about the future). This prevents fatigue and skepticism. For example, your messaging can be: “Quantum computing is an amazing innovation that could solve big problems, but like any disruptive tech it also poses new security challenges – and here’s how we’ll address them.”
Tailor the Message to Different Audiences: One size won’t fit all. Identify the key groups: Executive leadership & Board, General employees/staff, IT and security teams, Developers/engineers, and possibly customers or partners if you engage them on this. For each, emphasize what matters to them:
- For Boards/C-Suite: Focus on strategic risk, compliance, and business impact (as we did in section 4.1). Perhaps prepare a short briefing or Q&A for them specifically.
- For Non-technical Staff: Provide a simple explanation of quantum computing and its timeline, assuring them that the company is on top of it. You might connect it to day-to-day: e.g., “This is why we’ll be updating encryption in coming years – to keep your data safe.”
- For IT/Security Teams: Get more technical. Explain which algorithms are at risk and which new ones are coming, the concept of crypto-agility, and what their role will be (like cooperating in inventories, updating systems). Emphasize that this is an opportunity to improve the environment overall.
- For Developers/Engineers: Possibly separate sessions focusing on coding practices, libraries that will be updated, and how they can design systems now to be agile for future upgrades.
- For External Partners (if appropriate): Maybe a high-level statement or communication in vendor newsletters saying you take quantum risk seriously and will coordinate with them (some companies do PR around being “quantum-safe” ready to assure clients).
Use Multiple Channels and Formats: Some people will read an article, others prefer a short video or an interactive Q&A. Use a mix: company-wide email or intranet announcement, a page on your intranet FAQing “Quantum Threats – What is our company doing?”, lunch-and-learn sessions or webinars, short videos with analogies, and even posters or infographics for quick takeaways. Gamify it if you can – e.g., a quiz after a training session with small prizes to encourage participation. Ensure top leadership endorses it; e.g., a note from the CEO in a newsletter saying “I encourage everyone to learn about this important initiative.”
Bring in External Experts: Quantum computing can seem esoteric. Inviting a guest speaker (maybe a professor or industry expert) to give a talk can add credibility and clarity. They could cover basics of quantum computing in layman terms and what it means for cybersecurity. This breaks the monotony of internal voices and can correct any misconceptions.
Address Misconceptions: Without guidance, people might mix up “quantum computing” with sci-fi or unrelated “quantum” ideas (there have been instances of employees thinking quantum risk is like some mystical concept due to pop science misinfo). Be clear: define cryptographically relevant quantum computer (CRQC) as what we’re concerned about, not the entire field of quantum tech. Also clarify that “quantum-safe encryption” is different from things like quantum physics theories etc. Making sure everyone has a basic common understanding is the goal.
Encourage Continuous Learning: Quantum tech is evolving. Set the tone that this isn’t a one-time training. Provide resources for those interested to delve deeper – like a curated list of articles (you can reference external ones or even use your company’s PostQuantum.com AI Explainer if you have one !), internal discussion channels, or periodic updates as news comes (like when NIST announces something, share it internally). Maybe start a small internal working group or community of interest for quantum, where enthusiasts or relevant personnel can share news and progress.
Link the Awareness to the Program: Make sure people know why they’re being told this: because the company is proactively launching a program. Explain at a high level what to expect – e.g., “In the coming months, our quantum readiness team may reach out to various departments to assess systems and plan upgrades. We appreciate your cooperation in this important effort.” This way when, say, someone from the team asks an app owner “what crypto does your app use?”, they aren’t confused – they recall the awareness campaign mention of inventory, etc.

To illustrate one key aspect: when communicating to boards vs staff, consider content differences. For Boards, maybe share a one-pager titled “What is the Quantum Threat? – A Guide for Executives” summarizing HNDL, TNFL, risk-as-governance perspective, and listing a few questions board members should ask (like “Have we done a crypto inventory? What’s our timeline to upgrade critical systems?”). For General Staff, perhaps an infographic “Quantum Computing 101 and Why Cybersecurity is Adapting” with fun visuals of qubits vs bits, and an analogy like “it’s like the invention of faster lock-picking tools, so we need better locks”.

5.3.1. Practical Steps to Execute the Awareness Campaign

Set Clear Objectives and Audience Segments: Decide what you want to achieve: e.g., 100% of IT staff attend a quantum briefing, all developers read secure coding guidelines for PQC, general staff all see at least an announcement. Identify the groups as mentioned (execs, IT, developers, general) and any specific ones like sales (they might need to respond to customer questions). For each, tailor the key message.
Develop Educational Content: Gather or create materials. You can repurpose good external content (NIST has some FAQs, there are articles like “Quantum threat for dummies,” etc.). Ensure to cover basics: what is quantum computing (in simple terms), what is Q-Day, what’s HNDL/TNFL in non-jargon language, and what are PQC algorithms (conceptually). Also highlight positives: e.g., “Quantum computers may revolutionize drug discovery or logistics” to keep it balanced. Use analogies liberally (like comparing classical vs quantum computing to ordinary vs lock-picking-resistant locks). Possibly create an internal FAQ on your intranet answering things like “Do we have a quantum computer? (No, but we don’t need one to be impacted)”, “Is this AI? (No, different tech)”. Keep tone accessible.
Use Varied Communication Channels: Plan a series of communications. For example:
- Kickoff email from CISO or CEO to all staff introducing the topic.
- A dedicated intranet page or portal for “Quantum Readiness” where resources are collected.
- Schedule live sessions: an exec presentation for senior management, a tech talk for IT, maybe an all-hands if appropriate.
- Webinars/recorded videos that people can watch on their own time.
- Leverage internal social platforms (post short facts or quizzes on Slack/Teams).
- Put posters in offices if in-person, e.g., “Quantum Threat: Did you know encrypted data today might be readable in a decade? Learn more at [link].”
- Ensure those who miss live sessions have recordings or slides available.
Engage External Experts: Coordinate a guest speaker session. Perhaps someone from a respected org (a NIST representative, a professor, or even a consultant with domain knowledge). They can lend authority to the information and also excite people about the technology side of quantum computing. If budget allows, bring them in for a talk plus Q&A. Sometimes staff feel reassured hearing it from a globally recognized expert rather than only internal folks.
Interactive and Tailored Workshops: For your technical teams, do deeper workshops. E.g., a half-day training for developers on how to identify crypto in their code and what changes PQC might bring. Or a threat modeling session: “let’s look at our system X and see how quantum affects its security” – a good exercise to make it concrete for engineers. For general staff, maybe an interactive quiz (“Myth vs Fact: Quantum Edition”) in a newsletter to reinforce points.
Feedback and Q&A Mechanisms: Set up a way for employees to ask questions – could be an email alias or a Slack channel like #ask-quantum. Monitor it and respond. This will surface concerns or rumors you might not have realized. You can then address those in follow-ups (e.g., if many ask “Will quantum break Bitcoin?”, you might put out a small note clarifying that). Also gather feedback through a quick survey after sessions: “Do you feel you understand the basics? Any suggestions?” This shows you care and helps improve the campaign.
Maintain Momentum: Don’t let it be one-and-done. Perhaps plan a quarterly update in internal newsletters, or tie it to news (“NIST just announced new algorithms – here’s what it means for us”). Keep the topic alive but not overwhelming. Also, as the program progresses, share successes: e.g., “Our team completed the first cryptographic inventory – found and updated 50 weak spots already (woohoo!).” This not only educates but demonstrates progress and commitment, keeping stakeholders engaged.

By investing in awareness, you reduce friction later. People will be less surprised when you roll out changes, and some might even become allies or champions in their departments (“oh, I learned about this, let’s cooperate”). It sets a proactive tone: the company isn’t hiding this issue, we’re tackling it openly and everyone has a part to play.

Now that leadership is on board, the team is set, and the organization is informed, the groundwork is laid. Next, we should think about external engagement – because not all knowledge and solutions exist in-house. We should actively connect with standard bodies, government agencies, academia, and industry groups to stay at the forefront.

No organization is an island, especially with something as far-reaching as the quantum transition. Engaging with external stakeholders – like standards bodies (e.g., NIST), national cybersecurity agencies, academic researchers, and industry consortia – will provide you with crucial insights, influence, and support. It ensures you’re not reinventing the wheel and that your program aligns with broader developments. Here’s how to go about it:

5.4.1. Work with NIST and Standards Organizations

NIST (or analogous bodies in other countries) is leading the technical standardization of PQC. Keep a close watch on their announcements, drafts, and events. Subscribe to official updates or newsletters. If public comment drafts of standards (like FIPS standards for PQC algorithms) come out, have your crypto experts review and perhaps even comment with your practical concerns – this can influence final outcomes and gets your team deeper understanding. Also consider joining working groups: for example, the IETF has working groups on PQC for internet protocols; ISO has crypto committees. If you have a chance to send an expert or at least follow their proceedings, do it. By being active, you’ll know about changes early and maybe steer them to be more practical for industry.

NIST and other bodies often host workshops or conferences – try to attend those (virtually or in person). They can be dense, but even gleaning key points or networking with experts is valuable. It’s also worth reading case studies or implementation guides some standards groups might publish. Some countries’ standards groups or agencies issue guidance (like ENISA in EU or NCSC in UK); collect those and use them in your planning.

5.4.2. Collaborate with National Cybersecurity Agencies

If there’s a national cybersecurity center or similar in your jurisdiction, open lines of communication. They often like to gather input from industry and can provide early warnings or advice. For example, the U.S. CISA and DHS have released quantum readiness toolkits; the UK NCSC and Singapore CSA provide guidance too. Sometimes agencies run information-sharing groups or threat intelligence forums – join those. Sharing non-sensitive info about challenges you face and hearing what others are seeing can be mutually beneficial.

Some agencies might also run exercises or drills for quantum-related scenarios – if those happen, volunteer to participate. And ensure you comply with any reporting requirements: for instance, if an agency asks all companies to report progress on quantum readiness annually (which could happen in future), be ready to showcase yours. Being engaged with agencies also shows regulators you’re proactive.

5.4.3. Engage Academia and Research

Quantum computing and cryptography are areas where academia is very active. Consider partnering with a local university or research institute on a small project – e.g., perhaps sponsor a Master’s thesis to analyze your cryptographic footprint or test PQC in one of your systems. This can give you fresh insights and help a student, win-win. You could also invite professors to review your approach or to speak to your team for advanced training. Many academics appreciate real-world validation, so they might be open to informal consulting (maybe even free) to see their research in action.

Attending academic conferences (or sending someone from your team) like PQCrypto, CRYPTO, or various IEEE events can inform you of cutting-edge developments. True, not everything there is practical, but you might spot potential issues or new solutions early. Also, universities might run executive education or courses on quantum for tech leaders – these can be helpful for senior team members to attend.

By engaging academia, you also make your company visible to up-and-coming talent (as mentioned, that helps recruiting). You could host or attend hackathons or workshops on PQC. And if you’re large enough, maybe join consortia that include academia (some government-funded quantum research groups involve private sector as observers).

5.4.4. Join Industry Consortia and Peer Collaboration

There are industry groups specifically addressing quantum-safe security (like the Cloud Security Alliance’s Quantum-Safe Security Working Group, the Quantum Economic Development Consortium (QED-C) in the US, or the European Quantum Industry Consortium (QuIC)). Being a member or at least following their publications can give you access to collective knowledge and tools. These groups often produce whitepapers, best practices, or even open-source tools for inventory or testing. They also provide a forum to share experiences: hearing how another company did their crypto inventory or what challenges they faced with a vendor is golden information.

Additionally, consider informal peer networking: reach out to CISOs or crypto engineers at partner companies or even competitors if appropriate – sometimes there are information-sharing groups (like ISACs for critical industries) where such topics can be discussed. Form a kind of community of practice. As this is not about competitive advantage (everyone needs to secure this), peers are often willing to trade tips. For example, if a certain inventory tool worked well for them, that might save you time evaluating options.

Finally, share back your lessons. If your program finds a particularly effective method or you develop a good process, consider publishing a case study or speaking at a conference. Not only does this bolster your company’s reputation as a leader (useful for trust and talent attraction), but it contributes to the ecosystem’s readiness. This collective defense mindset is crucial because, in the end, if large swaths of industry aren’t prepared, everyone suffers (through interconnected systems, supply chain, etc.).

Engaging externally ensures you’re aligned with the state of the art and not duplicating effort. It also helps avoid isolation – your team will feel supported knowing many others are on the same journey. With external intelligence flowing in, you can adjust your program as needed to new developments (for example, if an engaged group indicates one algorithm might have issues, you can proactively pivot).

So far, we have covered getting buy-in, assembling the team, educating internally, and reaching out externally – essentially, all the preliminary steps to set the stage. Now it’s time to get into the meat of the program: discovering what you have, assessing risk, and planning the actual migration and mitigation activities. The next sections will cover those in detail, starting with managing inventories (cryptography, data, systems) which is the foundation of everything to come.

5.5. Notify and Prepare Third Parties (Vendors, Partners) Early

A significant portion of your cryptographic footprint likely resides in or is dependent on systems provided by third parties – whether it’s a SaaS provider, an on-premise software vendor, hardware manufacturers, cloud platforms, or outsourcing partners. If your organization is ahead of the curve in starting quantum preparations, many of your suppliers and partners may not be. That means a big chunk of your risk could lie outside your direct control. It’s crucial to proactively engage these third parties, both to inform them of your expectations and to gauge their readiness.

Here’s how to tackle third-party engagement:

Communicate Early and Clearly: Don’t wait until you’re ready to deploy PQC to then ask your vendors for support – give them heads-up now. Send out formal communications to all relevant suppliers (especially those that handle your data or provide cryptography-dependent services) explaining that your organization is initiating a quantum readiness program and that as part of this you will be assessing dependencies and expect your suppliers to also plan for quantum-safe security. This could be a letter from your CISO or CIO to key vendors. It should stress that this is an important risk management issue and that you’ll be looking for their cooperation. You might even cite regulators or industry mandates to add weight (“As you may know, regulators are pushing for post-quantum security by 2030, we need to ensure our supply chain is prepared”).
Offer Education to Third Parties: Some of your smaller partners might not have a clue about quantum risks. Consider hosting a webinar or sharing educational material with your vendors similar to your internal awareness (tailored as needed). By doing so, you extend the awareness campaign externally, which can build goodwill and alignment. It also positions you as a leader – you’re helping uplift security across the ecosystem, not just demanding things.
Collaborative Risk Assessment: Where feasible, approach key vendors and suggest working together on a quantum risk assessment of the product or service they provide to you. For example, if you have a core banking software vendor, ask to review with them where that software uses cryptography, what their plan is to upgrade it, and what timelines they foresee. Some vendors might not share details, but you can at least ask questions. You could provide them a checklist or questionnaire:
- Have you inventoried cryptographic algorithms in your product?
- Are you engaged with NIST PQC standards?
- Do you have a timeline for supporting PQC algorithms (and which ones)?
- Will updates be backwards compatible or require major upgrades?
- How will you handle certificates or keys (e.g., will we need new key generation)?
- Are there any known constraints (like your product uses a chip that can’t support bigger keys, etc.)?

This not only signals that you expect action, but the answers will inform your plan (e.g., if a vendor says “we won’t have a solution until 2029,” you know that system remains a risk you might need compensating controls for).

Include Quantum-Safe Requirements in Contracts: As you renew or sign new contracts, bake in obligations related to quantum readiness. For instance, add clauses like “Vendor will, at no additional license cost, provide cryptographic algorithm upgrades to maintain compliance with emerging post-quantum cryptography standards within X months of those standards’ finalization” or “Vendor must disclose cryptographic algorithms used and their plans for PQC transition; failure to address known vulnerabilities (like using RSA/ECC beyond 2030) could be considered breach of contract.” In RFPs, include questions about their roadmap for PQC and crypto-agility. This makes it contractually binding for them to pay attention.
Leverage Existing Compliance as a Stick: If you have compliance questionnaires or standards (like if you require suppliers to meet ISO 27001 or similar), consider adding quantum-related questions or criteria there too. It might not be standard yet, but you can start. Also check if any supplier contracts have a general “meet industry best practices” clause – arguably, preparing for PQC is becoming a best practice, so you can lean on that.
Provide Support and Resources: Realistically, some suppliers (especially smaller ones) might struggle with this. If a key vendor is clearly behind, you have to decide whether to push them, replace them, or help them. Sometimes you can offer support – maybe joint testing, or allow them access to tools you’re using. For instance, if you hire a firm to do crypto inventory, maybe extend that service to scan the vendor’s product (with their permission) and share results. The goal is to avoid a weakest-link situation by lifting them up if needed. This again fosters a partnership approach.
Establish a Tracking and Follow-Up Mechanism: Keep a register of key third parties and their quantum readiness status. After initial outreach, set a schedule to revisit it perhaps annually. Track who responded, who has plans, who seems oblivious. For those critical vendors with unsatisfactory answers, escalate discussions – maybe involve procurement leadership to put pressure or consider alternatives in the long term.
Incorporate Third-Party Readiness into Governance: If you have vendor risk management or third-party risk processes, integrate quantum risk into those assessments. For example, update your vendor risk scoring to include a factor for “crypto agility” or presence of obsolete crypto. Some organizations have started asking vendors to produce a “cryptographic bill of materials” (CBOM) for their products – if you can, ask for that; if they can’t now, they’ll know you expect it eventually.
Monitor Progress and Be Ready to Act: If a vendor consistently has no plan and is critical to you, you might need to plan mitigation. That could be urging them harder (maybe via joint escalation between your CEOs if it’s that important), or developing compensating measures (like fronting their system with a quantum-safe gateway if possible), or in worst case, planning a transition to an alternative vendor in a few years. It’s better to know this now than in 2029. So keep track: maybe maintain a dashboard – e.g., out of our top 50 vendors: 10 have solid plans, 30 have “looking into it”, 10 have nothing – then focus efforts accordingly.

Remember, quantum readiness is a team sport across the supply chain. By lighting a fire (even politely) under your third parties, you not only reduce your own risk but push the industry forward. Many vendors have told analysts that customers aren’t asking yet, hence they haven’t prioritized – well, be that customer who asks! The more we collectively demand quantum-safe assurances, the faster products will come with those capabilities. And if you discover innovative approaches through vendor talks (like one vendor might have a hybrid solution already), that’s great intel you can use.

5.5.1. Practical Steps to Manage Third-Party Quantum Risk

Identify Critical Vendors/Partners: Use your vendor inventory or spend analysis to pinpoint which third parties, if compromised by broken crypto, would pose the biggest risk to you. Focus on those that handle sensitive data, provide security functionality, or are deeply integrated (ERP systems, VPN providers, payment processors, cloud providers, etc.).
Draft a Vendor Outreach Template: Write a standardized letter or email that can go to all (with minor tweaks per vendor type). It should: introduce the issue (quantum threat, timeline), state your company’s commitment (so they know it’s serious from you), and request information on their plans. Keep it non-accusatory; emphasize collaboration. Have it approved by legal if needed. Possibly include a brief questionnaire or a request for a meeting.
Leverage Account Managers: For big vendors (like Microsoft, AWS, etc.), talk to your account reps. They often can provide roadmaps under NDA. Many large vendors have public info too – for example, Cloudflare, AWS, etc. have blogs about their PQC experiments. Gather that info and include it in your assessment.
Update Contract Templates: Work with procurement and legal to insert PQC clauses in all new contracts. For existing ones, you might add them during renewals. Also include a right-to-audit or at least a requirement for them to annually report their progress on quantum readiness to you.
Host a Vendor Webinar: Invite all your key suppliers to a webinar where your CISO or CTO explains why you care about this and what you expect. This might be unusual, but it can make smaller vendors pay attention. Provide them guidance – maybe a one-pager of “How to start your quantum-readiness” with reference to standards (like NIST) for those who haven’t started.
Collect and Analyze Responses: Give vendors a reasonable deadline (a few weeks) to respond to your initial outreach. Track responses in a spreadsheet or vendor risk tool. Rate them: e.g., Green (has concrete plan or already implementing PQC/hybrid solutions), Yellow (aware and working on it but vague timeline), Red (no plan or unresponsive). For Yellows and Reds that are critical, set up follow-up calls.
Integrate into Vendor Risk Process: Add a section to your periodic vendor risk reviews: “Quantum Risk Status.” If you use scorecards for vendors, include that. This ensures ongoing visibility. Also, if you have an internal risk register, log “Vendor X PQC lag” as a risk with an owner to monitor.
Collaborate via Industry Groups: If direct vendor engagement is slow, consider industry pressure. For instance, if a certain widely used software has no quantum plan, perhaps raise it in an industry forum or through a group letter from multiple companies – collective customer voice can push a vendor to act.
Plan Mitigations for Lagging Vendors: For vendors that are critical but lagging, brainstorm interim solutions. Could you put their service behind a quantum-safe VPN of your own? Could you encrypt data before sending to them (application-layer encryption), so even if their encryption fails in future, the data they hold is tokenized/encrypted by you (see tokenization strategies in 4.13.1.2) ? These could be project streams if needed, but ideally your pressure gets them moving to avoid these extra steps.
Document Third-Party Dependencies in Your Roadmap: When building your internal roadmap (later section), annotate where you are dependent on vendor deliverables. E.g., “Q4 2026: upgrade Vendor Z’s software to version with PQC support (if available).” Start that conversation such that your schedule is on their radar too.

The outcome of this third-party engagement should be that no major partner is caught by surprise when you need them to act. It also sets you apart as a forward-thinking client – which might even get you invited into beta programs for PQC features (some vendors might involve early customers to test PQC implementations, which is great for you to trial).

Now, with leadership backing, team ready, internal and external parties informed and engaged, we move into execution mode. The very first execution step (and arguably one of the most important tasks in the entire program) is to discover and inventory what cryptography and assets you have. Nearly every guidance highlights doing a cryptographic inventory as a foundational step – because you can’t protect or upgrade what you don’t know you have. In reality, this involves multiple inventories (crypto, data, systems) and establishing a governance to keep them integrated. The next sections cover how to set up those inventories and actually carry them out.

5.6. Set Up Governance to Integrate Crypto, Data, and Asset Inventories

Most industry guidance will tell you to “do a cryptographic inventory.” That’s absolutely right – but it’s not sufficient by itself for a comprehensive quantum risk assessment. You need to connect the dots between what cryptography is used, where it’s used, and what it’s protecting. That means integrating three key types of inventories:

Cryptographic Inventory: A detailed list of all cryptographic algorithms, libraries, keys, certificates, protocols, etc., in use across your systems.
Sensitive Data Inventory: Knowing what sensitive data you have, where it resides, and its classification (confidential, secret, etc.).
Systems/Assets Inventory: A catalog of all your IT and OT assets – hardware, software, applications – often with insight into their criticality.

Governance here refers to the oversight and processes to ensure these three inventories are built, maintained, and most importantly cross-referenced to inform decisions. If you do them in silos, you might end up with, say, a list of vulnerable crypto instances but not know which ones matter most because you don’t connect them to the data they protect or the criticality of the system.

So, how to set this up:

Define Scope for Each Inventory: Early on, decide what systems and areas each inventory will cover. Crypto inventory should ideally cover everything from software applications to network gear, but maybe you scope it (e.g., start with externally facing systems, then internal). Data inventory likely focuses on major databases, data lakes, file shares, etc., where sensitive info lives. Asset inventory – hopefully you already have CMDB or asset lists, but you may need to enhance it for OT or shadow IT. Document these scopes so teams know their boundaries.
Plan Projects in Parallel and Coordinate: You might have separate sub-teams or tools handling each inventory type, but ensure they talk to each other. Perhaps have a weekly sync meeting between the leads of crypto, data, and asset inventory efforts to share progress and obstacles. Plan milestones such that after initial discovery, you do a mapping exercise: map crypto items to systems (via asset inventory) and map systems to data (via data inventory) – thus you can derive, for instance, “System A uses RSA (crypto inventory) and holds customer financial data (data inventory) and is a critical payment system (asset inventory).” That integrated view is gold for prioritization.
Use Common Reference Identifiers: One practical tip: to join these inventories, use some consistent identifiers. For example, if you have a system ID or asset ID in your CMDB, use that in your cryptographic inventory records to tag where an instance was found. And ensure data inventory entries note which system or database they reside on (again linking to asset). Essentially, structure the data so that relationships can be established without ambiguity.
Normalize and Centralize Inventory Data: As raw inventory data comes in, it might be messy or overlapping. Part of governance is to normalize it – ensuring consistent naming, removing duplicates, and consolidating records. For example, you might find “TLS 1.2 with RSA-2048 on Server X” via a network scan and also “OpenSSL library on Server X supports RSA” via a code scan – those are actually the same issue and should be one record or at least linked. Decide on a single source of truth repository for inventories. Some companies extend their CMDB to include crypto info, others use a GRC tool or even a custom database. What matters is it’s queryable and kept updated.
Classify and Add Context: As you integrate, add context fields. For cryptographic items, include what data classification they protect (from data inventory) and system criticality (from asset inventory). For assets, mark if they have quantum-vulnerable crypto found. This context will directly feed the risk assessment (next step). Also classify crypto issues by severity (e.g., use of RSA/ECC = quantum-vulnerable; using short RSA keys or SHA-1 = already weak; using hardcoded keys = immediate issue, etc.). Mark data by how long it needs to remain confidential – that’s key for HNDL risk (e.g., some data only needs confidentiality for 1 year vs some for 10 years).
Use Governance Structures (Steering Committee) for Oversight: Consider having your program steering committee (or a subcommittee) focus on inventory integration progress. They can break ties if, say, one team wants to proceed one way and another disagrees. Also, set intermediate deadlines: e.g., within 3 months, complete initial crypto inventory of top 50 systems; within 4 months, produce a combined report of crypto vs data vs assets for those. Governance ensures these things don’t drift or get siloed.
Leverage Tooling Wisely: There are tools for each of these: DLP and scanning tools for data, asset discovery tools (scanners, agents, etc.), and specialized crypto inventory tools. Likely you’ll use a combination. Governance means coordinating their use so you don’t overload the environment with scans or conflict. For example, schedule network scans and data scans in a staggered manner if they might interfere. Share findings between tools – e.g., if data scan finds an encrypted file repository, ensure the crypto inventory scans that for what encryption is used. Try to use open standards if available for output (like some are talking about CBOM formats, akin to SBOM, to represent crypto usage).
Mutually Exclusive and Collectively Exhaustive (MECE) Approach: A fancy way to say cover everything without double-counting. Try to partition responsibilities clearly – maybe Crypto Inventory Team covers discovering cryptographic algorithms and where they live, Data Inventory Team covers classification of data and mapping to storage locations, etc., and they collaborate on the overlap. Keep track so nothing falls through cracks (e.g., IoT device cryptography might require both asset and crypto analysis). Aim to have everything important either inventoried or consciously out-of-scope (with rationale).
Maintain Single Source of Truth and Continuous Update Process: Once initial inventories are built, set rules to keep them updated. For instance, integrate updates into change management: if a new application is deployed, updating the crypto inventory is a required step in the checklist. Or schedule periodic rescans. The governance plan should include who is responsible for maintenance long-term (often this becomes part of security architecture or risk management’s ongoing duties).

By integrating these efforts, you ensure that when it’s time to do risk analysis and decide what to fix first, you’re looking at a holistic picture: “We have 100 instances of vulnerable crypto; 10 of those protect our crown jewels – those 10 are top priority to fix or mitigate; the others can follow.” Without integration, you might miss that context and either over-fix trivial things or under-fix critical exposures.

One more benefit: this integrated approach also yields durable documentation that’s useful beyond quantum – it becomes your “security bill of materials.” Regulators are actually encouraging creation of Cryptographic Bills of Materials (CBOMs) exactly for this reason. So you’re not just doing a one-off project, you’re building a living asset for your security program, which is a selling point to leadership (and indeed some regulations may soon require CBOMs for critical systems).

Now, with governance in place, the next step is to execute the inventories themselves. We will focus first on the cryptographic inventory – the cornerstone – and how to perform it effectively.

5.7. Perform a Comprehensive Cryptographic Inventory

Performing a thorough cryptographic inventory is arguably the most important and challenging technical task in your quantum readiness journey. This means identifying all instances of cryptography used in your organization – algorithms, keys, certificates, protocols, crypto libraries, hardware crypto modules, etc. – and documenting them. The goal is to know exactly where you have vulnerable algorithms (like RSA/ECC, AES-256 is fine vs quantum, etc.) and crypto dependencies so you can plan their remediation or mitigation.

Why is this so challenging? Cryptography lurks everywhere. It’s in obvious places (web servers using TLS, VPN appliances, code signing, database encryption) but also hidden (hardcoded into custom application code, used in third-party libraries, in protocols of devices, etc.). Many organizations find even their inventory of systems is incomplete, let alone the crypto inside them. But it’s essential: missing even one significant crypto usage (say an admin interface that uses old SSL, or an IoT device that can’t be updated) could leave an entry point for future attacks.

Here’s how to tackle cryptographic inventory effectively:

Plan for a Long, Iterative Process: Realistically, in a large org, a full crypto inventory can take 1-2 years of persistent effort. Set expectations accordingly with management – you’re going for continuous improvement, not a quick win. Start with the most critical systems (prioritized by what you determined in governance via asset criticality and data sensitivity) and then expand. You might do it in waves: e.g., inventory Tier-1 systems in first 6 months, Tier-2 next, etc.
Use a Combination of Approaches: No single tool finds everything. Use multiple techniques:
- Static Code Analysis: Scan source code and binaries for use of cryptographic functions (e.g., look for calls to crypto libraries, or patterns like “RSA” or constants related to crypto). Many SAST tools or even grep can help – and specialized crypto discovery tools exist that parse code looking for crypto usage. This finds crypto embedded in applications.
- Dynamic/Runtime Analysis: Instrument running systems to catch crypto calls. For example, some agents can hook into crypto libraries to log when they’re invoked. Or use debuggers/tools to monitor if certain crypto functions are used during a program’s execution. This might catch things static analysis misses (like crypto in a loaded plugin or obfuscated usage).
- Network Traffic Analysis: Use network monitoring to identify where encryption is happening on the wire. Tools can detect protocols (TLS versions, SSH, IPsec, etc.) and cipher suites being negotiated. Passive network scanners (packet brokers, IDS) can log what’s seen. E.g., see a TLS handshake with RSA key exchange – that’s a quantum-vulnerable instance.
- Configuration/OS Scans: Many systems have config files or registry entries for crypto (e.g., Windows registry for TLS settings, OpenSSL config, Java security policy files). Scan those for algorithm mentions or key lengths.
- Certificate and Key Repositories: Inventory all certificates (internal and external) – e.g., scan AD, LDAP, key vaults, etc. Extract algorithm info (RSA 2048? ECDSA P-256? etc.). Similarly list out any keys in HSMs or KMS (key management systems) – what algorithms and sizes are they?. Certificate Transparency logs can even be used for your domains to see what public certs you have.
- Interviews and Surveys: While not sufficient alone, talk to system owners, developers, architects: ask “Does your system use encryption or digital signatures? Where and how?”. Many will say “just TLS” but some might reveal custom crypto or old protocols. However, caution: experience shows relying on self-report often misses a lot – people either don’t know or forget. So use this to augment, not replace, automated discovery.
Leverage Crypto Inventory Tools and Vendors: There are now vendors (like SandboxAQ, IBM QSafe, Keyfactor/PrimeKey, CryptoNet, etc. as listed in some references) offering solutions for crypto discovery. Evaluate them – typically they each have strengths: some scan source code repos, some sniff network, some query endpoints. Using a combo can be smart. Also consider open-source tools (there are some scripts and scanners emerging from the community). The key is to cover multiple dimensions as said. No shame in using vendor tools – just understand their coverage. One tool might catch hardcoded certificate chains on disk; another might catch ephemeral protocol usage.
Centralize Findings Continuously: As results come in from various methods, feed them into your inventory repository (from 4.6 governance step). Deduplicate and enrich (like linking them to system owner if known, etc.). For each crypto item, capture attributes: type of algorithm (e.g., RSA 2048, or AES-128, or SHA-1), usage context (TLS handshake? Data encryption? Code signing?), location (system/app name), and any metadata like libraries involved (OpenSSL 1.0.2 etc.), key lengths, whether it’s configurable, etc. This becomes like your Cryptographic Bill of Materials (CBOM) for each system.
Identify External vs Internal Crypto: Mark which crypto is under your control to change and which is in third-party components. For instance, if a vendor app uses TLS 1.2 with RSA and you can’t change it except by patch from vendor, note that. Those items will be tied to vendor management efforts (4.5). Internal ones (like your custom app’s crypto) you have more control to fix.
Assess and Prioritize Crypto Weaknesses: Not all crypto is equal. Clearly label which instances are quantum-vulnerable (basically anything using asymmetric crypto like RSA, ECC, DH, DSA) and which are quantum-safe (symmetric AES-256, SHA-384, etc. are fine). Also, note if any algorithms are already weak today (RSA <2048 bits, MD5/SHA-1, etc.) – those are urgent to fix regardless. This way you know which findings deserve immediate attention (some may need remediation even before PQC migration due to current risk). For example, if you find any use of 1024-bit RSA or MD5 signatures, that’s a red flag to address ASAP for present security, which your PQC program can tackle early as low-hanging fruit (cleaning “crypto debt”). Also flag any lack of crypto where there should be (like data not encrypted at rest where policy says it should) – though not directly quantum-related, fixing that goes hand in hand.
Document Challenges and Unknowns: Expect that some things will be hard to find. E.g., maybe an old device where you can’t inspect inside. Keep track of these unknowns and either plan for deeper dives (maybe get device documentation or test it in lab with quantum algorithm if possible) or mark them as risks to mitigate differently (like isolating that device network). Being transparent about inventory gaps is important – don’t just ignore them. Perhaps you’ll find you cannot get to 100% – then you apply a risk-driven approach to live with the uncertainty (we’ll cover partial measures in 4.8 and 4.13).
Use the Inventory to Plan Quick Wins: As you inventory, you’ll undoubtedly spot some obvious fixes. For instance, if you discover a web server still allowing TLS 1.0, you can likely turn that off now. Or find a service where ECC could be swapped for a larger key RSA as interim hardening (not quantum-safe but maybe stronger slightly). Low effort improvements can reduce attack surface – do them as you go (don’t necessarily wait for full inventory complete if the fix is straightforward and not disruptive). This shows progress and reduces current risk. However, be cautious about making changes that might break something; follow normal change management.

To illustrate, imagine running a network scan and finding that some legacy devices are using 1024-bit RSA for SSH. That’s a discovery from crypto inventory. You’d log it: “Device X – uses SSH with RSA-1024 (quantum-vulnerable, also weak now)”. Immediately, you might mitigate by enforcing only strong ciphers on that device if possible or schedule replacement of it. That one line in inventory leads to an actionable item.

Remember that achieving a 100% cryptographic inventory is extremely hard – but the closer you get, the better your plan will be. Don’t be discouraged by the complexity; break it into parts and keep chipping away. Also, avoid relying solely on asking people – automation is key. One referenced article highlighted how just interviewing asset owners doesn’t work; people overlook things. Use tools and verify.

Also, plan for continuous update: your environment is not static, new apps will be deployed, etc. So treat the inventory as an ongoing process, not one-time. Many organizations tie it into CI/CD (e.g., scanning new code for crypto usage before deployment) and procurement (asking new products what crypto they use). This way, after the initial big effort, you can keep it up-to-date with less drama.

We’ll now detail some of the challenges you’ll face in crypto inventory and how to overcome them, discuss tools, and outline a step-by-step approach to executing it.

5.7.1. Anticipated Challenges in Cryptographic Inventory

Understanding where the pitfalls are helps in planning. Common challenges include:

Hidden and Legacy Systems: Old legacy apps might have custom or outdated crypto hardcoded, often without documentation. You may need to reverse-engineer or run them in test environments to observe crypto usage. Also, equipment in OT or embedded devices might use proprietary protocols that are hard to inspect (you might have to get vendor cooperation or use protocol analyzers).
Scale and Decentralization: In a large org, different teams might use different libraries (Java,.NET, OpenSSL, BouncyCastle, etc.) – there’s no single point to check. It’s a massively distributed search problem. You will need buy-in from all those teams to scan or instrument their stuff. And if your environment spans on-prem, cloud, containers, IoT, etc., each requires different tactics.
Resource Intensive: Scanning code bases or network traffic can be heavy. You might have millions of lines of code. Using automation and focusing on relevant areas (e.g., don’t scan front-end UI code for crypto, focus on backend services, etc.) can help. Also consider segmenting by risk: e.g., inventory high-risk apps thoroughly, for lower risk ones maybe rely on standard libraries usage assumptions.
False Negatives/Positives: Tools may miss some usage or flag non-crypto data as crypto (e.g., encountering the string “SHA256” in a comment doesn’t mean it’s used). Need manual validation. Also, something like usage of a standard library doesn’t always mean quantum-vulnerable algorithms are used – e.g., just because OpenSSL is present doesn’t mean RSA is actively used (could be using only AES). You might need to dig deeper to see actual usage vs capability.
Documentation Gaps: Many findings will require interpretation. E.g., you find a config “supportedSuites: TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384” – you should parse that and log it as using ECDHE (ECC) and RSA (the signature part). If your team lacks crypto expertise, these details can be confusing. Having a cheat sheet for cipher suites and algorithms can help analysts.
People and Process: Getting everyone to cooperate (developers to run static scans on their code, ops to install scanning agents, etc.) is non-trivial. There might be pushback (“this might slow my system” or “we don’t have time”). That’s where executive mandate helps – you can say, “this is a priority, please accommodate these scans.” Try to coordinate scans with minimal disruption (off-hours, test environment scans first, etc.) to reduce friction.

By anticipating these, you can set aside extra time for legacy research, maybe bring in consultants with reverse-engineering skills for obscure cases, or allocate more time in project plan to go back-and-forth validating findings. Also ensure your team has at least one crypto-savvy person to guide it – interpreting the findings correctly is crucial.

5.7.2. Survey of Useful Cryptographic Inventory Tools

As part of preparation, it’s worth listing some tools (commercial or open-source) that can aid the inventory:

Code Scanning Tools: e.g., GitHub’s secret scanning (can catch keys), but for algorithms, something like CryptoLint, or even custom scripts. Some SAST tools have checks for crypto usage. There’s also grep/PowerShell to search for strings like “AES”, “System.Security.Cryptography”, etc., but be careful to refine (lots of noise).
Network Scanners: Nmap with scripts can detect SSL/TLS on ports and list cipher suites. Tools like Qualys SSL scanner for known endpoints, or Zeek (an open-source network monitor) which can log TLS handshakes across your traffic for analysis. Wireshark for targeted protocol analysis.
System Utilities: For Windows, tools to query Schannel settings; for Linux, check openssl versions or use openssl ciphers command. If you have config management, you can query all servers for specific file patterns (like *.pem files for keys, or config lines).
Certificate management tools: If you use a certificate management solution (Venafi, DigiCert, etc.), you can extract a list of all known certs and their algorithm details. If not, scanning subnets for port 443 and grabbing certs is an option (e.g., via Nmap or CertSpotter).
Cryptographic Inventory Services: Mentioned earlier, players like SandboxAQ’s “AQtive” can deploy sensors to catch crypto calls; IBM’s tool scans code and binaries; some startups offer scanning as a service. Weigh the cost vs. time saved. Many have trial versions – maybe test one in a subset to gauge usefulness.
Manual Inspection and Logging: For custom apps where you have source, consider adding logging around crypto functions temporarily to see what they actually do in production (with caution not to leak sensitive data). For example, instrument Java’s JCE providers to log algorithm names when used.
OS and App Logs: Check if any logs already record crypto info. Some systems log when they generate keys or when connections happen (e.g., some VPNs log cipher suite used). Mining existing logs might reveal usage patterns.
Interviews Checklists: Prepare a checklist for system owners: “Does your system use any of the following: SSL/TLS, SSH, VPN, encryption libraries, database encryption, file encryption, digital signatures, etc.” and ask them to fill it. This could catch things like, “Oh yes, we encrypt some config files using this tool” which scanners might miss if it’s done offline.

It’s also advisable to look at reference lists of algorithms to ensure you search for all variants (like search not just “RSA” but also “PKCS#1” or “OAEP”; not just “ECC” but “secp256r1” etc.). A thorough inventory plan will specify these search terms and methods.

5.7.3. Approach: Combining Automated Tools with Manual Effort

No tool will automatically spit out a perfect inventory. You need a hybrid approach of automation plus expert analysis :

Use automated scanning to cover broad ground quickly.
Use manual deep-dives for high-risk or tricky areas (like a legacy COBOL system might require a code review by an expert).
Engage developers and engineers: they might know hotspots (e.g., “We wrote a custom encryption for this file transfer; here’s where to find it.”).
And plan to iterate: first pass finds 70%, next pass digs into remaining unknowns, etc.

Also foster an environment of continuous discovery – encourage anyone who finds a crypto usage to report it to the team (maybe you have an internal bug bounty or recognition for finding unknown crypto usage).

One suggestion: gamify the inventory for developers – e.g., a contest who finds the oldest crypto algorithm usage gets a prize, or department with fewest weak crypto gets recognition. This can make it engaging.

5.7.4. Practical Steps for Performing the Crypto Inventory

Let’s outline actionable steps:

Preparation Phase: Train the inventory team on crypto basics (if needed) – ensure they know what to look for. Gather tools (get licenses for any commercial tools approved, set up open-source tools on scanning servers). Obtain necessary approvals (some scanning can be intrusive, coordinate with IT change management). Communicate to all teams that scans will happen.
System Scoping: Use your asset inventory to list systems to inventory. Prioritize by criticality. Start with a pilot on a few diverse systems to refine approach (like one web app, one backend service, one IoT device, etc.).
Execute Pilot Scans: Run code scans on those, monitor their network traffic, examine configs. See what worked and what missed. Adjust tool configurations or add new methods as needed.
Roll Out Broad Scans: Possibly tackle by environment or application group. For each, do:
- Static scan of code (if code available).
- Network port scan of the servers.
- If possible, run the app with instrumentation.
- Query system for keys/certs.

Document all findings in the central repository.

Analyze & Consolidate Findings: After scanning a batch, have the crypto specialist review the raw data. Remove duplicates and interpret each item: e.g., “Service A -> uses TLS with ECDHE and RSA-2048; also uses an internal token encryption with AES-128 (symmetric, okay), and uses JWT signing with RSA-2048.” That would yield multiple line items in inventory.
Validate with Owners: Go back to system owners with what you found and ask if it’s complete. Often, showing them you found X will jog their memory about Y. They might say “Oh yes we also have a scheduled job that uses PGP encryption to send files.” Catch that too. Mark any owner attestation as such.
Rinse and Repeat: Move to next group of systems. As patterns emerge, you might speed up (like if all your web servers are behind the same load balancer doing TLS, then scanning one might cover many instances).
Address Roadblocks: Some systems (especially OT or proprietary appliances) you can’t easily scan. For those, engage vendors (as in 4.5) or use indirect methods (protocol analysis). If truly not accessible, consider it a known gap and treat via risk approach (like isolate that device or plan replacement).
Continuous Monitoring: As inventory nears completeness, set up monitoring to catch new appearances of crypto usage. For example, integrate into CI pipelines a check: if someone introduces a new crypto library or function in code, alert the security team. Also, put a recurring task to rescan key environments every quarter or if major changes occur.
Report Inventory Progress: Keep stakeholders updated that “we’ve inventoried X% of environment, found Y instances of vulnerable crypto so far.” It demonstrates progress and justifies upcoming projects. Eventually, you may produce a CBOM document or database for the organization, which can be used in audits or compliance.

Completing the cryptographic inventory (to the best of your ability) sets the stage for the next steps: assessing vulnerabilities and planning remediation. But before diving into remediation, one crucial step is to evaluate which crypto vulnerabilities matter most – that’s the risk assessment phase.

However, often simultaneously or right after identifying crypto instances, you should also examine how vulnerable each identified instance is and what the impact would be if it were broken (which depends on the data and system – hence needing data and asset inventory context). So in practice, you might start preliminary risk assessment in parallel. We will formalize that in section 4.8 and 4.12.

One more note: in the process of inventory, you might find some quick mitigations short of full replacement. For example, enabling Perfect Forward Secrecy (PFS) ciphers for now can mitigate HNDL risk somewhat (since with PFS, past sessions can’t be decrypted even if long-term key is broken, which quantum could do to RSA but not retroactively if ephemeral Diffie-Hellman was used correctly). Ensuring all your TLS uses ECDHE (which most modern does) is good – though ECDHE is itself not quantum-safe, it at least limits retrospective decryption of past sessions if Q-Day hits. Consider such interim improvements as part of inventory follow-up.

Now, with the crypto inventory in hand, let’s talk about assessing the identified cryptographic vulnerabilities and how to prioritize what to fix or mitigate first.

5.8. Assess and Prioritize Cryptographic Vulnerabilities

After collecting data on all your cryptographic uses, the next step is to perform a vulnerability assessment on those cryptographic elements and determine which ones pose the greatest risk. Not all crypto vulnerabilities are equal – some might expose critical data, others might be trivial. We need to identify which crypto issues are most urgent (because they protect high-value assets or are weak even pre-quantum) and which can be scheduled later, thereby prioritizing remediation efforts.

Here’s how to assess and prioritize:

Determine Quantum Vulnerability: Go through your inventory and mark each entry:
- Quantum-vulnerable algorithms: RSA (any key length), ECC (any curve), DH (non-quantum safe groups), DSA, etc. These are definitely broken by a future CRQC.
- Quantum-safe algorithms: AES (with sufficiently long key, 128+), 3DES (technically would require huge quantum resources, but also it’s outdated), SHA-2/3, etc. These symmetric algorithms are not broken by known quantum algorithms except needing larger key lengths (Grover’s algorithm halves the effective strength, so AES-128 acts like AES-64 effectively – still huge, but some recommend AES-256 to be safe). Mark these as okay, except consider increasing symmetric key sizes if any are low (like 3DES is only 112-bit effective, borderline).
- Hashes and MACs: SHA-1 is broken classically; definitely mark that as needing fix. SHA-256 or better is fine (Grover’s algorithm would effectively make SHA-256 a 128-bit strength, which is okay; some might push to SHA-512 for long-term safety). HMAC-SHA is fine as symmetric security. If any custom or obscure algorithms are found, treat as suspicious (e.g., “proprietary encryption” or home-rolled algorithms are often weak).
- Protocol/PFS consideration: if something uses RSA/ECC only for signatures (like signing a file) vs for key exchange, the risk is different (signatures being broken = integrity risk; key exchange broken = confidentiality risk). Also note if TLS uses PFS (ECDHE) or not (RSA key exchange in TLS means recorded traffic can be later decrypted by quantum; ECDHE in TLS means an attacker needs to break the discrete log which is ECC – still possible with quantum but they’d need to break each session individually if they recorded).

With that, assign a base “quantum risk level” to each: e.g., High (uses RSA/ECC and protects long-term sensitive data), Medium (uses RSA/ECC but maybe for data that isn’t sensitive or short-lived), Low (mostly symmetric and robust algorithms). Also identify any algorithms with known classical weaknesses – those are immediate high risk (like any MD5, SHA-1 usage, RC4 cipher, etc.).

Map to Data Sensitivity and Longevity: Now incorporate the data inventory results. For each crypto instance, ask: what data or function does this protect? If a vulnerable algorithm protects highly sensitive or long-lived data, that’s a critical issue. For example:
- An RSA-encrypted database of patient records (which need confidentiality for decades) – very critical, because if harvested now and decrypted in 10 years, it’s a breach of health data.
- An RSA-based code signing system for software updates – very critical on integrity side (TNFL scenario) because if broken, attackers could distribute malware as legit updates.
- TLS on an API that handles short-lived transactional data (like ephemeral stock quotes) – lower risk, because even if decrypted in future, that data is stale.
- A VPN using ECC for authentication – moderate risk: if an attacker records traffic, they would need to break ephemeral keys if PFS is on; if not PFS, then high risk for confidentiality.

Also consider volume and aggregation: if one weak crypto protects a massive trove of data vs just a small subset, the former is higher impact.

Map to Asset Criticality: If an asset is deemed critical (say, supports a critical business service), any break in its cryptography may have systemic impact (e.g., if an attacker can forge commands to a power grid controller due to quantum-broken signature, that’s severe – even if the data itself isn’t sensitive, the control is). So factor in asset criticality: crypto in safety-critical or uptime-critical systems gets priority. E.g., an OT control network using RSA-based auth is a big worry.
Likelihood Considerations: Quantum attacks aren’t possible yet, but “likelihood” in a risk sense might be considered as timeline + adversary interest. For instance, if you have nation-state adversaries who might be recording traffic now (common in government or high IP sectors), any external-facing encryption protecting strategic comms is at very high risk now (because of HNDL). If your field is less likely targeted, you might weigh it slightly differently. But since we plan for worst-case, mostly assume that if data is interesting enough, someone might be harvesting it.
Existing Compensating Controls: Check if any interim mitigations reduce the risk. For example, if sensitive data is also protected by strong access controls or additional layers (like the data is encrypted at app level even if underlying channel uses RSA), then the exposure is reduced. Document these but note they might not fully eliminate the risk. Or if you have a robust monitoring and zero-trust architecture, maybe forging a signature wouldn’t immediately give widespread access without other checks.
Scoring and Ranking: Develop a simple scoring model to combine the above factors:
- One approach is to score Impact (e.g., 1-5 scale based on data sensitivity & asset criticality) and Urgency (based on algorithm weakness and data longevity).
- For example: Impact 5 if it’s crown jewels data or life safety systems; Impact 1 if trivial data.
- Urgency 5 if using RSA/ECC on long-lived sensitive data (or already-breakable algorithm); Urgency 1 if primarily symmetric strong crypto and short data lifespan.
- Multiply or otherwise combine to get a risk score.
- Then rank all identified crypto issues by score.

Alternatively, categorize into High/Med/Low risk qualitatively. The key is to highlight the top tier that absolutely needs addressing first.

Focus on “Critical 10%”: Often, a small fraction of crypto instances will account for the majority of risk (those protecting very sensitive or wide-scope stuff). Identify those and treat them as top priorities for mitigation (like within next year). The rest can follow in phases.
Document Findings & Recommendations: For each significant vulnerability identified, write down the recommended action even if high-level (e.g., “Migrate system X’s TLS from RSA key exchange to ECDHE hybrid or PQC by 2024” or “Replace algorithm Y in product Z (requires vendor update)”). This sets up the inputs to your roadmap. Also, note interim steps if any (like increase RSA key from 2048 to 4096 now as a minor improvement, though not quantum-proof it buys time and maybe some assurance).
Integrate with Broader Risk Register: Add the highest risks to your organizational risk register to ensure management attention. Example: “Risk of breach of encrypted data archive due to potential future quantum decryption – rated High – mitigation: re-encrypt with PQC or double-encryption by [date].” This helps track at governance level.

Essentially, this step translates the technical inventory into actionable risk items. It answers: which of these many crypto uses are the ticking time bombs we must defuse first?

One immediate spin-off could be a “cryptographic health check” report : summarizing how much weak crypto is found and where. This can be used to brief leadership and justify tackling them. It might say, for example: “We found 250 instances of RSA/ECC usage. Of these, 50 are in systems with high-value data – those are priority 1; another 150 are moderate, e.g., used in internal systems with limited data (priority 2); 50 are low impact. Additionally, 10 instances of deprecated crypto (like SHA-1) were found and will be fixed immediately.”

To give an example: say you discovered that an internal database with customer SSNs is encrypted with RSA-2048 using a service that could have its key stolen and later decrypted. And suppose regulations say SSNs must remain confidential indefinitely. That’s a scenario to rank extremely high – you might plan to re-encrypt that database with AES-256 now (if not already) and schedule migrating the key protection to PQC algorithm or hybrid soon. Versus another finding: a nightly batch file of low-sensitivity log data is PGP-encrypted with RSA and sent to an archive. If that log data is not sensitive, its risk is low – you could rank that lower.

5.8.1. Methods for Vulnerability Assessment of Cryptographic Implementations

To supplement risk scoring, you may do some deeper analysis on certain items:

Dependency Analysis: For each crypto component, analyze what other components depend on it. If an algorithm break would cascade into multiple systems failing, that ups the criticality. Also see if alternate mitigations exist (e.g., if TLS breaks, can data still be safe because it’s also encrypted at rest? If code signing breaks, is there multi-factor verification?).
Configuration Audits: Check if crypto is configured properly. A quantum computer could break RSA regardless of config, but config issues like shorter keys, no forward secrecy, etc., worsen risk. If you find any misconfigurations (like a server that allows 1024-bit RSA or outdated protocols), those are immediate fixes. Also ensure things like proper random number generation (bad RNG could already break crypto).
Penetration Testing (Crypto-focused): You might engage a security testing team to simulate what could be done if crypto breaks. Obviously, they can’t simulate a quantum attack, but they can check e.g. if your monitoring would catch an integrity attack (like try to forge something with a fake signature to see if system accepts it – not actually possible without quantum, but maybe test process if a certificate chain is tampered, etc.). More practically, they can find any crypto backdoors or weak implementations you missed (some pen test tools find known crypto flaws in configurations).
Quantify Exposure: For critical items, quantify how many records could be exposed or what the business impact would be. E.g., “If quantum broke our VPN tomorrow, up to 500 remote admins’ sessions could be decrypted, potentially exposing internal network.” This helps convey urgency in business terms.

Now, after doing all that analysis, we fold it into a broader Quantum Readiness Risk Assessment, which includes not just crypto but other factors (like vendor risk, governance gaps). That is formally covered in section 4.12 (Perform Risk Assessment and Prioritize for Remediation). Essentially, the cryptographic risk assessment we did is one input into that overall quantum risk assessment.

By the end of this step, you should have:

A clear list of where your biggest quantum-induced security failures could occur (if nothing changes).
A list of “to-dos” – which algorithms to replace or augment, where to implement mitigations, which systems to focus on first.
And a sense of how to sequence the upcoming remediation (most likely tackling highest risk first and possibly doing pilots there).

Before building the full remediation strategy, remember that cryptography isn’t the only piece. We also need to consider sensitive data and critical systems in their own right. In parallel to the cryptographic inventory, you should also be performing or refining your data discovery/classification and asset criticality assessment (if not already well-documented). That’s covered in the next steps (4.9 and 4.10), which complement the crypto analysis by ensuring our focus is rightly placed on the most sensitive data and most important systems.

5.9. Discover and Classify Sensitive Data

A quantum adversary’s primary goal for many organizations will be to obtain and decrypt sensitive data – personal information, financial records, intellectual property, national security data, etc. So alongside mapping cryptography, you need a firm handle on what your sensitive data is and where it resides. This is classic data classification and discovery, but with a quantum twist: we care especially about data that must remain confidential or trustworthy for a long time.

Steps to discover and classify sensitive data:

Define Data Sensitivity Categories: Likely your org already has classification levels (Public, Internal, Confidential, Secret, etc.). If not, create a scheme now. Make sure it maps to impact: e.g., “Confidential – would cause harm if disclosed” or “Highly Sensitive – would cause severe harm or regulatory breach if disclosed.” Also consider integrity: some data might not be secret but must be trusted (like configuration files or code, where forgery is a risk). But main focus is confidentiality in quantum context.
Use Automated Data Discovery Tools: Deploy tools (DLP solutions, data discovery scanners like those from Varonis, Symantec DLP, Microsoft Purview, etc.) to scan your data stores – databases, file shares, SharePoint, cloud storage, big data clusters, etc. – for sensitive content. These typically have patterns (SSNs, credit card numbers, personal info keywords, etc.). They can identify where such data is located and often auto-classify it. If you already have such a program (for compliance like GDPR, PCI, etc.), leverage those results. If not, prioritize scanning stores likely to have long-lived sensitive data (e.g., backups, archives, customer data repositories).
Map Data to Systems/Owners: As you find sensitive data, note which system or business process it belongs to and who owns it. E.g., “Customer PII in Database X (HR system), owned by HR Dept, classified Confidential under GDPR.” This mapping is crucial for later – when you secure crypto, you’ll often need that system owner to take action or approve changes.
Include Unstructured Data: Don’t forget things like email repositories, document drives, etc. Sometimes sensitive data lurks in Excel spreadsheets or email attachments. If you have an archive of such, either rely on DLP or do targeted searches. But prioritize structured data (databases) first as they are bigger troves.
Determine Data Retention/Longevity: For each type of sensitive data, estimate how long it needs to remain confidential. This is key: e.g., personal health info might need privacy indefinitely; credit card numbers might change every few years (so if they are stolen and decrypted 5 years later, maybe less impact by then); trade secrets could be valuable for decades. If you don’t have formal retention requirements, talk to business lines: “If these files were decrypted in 10 years, would that matter?” That input helps gauge quantum risk (Mosca’s theorem concept). Mark data that has long shelf life of sensitivity as high risk if not quantum-protected soon.
Identify High-Value Aggregations: Which databases or repositories hold large volumes of sensitive data? Those are prime targets (because steal once, decrypt later yields a lot). For example, an enterprise data warehouse with millions of customer records is higher priority than an individual encrypted file with one record. So size/volume matters. Also consider if multiple data types are aggregated (like a dataset that has both personal info and financial info together).
Classify Data in Context of Crypto: Now cross reference with cryptography: which sensitive data is currently protected by which crypto? If you find, for instance, a backup drive containing confidential designs that is only protected by an RSA-encrypted disk, that linking tells you: design data (very sensitive for 20 years) -> on encrypted disk using RSA (quantum-vulnerable). That becomes a high priority to address, as earlier identified. The data discovery might also reveal sensitive data that is not encrypted at all (some companies find whole databases of PII unencrypted). That’s a huge immediate risk – not directly quantum (it’s already exposed to any hacker), but your program can take the opportunity to encrypt it (and if doing so, use PQC-ready algorithms or at least modular crypto to allow future PQC swap). So absolutely list out any unencrypted sensitive data, as those should get encryption even before PQC (quantum risk just adds more reason).
Focus on Long-Term Confidentiality Needs: You might want to tag certain data as “Q-Day relevant.” E.g., state secrets needing 50-year secrecy, personal IDs with 80-year lifespan (like someone’s SSN is sensitive their whole life). These should guide your timeline: such data might need PQC protection very soon or now since if Q-Day is e.g. 10-15 years out, the window is tight or closed per Mosca’s condition. Data with shorter sensitivity (like a transactional password that changes daily) is lower priority from quantum perspective.
Use Business Input: After initial scanning, go to business units with a structured approach: “Please confirm what your most sensitive data is, where it’s stored, and classification.” They might reveal things automated scans missed (like maybe sensitive PDFs, etc.). It also fosters ownership. Emphasize cross-functional involvement: legal or compliance should weigh in on regulatory-driven sensitive data (e.g., what do privacy laws consider sensitive – likely personal info, etc. – ensure those are accounted).
Update Data Handling Policies: As part of this, reinforce or update policies that sensitive data must be encrypted (at rest, in transit). If new, institute a requirement that when sensitive data is identified, it should be tied to an inventory of how it’s protected cryptographically. Essentially integrate data classification with crypto usage documentation. This helps long term.

The output of data discovery/classification is a clear view of “what we’re protecting.” For quantum readiness, it zeroes in on data that if stolen today must remain safe beyond the expected advent of quantum breaking. Those are the crown jewels to focus crypto upgrades on first.

For example, you might conclude: “Our highest sensitivity data: 1) Customer personally identifiable info (PII) in database X, needed confidential 20+ years (regulatory and trust reasons), currently encrypted with AES-256 (good) but the key is protected by RSA-2048 in our KMS (quantum risk); 2) Intellectual property designs in file server Y, needed confidential ~15 years, currently not encrypted at rest, only network controls (very high risk now and quantum); 3) Financial transaction logs in archive, sensitive for 7 years audit period, encrypted with vendor tool using ECC (quantum risk but shorter horizon).” From that, you can see #1 and #2 are high priorities: #1 to address RSA key protection, #2 to implement encryption ASAP.

So, data inventory complements crypto inventory by highlighting where the impact lies. It ensures you don’t, say, spend tons of time PQC-proofing some system that has trivial data, while ignoring a trove of critical unencrypted data. It brings the “value” side into equation.

5.9.1. Practical Steps for Sensitive Data Discovery and Classification

Inventory Data Repositories: List all major data stores – databases (SQL/NoSQL), big data clusters (Hadoop, etc.), file servers, cloud storage buckets, backups, email archives, etc. Use existing architecture docs or ask IT. Prioritize scanning those likely to hold sensitive info (HR DB, customer DB, etc.).
Deploy Scanning Tools: If you have a DLP solution, use its discovery feature on file shares and databases. For databases, you might run queries for certain patterns (like 16-digit numbers resembling credit cards, name/address fields to see content type). For files, scans for regexes or classification labels. Many cloud services have built-in scanners (e.g., AWS Macie for S3).
Aggregate Results and Classify: Collect results, which often show files with certain regex hits, etc. Interpret them: e.g., a file with 100 SSNs -> classify that file as Highly Sensitive (PII). Document which repo and path.
Consult Compliance Requirements: Align with definitions like GDPR’s personal data (which is broad), PCI’s cardholder data, HIPAA’s PHI, etc., depending on your business. Ensure any data that falls under these is marked at least Confidential. Typically, national IDs, financial info, health info, credentials, etc., are high sensitivity.
Manual Spot Check: Automated tools can misclassify. Manually look at samples (if allowed – maintain privacy, maybe have a small trusted team for this or just verify metadata). Ensure not to violate privacy while doing this (could anonymize data or just look at metadata counts).
Populate a Data Inventory List: For each dataset or type, note: classification level, location, business owner, retention period, associated application. E.g., “Employee Records DB – Sensitive – HR owns – retention 7 yrs – behind HR Application.”
Identify Existing Protections: Note what encryption or access controls are on each data store. E.g., DB encrypted with TDE (Transparent Data Encryption) using AES-256, or files stored in encrypted volume, etc. Also note if it relies on some key management (like keys stored in HSM).
Highlight Gaps: Mark any sensitive data store that is not encrypted or not adequately protected. Those are immediate action items (encryption projects or at least ensuring network encryption).
Integrate with Crypto Inventory: Link data stores to crypto entries. E.g., if DB uses TDE with RSA-managed keys, connect that to the RSA entry in crypto inventory. Or if file server is unencrypted but relies on TLS for access, link to that TLS entry.
Review with Business Units: Circulate the compiled sensitive data inventory to relevant business or data owners to confirm nothing major is missing and the classification is right. This also helps raise their awareness that these are being specifically looked at for quantum risk (and might nudge them to address any glaring issues like unencrypted files).
Secure Sensitive Data Immediately (if quick wins): If you found, say, plaintext sensitive data where encryption is easily enabled (like flipping a switch on a database for encryption at rest, or enabling full disk encryption on a laptop backup store), do those now. Don’t wait for PQC – those are normal security hygiene fixes that reduce classical and quantum risk concurrently.
Plan Data Tokenization or Reduction: If there’s sensitive data that could be tokenized or reduced in volume as a way to mitigate risk (we’ll discuss tokenization as a strategy in section 4.13.1.2), note it. E.g., “We have decades of old customer data. Perhaps we could tokenize or archive older than 10 years offline,” so even if someone gets it later, the live environment has less real data. That might be part of the roadmap: reduce the sensitive data footprint which in turn reduces quantum risk.

By mastering your data landscape, you empower your crypto mitigation strategy to be truly risk-driven.

Next, we look at assets and systems inventory – making sure we know all hardware/software and their criticality, because that influences how and when we can upgrade them to PQC or apply mitigations.

5.10. Discover and Catalog Critical Systems and Assets

In tandem with mapping crypto and data, you need a solid grasp of your asset inventory – all the IT and OT systems in your environment – and an understanding of which are most critical to your operations. This is essential because upgrading cryptography in some systems (especially legacy or OT) might be extremely challenging, and because you want to prioritize efforts on systems whose compromise (due to broken crypto) would cause the most disruption or danger.

Steps for asset discovery and classification:

Leverage Existing Asset Inventories: Hopefully your org has a CMDB or asset register. Pull that data. However, often those are incomplete. To fill gaps, use network scans (Nmap across IP ranges to find devices), endpoint management tools, and ask teams (shadow IT is common – like a department stood up a server unknown to central IT). Industrial/IoT devices are often missed – coordinate with facilities or OT engineers to list those (SCADA systems, PLCs, smart devices).
Catalog Hardware and Software: For each identified asset, gather details: device type (server, laptop, PLC, router, etc.), OS, applications running, location (network segment or site), owner team. This matters because cryptographic upgrades often depend on OS/hardware support. For example, some old HSMs might never support new algorithms – then that asset (and everything depending on it) is a problem. Or an old Windows 2003 server likely won’t get PQC support patch. Identify such legacy tech.
Assess Criticality and Role: Determine how critical each asset/system is. Criteria:
- If it fails or is compromised, what’s the impact on operations? (e.g., core banking system high, a test server low).
- Does it have safety implications? (OT controlling power grid – very critical).
- Does it connect to many others (is it a central hub that could spread impact)?
- Are there regulatory or reputational implications if it’s compromised (e.g., systems handling financial reporting).

Use existing business impact analyses if available, or consult business continuity plans. You might classify criticality as High (mission-critical or life/safety), Medium, Low. Also mark systems that are externally facing vs internal – external might be higher risk of attack.

Identify Dependencies: Map out upstream/downstream dependencies. For instance, critical system A relies on a database B and certificate authority C. If C’s crypto breaks, A is indirectly affected. So an asset might not be critical itself but if it supports many others, that elevates it (for example, an internal CA server is critical because it underpins trust across environment).
Find Hard-to-Upgrades: Note assets that are unlikely to be easily crypto-agile: legacy embedded devices, vendor appliances, anything that you know has infrequent updates. These might need special strategies (segmentation, gateways, etc.). E.g., a medical device that can’t have its firmware upgraded easily is a concern.
Integrate with Crypto Inventory: Ensure for each asset, you link the cryptographic uses found on it (from step 4.7). That way you can see “Asset X – critical level High – has RSA usage Y”. This integration is what we set up in governance. Particularly mark any critical system that uses vulnerable crypto.
Plan Asset Upgrades/Refresh Cycles: Part of this inventory is to inform scheduling – if some critical systems are due for tech refresh in 2 years, you might align PQC upgrades with that. If others have no planned refresh (maybe OT devices intended to run 15+ years), you know you must retrofit or isolate them.
Include Third-Party Services: Not exactly assets you own, but if you rely on cloud or vendor systems, list those as well with criticality. E.g., you use a SaaS for CRM – it’s critical, and you need to ensure that vendor will handle crypto transitions (tie to vendor management info).
Use Monitoring to Catch Unlisted Assets: Modern networks often have rogue or forgotten systems. Use continuous scanning or network monitoring (looking at IPs on network segments that aren’t in inventory, etc.) to discover new or missed assets. This is part of “continuous inventory.” If your environment is dynamic (cloud auto-scaling, containers), you might instead inventory by cluster or application rather than individual ephemeral instances.
Classify Assets for Quantum Impact: Perhaps add a field: “Quantum readiness difficulty” – e.g., “Compatible with PQC easily (maybe modern x86 servers running updated OS) vs Hard (legacy).” Marin’s Law on crypto-agility suggests if agility is low (A -> 0), time to migrate is infinite. Identify those near-zero agility assets – those are risk because they can block migration unless addressed differently. Mark them to consider special treatment.
Segment by Environment: Possibly categorize by environment too: IT vs OT vs Cloud vs Endpoints. Because strategies differ. OT (Operational Tech) often can’t tolerate much latency or change easily (like adding bigger crypto might strain them, plus vendor lock-in). Cloud might actually be easier (cloud providers will do a lot for you, but you need to know where to configure). Endpoints (employee laptops, phones) – you will have to eventually ensure those use PQC in VPN/communications. Each environment category might have separate plans in the roadmap, so capturing them now helps planning.

By knowing your assets intimately, you can prioritize which ones to tackle first in the quantum upgrade plan:

If an asset is critical and has high quantum-vuln crypto, that’s a top priority scenario. Possibly schedule a pilot around it.
If an asset is low criticality, even if it has weak crypto, you might do that later.
If an asset is critical but can’t be upgraded (like an OT device), you need to plan compensating controls.

For example, you might find: “We have 50+ PLCs in factory running vendor firmware from 2015 using RSA for firmware verification. Those PLCs are critical for production, lifespan till 2030, vendor unknown if providing update.” That’s a serious issue – you’d highlight it and consider something like adding an external monitoring or using network segmentation to limit exposure if someone could forge an update later. Or plan to replace them before Q-Day if possible – which might need budgeting soon (these things can be expensive).

5.10.1. Practical Steps for Systems and Assets Discovery and Classification

Consolidate Asset Sources: Pull data from CMDB, network scans, Active Directory (list of computers), cloud accounts (list of VMs, etc.), vulnerability scanner asset lists, etc. Merge into one master list.
Fill in Metadata: For each asset/system, add: owner (could be application owner or IT owner), business function (e.g., Finance, Manufacturing, etc.), environment (Production/Dev), location, etc.
Criticality Assessment: Use existing BIA (Business Impact Analysis) docs if they exist for applications. If not, you might have to do a quick survey: ask each business unit to list their top 5 critical systems, map those to assets. Another approach: rely on tiering if your DR plan has tiers (Tier 0 must restore in 0 hours, Tier 1 in 4 hours, etc.). Those correlate with criticality.
Assign Criticality Ratings: Perhaps define criteria: High (loss of system causes immediate severe business impact – revenue loss, safety issue, legal non-compliance; or system integral to many others), Medium (impact but workarounds exist, or downtime tolerated short while), Low (non-essential, test, or easily recreatable data).
Identify Legacy & Difficult Systems: From asset info, tag anything older than say 2010 tech, or vendor-supplied black boxes, etc., as “Legacy”. These often correlate with low crypto agility. Could even rank crypto-agility per system (like how easy to update crypto on a scale). If known, note if system supports TLS 1.3 or can only do old protocols (an indicator of agility).
Map Assets to Data and Crypto: Using the integration from earlier, for each asset mark if it stores sensitive data (from step 4.9) and which crypto issues (from 4.7) are on it. If many assets share one crypto component (like all endpoints rely on same CA), note that relationship separately.
Plan Tiered Approach: You might later do remediation by asset tier, so ensure you can filter assets by criticality combined with having vulnerable crypto or not.
Check Physical and Network Context: Which network zone is asset in (internal secure zone vs Internet DMZ)? If an asset is in a high-threat zone (Internet-facing) and critical, that heightens risk. Mark that. Also consider physical exposure – OT devices in field may be physically accessible to adversaries, etc.
Review with IT Ops & Business: Let IT operations and maybe the architecture board review the criticality assignments. They might adjust some if you missed how critical something is or overestimated another.
Continuously Update Asset Inventory: Implement scanning or discovery to catch new assets or changes. E.g., integrate with IP address management or cloud API to detect new VMs, and require registration in inventory. The governance should incorporate maintaining this (which often is beyond quantum program – it’s a general IT discipline, but quantum program can spur improvements here).

Now you have:

A list of what matters most (critical systems).
Which of those have crypto weaknesses or long-lived sensitive data.

This three-dimensional view (assets + crypto + data) is exactly what you need to create a prioritized remediation roadmap.

The final preliminary step (before we plan the solutions and rollouts) is to combine everything into a Quantum Readiness Risk Assessment (QRA) – basically formalize the risks and ensure nothing is overlooked (like governance gaps). But we’ve covered the main ingredients:

Crypto vulnerabilities (with context of data and systems).
We might also consider other facets like operational readiness: do we have the right skills, monitoring for quantum developments, etc., as part of risk.

Nonetheless, at this point it might be prudent to formally do a risk scoring, maybe present to a risk committee to get concurrence on priorities. That’s 4.12 coming up.

But let’s reflect on the progress:

We have buy-in, team, awareness, external engagement, we inventoried cryptography, data, and assets, and integrated them, and we identified where our biggest quantum-related security holes will be. Likely, a pattern emerges: e.g., “We really need to address our PKI and VPN systems, and that one legacy database, etc., first.”

Now we move to planning solutions: designing the cryptographic strategy (like how to replace or mitigate each vulnerable component), scheduling it (roadmap), and building necessary governance and agility into the process.

Before that, ensure to perform that formal risk assessment (if required by your frameworks), to translate this technical analysis into risk terms for leadership (some of which we did: mapping to impact, etc.). This can be documented as a QRA report highlighting exposures and recommended actions, which then feeds into the planning.

We will proceed with risk assessment and then strategy development and planning.

5.11. Maintain Up-to-Date Inventories (Continuous Monitoring)

(This section is brief, since it’s more of an ongoing practice than a one-time step, but it’s included for completeness.)

After the herculean effort to build crypto, data, and asset inventories, it’s imperative to keep them up to date. The threat landscape and your IT environment will continue to evolve between now and the advent of full PQC deployment. New systems will be added, new software will be written (possibly reintroducing vulnerable crypto if developers aren’t careful), and business priorities may shift requiring reclassification of some data.

To maintain inventories:

Automate Continuous Discovery: As mentioned, deploy monitoring tools:
- For assets: network discovery tools that detect new devices, cloud inventory scripts that list new VMs or services. Possibly integrate with CI/CD so that when new apps roll out, they register themselves.
- For cryptography: implement scanning in CI pipelines to catch use of banned algorithms in new code commits. Also, some runtime monitoring can be left in place—like an IDS rule to flag any TLS handshake that negotiates an unexpected cipher, or periodic rescans of configs.
- For data: if you have DLP, keep it running on endpoints and servers to ensure data classification tags stay correct. If a new data store is created, apply classification and encryption policy from the start.
Set Alerts on Changes: If someone installs a new certificate that uses RSA, maybe log it and flag if it’s something you intend to phase out. Or if a server that was inventory-empty (no crypto) suddenly starts hosting a new web service with TLS, you’ll discover it. Tools like SolarWinds, or SIEM correlation can detect changes in environment baseline.
Periodic Audits: Schedule formal reviews of inventories at least annually, if not quarterly for critical segments. Essentially repeat (in a lighter way) the steps above to catch drifts. For example, do a quarterly review: has any new system been stood up that hasn’t been classified? Did any developer re-enable a weak cipher? Regular audits keep people on their toes and ensure the program’s progress doesn’t erode.
Integrate with Change Management: Update your change management process to include crypto considerations. E.g., any change that introduces new encryption must specify what algorithm and whether it’s approved (and if not, security team must review). Also for new third-party procurement, require assessment of their crypto (tie into procurement policy as earlier).
Maintain Documentation and Ownership: Assign each part of inventory to an owner for upkeep. For instance, maybe the PKI team owns the certificate inventory, the data governance team owns the data classification list, etc., under oversight of the quantum readiness program lead. Ensure that if personnel changes, this responsibility is handed over (so you don’t lose track).
Update Governance Body: Keep a section in your quantum program governance meetings for “inventory update”. If, say, next year a new quantum algorithm emerges or NIST adds a new standard, you’ll need to update criteria (maybe some algorithm you thought safe is now questionable, etc.). Or if you divest a business unit, drop those assets from scope and adjust priorities.

Maintaining inventories is somewhat tedious, but it’s vital because if you let them get stale, your subsequent planning and execution may miss things. Also, regulators may ask for evidence of continuous management; having current BOMs and inventories is great for compliance evidence.

At this stage, you likely have a dynamic, living knowledge base of your cryptographic posture and data/systems. With that, you can now craft a robust remediation and transition strategy: decide what mitigation techniques to use (not just PQC algorithms, but also things like network segmentation, tokenization, etc.), and how to sequence implementation.

The next sections (4.12 onward) will cover forming that strategy, executing pilots, and rolling out upgrades in a controlled manner, all while handling practical challenges like performance and vendor management.

Finally, after covering all those, we’ll mention operations (monitoring, training, etc., but those are integrated in parts above too).

Now, moving to 4.12 Perform Risk Assessment and Prioritization for Remediation, which is basically summarizing our findings into an actionable risk-based plan.

5.12. Conduct a Quantum Readiness Risk Assessment and Prioritize Remediation

Armed with inventories and a clear view of where your greatest exposures lie, the next step is to synthesize that information into a comprehensive Quantum Readiness Risk Assessment (QRA). The goal is to formally evaluate how quantum-vulnerable your organization is, document the key risks, and prioritize which ones to tackle in what order. Think of this as translating technical findings into a risk management framework that executives and auditors can understand and that will guide your remediation roadmap.

Key components of a QRA:

Scope of Assessment: Clearly define that you assessed cryptographic readiness across systems, data, and vendors. Mention what was in scope (e.g., all enterprise IT and OT systems) and any exclusions (maybe extremely small embedded devices if none found, etc.). This sets context.
Summary of Findings: Provide an overview: e.g., “We found X instances of quantum-vulnerable cryptographic implementations across Y systems. Out of these, Z are associated with high-impact assets or data.” Highlight the big-ticket issues (without too much detail yet). For instance: “Our PKI and VPN infrastructure, certain legacy databases, and third-party dependencies represent the top quantum-related risks.”
Risk Evaluation for Each Area: Break it down by category:
- Confidentiality risks (HNDL): List where long-lived sensitive data is at risk (with current controls vs needed controls). E.g., “Risk: Encrypted customer data could be harvested and later decrypted due to RSA-protected keys. Impact: exposure of PII affecting compliance and reputation. Likelihood: adversaries are known to target such data (HNDL scenario).”
- Integrity risks (TNFL): List where digital signatures/cert trust is a risk. E.g., “Risk: Attackers forge code signing certificate to distribute malware via legitimate update mechanism if quantum decryption of RSA is achieved. Impact: high (could lead to widespread compromise).”
- Availability/Operational risks: Quantum threats could indirectly cause availability issues (less direct, but e.g., if a crypto-broken event leads to emergency patches that disrupt operations, etc.). But main focus is confidentiality/integrity.
- By Business Process: You might align risks to business processes or units: like “Risk to Finance: Secure payment instructions could be forged. Risk to R&D: Trade secrets in repository could be decrypted later,” etc. This can help engage specific stakeholders.
Risk Scoring: If you use a risk matrix (like probability vs impact, though probability in quantum is more timeline-based), you might score each risk. Many might be “High impact, Low current probability but increasing over time.” Some like use of weak crypto now (SHA-1) is high impact, medium probability even now (someone could break it classically). So include those as immediate risks. Use your corporate risk scoring methodology if one exists (like a 5×5 matrix or a heat map).
Prioritized Risk Register: From the evaluation, produce a list of top risks (maybe rank 1 to 10). For each, include:
- Description of risk (scenario).
- Assets/Data at risk.
- Consequences (e.g., data breach, system trust collapse).
- Current controls (if any).
- Risk level (High/Med/Low).
- Recommended Remediation/Mitigation : not the full plan yet, but general approach. E.g., “Upgrade encryption to PQC or hybrid by 2025” or “Implement network segmentation and crypto-gateway for OT devices.”
- An owner (like which team should address it).

This becomes essentially the to-do list that your roadmap will implement.

Consider Business and Regulatory Context: Incorporate external drivers in the risk narrative. For example, if regulators require quantum-safe crypto by 2030, any risk open beyond that becomes not just a security risk but compliance risk. So you might frame: “Risk: Non-compliance with upcoming regulations leading to legal penalties” as a line if appropriate.
Integration of Third-Party Risks: Include vendor risks in this risk assessment. For instance: “Risk: Critical vendor XYZ has no plan for quantum-safe upgrade, potentially blocking our own compliance and exposing data via that vendor’s system.” Rate and plan to manage (maybe in mitigation you say “work with vendor or find alternative by X date”).
Risk Treatment Plan Overview: For each risk, decide if you will Mitigate (most likely via upgrades or compensating controls), Transfer (not really possible for quantum risk aside from insurance which is dubious here), Accept (maybe some minor ones), or Avoid (e.g., eliminate a data set). Likely you mitigate, but e.g., you may accept a low risk like “public-facing website authenticity risk after Q-Day might be low impact, accept until better solution,” etc.
Timeline Consideration: Recognize that quantum risk is time-dependent. You may include a statement like: “These risk ratings assume a significant quantum capability by ~2030 (for planning). If that timeline accelerates, risks become more urgent. Our plan will be continuously adjusted based on quantum progress monitoring.” This covers you if something changes.

Once you have this assessment, it’s wise to review it with stakeholders (risk committee, IT steering, etc.) and get their buy-in that yes, these are the top risks to address. This might involve some tough discussions (“Do we really need to spend on this now for a threat that may be years away?” – you use the assessment to show yes, because the exposure is accumulating now (HNDL) and deadlines loom).

This risk assessment essentially becomes the business case for the next phase, which is remediation. It’s easier to justify funding and action when you can say “We have 5 High risks identified; we propose these 5 projects to bring them to acceptable level.”

5.12.1. Practical Steps to Perform Risk Assessment and Prioritization

Compile All Risk Factors: Gather output from crypto analysis (4.8), data and asset criticality (4.9, 4.10), vendor status (4.5) and see which combinations create critical scenarios. E.g., highlight items where all three align badly: high sensitivity data on a critical system using weak crypto = primary risk item.
Hold a Risk Workshop: Bring together your cross-functional team plus risk/compliance representatives. Walk through identified vulnerabilities and brainstorm impacts and likelihoods. This ensures no perspective is missed (IT might focus on tech impact, compliance on legal impact, etc.).
Document Each Risk in Risk Register Format: Usually a table: Risk, Consequence, Inherent risk level (assuming no new controls), Proposed controls, Residual risk expectation.
Assign Risk Owners: Usually the person who will oversee remediation. Could be the same as the project owner later. E.g., CISO might own the risk “Harvest-now decrypt-later of data X” until mitigated.
Prioritize by Combining Severity and Urgency: Not all High risks need action today if the timeline is long, but you likely treat them as multi-year tasks anyway. Consider something like: fix now (within 12 months) vs fix soon (2-3 years) vs monitor (for beyond 3 years or low impact). This might align to program phases (phase 1 immediate, phase 2 etc.).
Get Management Sign-off: Present the risk findings to an executive risk committee or similar for acknowledgment. Ideally, they formally accept the risk assessment and endorse the remediation prioritization. This helps if any one complains about resources spent – you have management consensus that these are real risks.
Incorporate into Enterprise Risk Management (ERM): If your company has an ERM process, ensure at least an overarching entry like “Post-Quantum Cryptography Transition Risk” is on it, with sub-risks as needed. This means it will get board-level visibility periodically.
Communicate to Stakeholders: For example, let application owners know if their app was identified as high risk due to crypto. It’s partly their risk too (they might need to help fix it). Giving them heads-up that “Application A has high quantum risk because of X” and that you’ll be working with them to mitigate it by Y timeline prepares them.
Plan Risk Reduction Measures: Map each high risk to one or more planned projects or controls. E.g., risk of VPN being broken -> project to implement PQC or hybrid VPN by certain date. This sets stage for next part: the strategy and roadmap.
Set Risk Milestones: Define at what points risk will be reduced. E.g., “By end of 2024, mitigate 50% of identified high risks (by implementing new crypto for these systems), by 2026 mitigate remaining high risks, etc.” These can serve as program KPIs and be reported.

With a prioritized list of problems to solve, you now transition to solution mode – developing the cryptographic strategy (which includes picking approaches like hybrid, replacement, compensating controls, crypto-agility improvements) and then creating a concrete implementation roadmap.

That’s what section 4.13 (Develop Your Cryptographic Strategy) will address: how do we decide what solutions to apply, in what order, and ensuring we maintain agility going forward.

Finally, we’ll get into actual execution: pilots, rollouts, etc., and operationalizing the program (governance, training, etc. as needed).

5.13. Develop a Comprehensive Cryptographic Transition Strategy

By now, you know what needs fixing and in what order of priority. The next step is to devise a cryptographic transition strategy – essentially a plan for how you will remediate or mitigate each risk and move the organization into a quantum-resistant state. This strategy isn’t just “use PQC everywhere” – it needs to consider practical constraints, choosing appropriate solutions for each scenario (be it direct algorithm replacement, hybrid approaches, compensating controls, etc.), aligning with risk appetite and budget.

Key elements of developing this strategy:

Align with Risk Appetite and Constraints: Determine, in consultation with leadership, how aggressively you will pursue mitigation. For instance, some organizations might decide “we will eliminate all RSA/ECC by 2028” whereas others might say “we will implement hybrid solutions by then and fully switch by 2035.” This depends on risk tolerance, regulatory deadlines, and resource capacity. Document these high-level goals.
Set Target State Principles: Define what “quantum-ready” means for you. Example principles:
- All high-value data at rest is protected with quantum-resistant encryption or layered defenses.
- All network communications use PQC or hybrid key exchange by X date.
- The organization maintains crypto-agility to swap out algorithms within Y months when needed (to handle future changes).
- All critical systems can be updated to new crypto without major redesign (this may require modernization).
- Vendors must support PQC or provide mitigations.

These guide the detailed choices.

Risk Mitigation Options – Catalog & Decide: For each risk or crypto use case, decide the best mitigation strategy. Consider:
- Direct algorithm swap: e.g., replace RSA with a PQC algorithm (like CRYSTALS-Kyber for key exchange, or Dilithium for signatures). This is the ultimate goal in many places, but may not be feasible immediately if products don’t support them yet. But likely part of long-term strategy.
- Hybrid cryptography: Use a combination of classical and PQ algorithms in parallel. Strategy could be: in the interim, implement hybrid TLS (ECDHE + Kyber) for external connections – thereby gaining quantum safety now without dropping classical trust. Many see hybrid as a bridge through the 2020s.
- Layered encryption (overlay networks or double encryption): If you can’t replace crypto in an application easily, you might add an extra layer. E.g., use a quantum-safe VPN tunnel overtop an older protocol, or application-level encryption of data before sending over a non-PQ channel. Strategy example: put quantum-safe gateways in front of groups of legacy endpoints.
- Tokenization & data minimization: For data that’s too hard to re-encrypt in place, consider tokenizing it (store real data in secure PQC-protected vault, replace records with tokens). Strategy might be: implement tokenization for all long-term stored personal data by 2025, reducing the sensitive data that needs protection.
- Network Segmentation & Isolation: If certain legacy systems cannot be upgraded, plan to isolate them such that even if their crypto is broken, an attacker can’t move laterally or access critical data. E.g., put legacy OT devices on separate networks with strict controls and quantum-safe link encryption on gateways to them.
- Accelerated Decommission or Replacement: Some outdated systems might just need to go. Strategy could include: identify legacy systems that cannot be made quantum-safe and schedule their replacement (perhaps moving to a new vendor or cloud service that is quantum-ready).
- Strengthening Surrounding Controls: For some systems, adding additional integrity checks or monitoring might mitigate risk of forged commands (e.g., requiring 2-factor or out-of-band verification for critical transactions, so even if a signature is forged, a secondary check stops it).
- Crypto-agility improvements: Ensure all new development follows practices (using centralized crypto libraries, configuration-driven algorithms, etc.), and refactor some existing systems for agility now. This might not directly fix quantum risk but prepares for smoother transitions.
- Monitoring “Quantum Threat Timeline”: Part of strategy can be simply to monitor tech progress so you can accelerate if needed. Include how you’ll keep track (maybe using the Q-Day Estimator tool or intelligence from research).
Design Patterns for Implementation: It helps to outline patterns (some references call these “migration patterns”) :
- Pattern A: In-place upgrade (software that can be patched to PQC).
- Pattern B: Side-by-side environment (build a new environment with PQC and migrate to it).
- Pattern C: Gateway encapsulation (for OT devices: put a PQC gateway that translates).
- Pattern D: Hybrid library insertion (where you insert PQC calls into existing handshake).
- etc. For each category of system, decide which pattern to use. E.g., for internal web services, maybe upgrade TLS libraries; for embedded devices, perhaps gateway overlay, etc.
Address Governance and Key Management: Quantum-safe algorithms often come with new key sizes and management challenges (some PQC public keys are large, which might strain PKI infrastructure). Plan for PKI updates: do you need new CA hierarchy for PQC certs? Multi-algorithm certificates? How will you store and distribute larger keys (maybe HSM firmware needs updates)? Incorporate that into strategy – likely you will need to upgrade cryptographic infrastructure itself. Maybe plan to deploy a new PKI that supports both classical and PQ certificates in parallel, etc.
Consider a “PQC+” Approach: A good strategy recognizes PQC alone isn’t enough. So include complementary security improvements: e.g., more zero-trust architecture (so even if encryption is broken, blast radius is limited), better identity verification (so if digital signatures break, you have other ways to authenticate devices/users), robust monitoring to detect anomalies that could result from crypto bypass (like if suddenly an old certificate is accepted, generate an alert) – these things might already be good security practice, but now you emphasize them specifically for the quantum context.
Set Roadmap and Milestones (Phase-wise): Outline the sequence. Typically:
- Phase 1 (Year 1): Quick wins – fix known weak crypto (SHA-1, short keys), implement crypto agility basics, do pilots of PQC/hybrid on non-prod or select interfaces.
- Phase 2 (Years 2-3): Deploy hybrid solutions on critical external channels, upgrade internal crypto libraries where ready, engage vendors to ensure solutions forthcoming.
- Phase 3 (Years 4-5): Begin cutover to PQC algorithms as standards/products allow on major systems, possibly run them in parallel with classical if needed.
- Phase 4 (By 2030-ish): Achieve full quantum-resistant posture for all critical systems. Decommission or isolate any stragglers.
- Include intermediate goals like “by end of 2024, no more RSA-only key exchanges on public networks” etc.

We will detail the roadmap in 4.14 perhaps, but strategy includes high-level scheduling.

Resource and Budget Planning: For each aspect of strategy, consider resources: do we need new tools (like new VPN appliances that support PQC), training (developers need to learn PQC libs), extra hires (crypto engineer)? Build that into strategy so that when you propose it, it’s clear what investment is needed. Possibly some mitigations are cheaper (segmentation) vs others expensive (replacing all HSMs). You might include an estimate of cost and time per measure.
Contingency Plans: If certain vendor solutions don’t arrive in time, what’s Plan B? E.g., if standard PQC algorithm suffers a crack in next 5 years (always possible one gets broken by classical means or something), how will you adapt? This is where focusing on agility is key – strategy should emphasize building adaptability (like continuously testing new algorithms in lab so you can switch if needed).

Put this all together into a strategy document or playbook. It should connect the dots: because we have these prioritized risks, we will apply these solutions, in this order, to mitigate them within our risk tolerance. It becomes the blueprint for actual project plans.

5.13.1. Understanding Risk Mitigation Options (Key Focus Areas)

Let’s delve a bit deeper into some mitigation options and when to use them:

Strengthening Traditional Security Controls (while waiting for PQC): For systems you can’t immediately fix, improve existing security to lower risk. For example, if an internal application uses RSA and you can’t upgrade it this year, ensure that application is behind robust access control and monitoring so an attacker can’t easily exploit it even if they had the ability. This includes network segmentation (isolate the app to limit traffic capture), stricter access (so fewer insiders or attackers can even get at ciphertext), and logging to detect any anomalies. It’s not a quantum solution per se, but it reduces the chances that someone can perform HNDL in the meantime. A near-term action might be: implement micro-segmentation such that sensitive encrypted flows can’t be tapped except by authorized security tools.
Tokenization and Data Reduction: As mentioned, if you can simply not have the sensitive data at rest, you drastically reduce risk. For instance, instead of storing raw credit card numbers (even if encrypted), store tokens provided by a payment gateway. Then even if an attacker gets the database, there’s nothing to decrypt (the actual cards are elsewhere). This might be easier in some cases than complex crypto upgrades, and aligns with good data hygiene. Plan to identify where tokenization can replace encryption (not everywhere, but often in payment, identity info scenarios it’s possible via third-party vaults). It’s a complement, not replacement, to PQC – but it can lessen the amount you need to protect with PQC.
Vendor Dependency Mitigation: For vendors slow to act, plan mitigations like requiring them to enable hybrid modes (some vendors might allow you to use custom cipher suites, etc.), or front their service with your own proxy that adds quantum-safe encryption. In strategy, say “if Vendor X doesn’t have PQC by 2026, we will implement a TLS proxy with PQC at our end to connect to them, thereby at least protecting half the channel.” Not ideal, but something.
Direct Upgrades (Plan for Each System): Work with each system’s team or vendor to set a target for when they can support PQC. E.g., if you have custom software, schedule development in say 2024-25 to integrate a PQC library once standards are stable. For COTS products, push vendors for roadmap and plan upgrades aligning with their release cycles. Essentially, set an internal deadline per system. E.g., “Email server – upgrade to version supporting PQC by Q1 2025; If not available, implement hybrid TLS on the gateway or find alternative.” This is very specific planning but ensures no one lags indefinitely.
Hybrid Approaches (Bridging Strategy): Recognize that from now until PQC is fully mature and widely adopted, hybrid crypto is a sensible approach. Your strategy should include deploying hybrid solutions where possible as an intermediate milestone. For example: adopt hybrid TLS ciphers (like TLS 1.3 with X25519+Kyber key exchange, which some early implementations already test) for external web services by year X. Or sign critical documents with dual signatures (ECDSA + Dilithium) and store both – so that even after Q-Day, you have a PQC signature for verification. Hybrid gives defense in depth (if PQC later has an issue, classical still there until it’s resolved, and vice versa). It’s a prudent strategy element.
Ephemeral and Short-Term Measures: Use ephemeral cryptography more. E.g., ensure Perfect Forward Secrecy everywhere now (makes HNDL harder) and shorten certificate validity periods (like use short-lived certs that expire annually or faster – so even if one could be forged in future, it’s only valid for short window). Some strategies mention using one-time symmetric keys or rotating keys more frequently to limit exposure time (so an attacker has to capture and break quickly or data becomes moot). This doesn’t solve quantum attacks directly but can narrow the window of useful data for them (e.g., a database re-encrypt data with new keys periodically – so an attacker would have to collect and break multiple keys to get multi-year data). However, note that rotating keys frequently doesn’t ultimately stop a CRQC (it can break them all given enough time) but it might add complexity for an attacker or reduce payoff if some older data changed keys to a new algorithm when you rotate.
Crypto-Agility Investments: Outline tasks purely to improve agility. For instance: implement a centralized crypto service – so that all apps call an API for crypto operations. That way, when you need to swap algorithms, you change the API implementation and all apps automatically use new algorithm. This might be a long-term architecture change but worth pursuing for survivability. Possibly adopting an open standard format for cryptography that allows algorithm identifiers to be updated (like usage of algorithm agility in data structures). Also, build testing and dev environments to experiment with new algorithms – part of agility is familiarity; maybe include PQC in your CI test suite (e.g., test an application with a PQC cipher to see if any assumptions break).
Combine Remediations with Digital Transformation Projects: This is tactical – if you know a certain legacy system is slated for a major upgrade or migration to cloud, incorporate quantum-safe design into that project rather than doing it separately. The strategy can note: “Coordinate PQC upgrades with digital transformation initiatives to minimize duplication of effort.”

Once you’ve chosen methods for each risk, the strategy should be reviewed by stakeholders (especially those who must implement it – Dev teams, IT ops, etc.) to ensure it’s realistic. Adjust as needed.

Now, with strategy in place, the next part is executing – i.e., building the actual roadmap, running pilots, and scaling up. That likely falls in section 4.14 and onward: Pilots & Interim Strategies, and further phases like infrastructure changes and vendor management and training, which in our outline were possibly beyond 4.14 (since 4.14 touched on hybrid strategies in the snippet we saw).

We should align with the aggregator or typical outline:

Actually aggregator had:

Phase 5 – Pilots & migration patterns (which we saw)
Phase 6 – Infrastructure & performance (common failures, dropping in PQC challenges)
Phase 7 – Vendor & supply chain (we covered some under vendor mgmt)
Then sector deep-dives.

Given the user’s request: “the ultimate resource for starting a quantum readiness program”, we likely cover up to including the main execution aspects. Possibly not need to go into sector specifics or knowledge base references (since those were extra reading in aggregator). But maybe a brief mention if relevant.

But we’ve been very comprehensive. We likely have enough to start wrapping up after covering how to pilot and then govern the ongoing program:

I’ll briefly cover piloting and testing (vital to do PQC pilots to see performance etc.), then mention vendor engagement (we did partly), and training (ensuring staff can operate and maintain PQC etc.), and monitoring quantum progress.

5.14. Pilot, Implement, and Iterate – The Roadmap to Quantum Safety

With a strategy defined, the final step is execution: carrying out pilot projects, scaling up deployments, and continuously refining your approach. This involves testing solutions in controlled environments, addressing technical challenges (like performance and interoperability), and then rolling out changes across the enterprise in phases – all while maintaining agility and monitoring progress. Think of it as learning by doing and gradually moving from planning to full implementation.

Key actions in this execution phase:

Run Pilot Projects: Before a full-scale rollout, select a few pilot scenarios to implement quantum-resistant measures and hybrid solutions. For example:
- Pilot a PQC VPN or TLS connection: Perhaps between two of your locations or with a friendly partner. Use one of the PQC algorithms (like set up a test OpenVPN that uses a hybrid ECDH+Kyber key exchange). Measure the performance impacts and catch any compatibility issues.
- Pilot dual-signing of documents or software: E.g., start issuing a secondary post-quantum signature on critical software patches in test environment, to see if validation processes can handle it. This can reveal needed changes in tooling (like if your update mechanism expects a certain signature size).
- Pilot a crypto-agile library in an internal app: Modify a simple internal application to get its crypto calls from a config that can be switched between RSA and a PQC algorithm. See how easy or hard that is for the dev team, and document lessons for other teams.
- Pilot tokenization of a data set: Take a small subset of sensitive data and push it through a tokenization solution, to gauge feasibility and performance.

Document pilot results carefully: performance (latency, throughput differences), any protocol quirks (some middleboxes might block larger handshake messages, etc. – it’s known that PQC algorithms can bloat TLS handshakes causing fragmentation), user experience changes, etc. Use these to fine-tune your strategy. Pilots make the abstract plan concrete and uncover real-world obstacles.

Address Common Implementation Pitfalls: From early experiments and industry knowledge, be mindful of typical pitfalls:
- Protocol and Infrastructure Issues: For instance, some PQC signatures are large and might not fit in existing certificate fields; you might need software updates for that. PQC key exchange might make TLS packets larger than some network gear tolerance – you might have to update or reconfigure those.
- Hardware Limitations: Many HSMs or smart cards currently don’t support PQC. If your pilot shows that, plan alternative key management (maybe software for now, or wait for new HSMs).
- Performance Overheads: Expect that CPU usage might go up for handshake heavy workloads (e.g., a busy web server doing thousands of handshakes may need more CPU if using PQC). Use pilot to measure and plan capacity upgrades if needed (like more CPU or enabling TLS offload on updated hardware).
- Integration with Existing Systems: You might find, say, an older client OS doesn’t support new cipher suites and fails to connect when you enable them – these need identification and remediation (update that OS or else maintain dual-support for a time).

There are resources listing common issues (like the aggregator’s “Common Failures in a Quantum Readiness Program”, which mention things like assuming HSM support, handshake sizes, certificate format issues – we’ve touched on those).

Establish a Multi-Year Roadmap: Create a timeline (Gantt chart style or so) that sequences initiatives:
- Year 1: Inventory, quick fixes, pilots (we’ve done).
- Year 2: Core infrastructure upgrades – e.g., deploy new PKI that can issue PQC certs, enable hybrid modes on external interfaces.
- Year 3-4: Application upgrades in waves – maybe handle one division at a time or one technology stack at a time (like update all Java applications with a new crypto provider that supports PQC).
- Year 5+: Tighten the net – deprecate any remaining classical-only usages, finalize vendor transitions.

Align these with any external deadlines (e.g., if a regulator says critical infra PQC by 2030, ensure your roadmap hits that for those systems by maybe 2028 to be safe).

Also build in review points – perhaps mid-roadmap, re-evaluate if quantum progress is faster/slower than thought and adjust pace accordingly. This is a living roadmap, not static.

Implement Governance & Change Management: Set up a crypto-migration governance board (if not already existing) – comprising stakeholders from different teams – to oversee execution, approve changes, and resolve conflicts (like scheduling downtime for upgrades, etc.). Update change management processes to handle the unusual nature of some changes (like updating certificates to new formats). Possibly maintain a RAID log (Risks, Assumptions, Issues, Dependencies) specifically for the quantum program to track known challenges and mitigation plans.
Engage Vendors Continually: Now that you know when you plan to upgrade each system, coordinate with vendors on required updates. For example, if you plan to switch your database encryption to a PQ algorithm in 2025, ensure the database vendor plans to support that by then. If not, escalate or prepare alternatives (like wrapping DB files in an external encryption). Perhaps arrange joint testing with important vendors – some might be willing to pilot their PQC features in your environment early if you are a willing partner.
Training and Awareness 2.0: As you get closer to making changes, do another round of targeted training. E.g., network engineers might need training on new TLS cipher suites or configuring hybrid VPNs; developers need training on using new crypto libraries properly (to avoid implementing them incorrectly). Also, IT support staff need to know what to expect (if any user-facing changes occur, albeit most should be behind scenes).

Train security operations too: new forms of logs (PQC algorithms might log differently), or how to handle incidents (maybe quantum safety introduces new failure modes). For instance, if a PQ algorithm fails due to something, how to troubleshoot? Have run-books updated.

Monitor Quantum Technological Developments: As execution proceeds, dedicate someone (or use a service) to keep you updated on quantum computing progress. If breakthroughs or delays happen, adjust your program acceleration accordingly. For example, if unexpectedly a research lab hits a milestone implying Q-Day might be sooner, you may trigger contingency to speed up certain parts. Conversely, if progress is slow, you may still continue as planned (can’t slack too much due to the HNDL factor). But monitoring is crucial.

Similarly, monitor cryptanalysis of PQC algorithms: if one of NIST’s algorithms shows a weakness (it’s possible small cracks or parameter changes could be needed), you might pivot to another algorithm or add extra safety margin (like using bigger parameters). Being plugged into the community (via NIST mailing lists, conferences) ensures you catch this.

Validate and Test Continuously: Each time you roll out a new crypto mechanism, do thorough testing:
- Security testing (are there any new vulnerabilities opened by misconfiguration?).
- Interoperability testing (does every client still connect? Are backups still restorable with new encryption?).
- Performance testing (monitor CPU, memory, network after change to catch any saturations).
- If any issues arise, consider rolling back carefully or applying a hybrid approach (maybe keep old method alongside new until fully stable).
- Penetration testing focusing on PQC aspects (though an attacker doesn’t have a quantum computer, they can still test if, say, your fallback from PQC to classical can be forced – ensure you configure to avoid downgrade attacks, etc.).
Celebrate Milestones and Inform Stakeholders: When major milestones are achieved (like “We have made our public web services quantum-safe!”), publicize that internally (and possibly externally as a competitive advantage if your comms team agrees). It boosts morale, validates the program, and shows progress. It might even attract positive attention from customers or regulators (which could be a business advantage). But always be clear that it’s an ongoing journey, not one-and-done.
Plan for Post-Deployment Maintenance: Once PQC algorithms are in place, they too need maintenance (patches for any implementation bugs, potential rotation if something better comes along). Integrate these into normal operations. Maybe decide on a periodic key rotation schedule using PQC keys, etc., to ensure processes are in place (like how we treat classical crypto – regularly update and audit). This ensures the organization stays ready even beyond this initial migration project.

In summary, the execution is iterative: Pilot – Learn – Implement – Monitor – Adjust. It’s a multi-year marathon but by taking it in phases, you make it manageable. You likely will end up revisiting earlier steps (e.g., doing another inventory to ensure nothing new popped up unprotected, or adjusting risk assessment if something drastic changes externally). That’s expected – it’s why establishing governance and agility are so important.

Finally, once your program matures, quantum readiness will become just a part of business-as-usual security and IT management – the distinction fades once everything is in place. But until then, it requires dedicated focus as we’ve outlined.

We have now covered end-to-end steps: from planning, gaining support, to nitty-gritty execution and continuous improvement.

To conclude the ultimate guide, we should reinforce key takeaways and encourage taking action now with these practical steps, summarizing that by following this approach, an organization can confidently navigate to a quantum-safe future and even reap side benefits immediately.

Let’s proceed to a strong conclusion and recap.

Conclusion and Key Takeaways

Transitioning to a post-quantum security posture is undoubtedly a complex, multi-year journey, but it is achievable with foresight, structured planning, and cross-functional commitment. By following the practical steps outlined in this guide – from securing executive buy-in and assembling a capable team, through comprehensive discovery of cryptography, data, and assets, to prioritizing risks and systematically upgrading your defenses – you can build a quantum-ready program that not only addresses future threats but also strengthens your cybersecurity today.

Key takeaways include:

Don’t Wait to Start: The threat of “harvest now, decrypt later” means data you protect today could be compromised in the future if you delay action. Moreover, regulators and customers are already moving the goalposts closer. Initiate your quantum readiness program now to stay ahead of both criminals and compliance deadlines.
Executive Support is Critical: Obtain a clear mandate from senior leadership with defined goals and funding. Use external drivers (regulations by 2030, client demands, cyber-insurance trends) and immediate security benefits (fixing crypto debt, improving inventory) to build a compelling business case. This ensures you have the influence and resources to drive changes across the organization.
Knowledge and Teamwork Matter: Educate stakeholders at all levels – from board members to developers – about the quantum threat and your plan. Establish a cross-functional team that unites IT, security, risk, and business experts to carry out the program. Breaking silos is essential; quantum readiness is not just a CISO or IT project, it’s an organization-wide evolution.
Inventory is Foundational (Know Your Crypto, Data, Systems): You cannot protect what you don’t know you have. Invest time in discovering all cryptographic usage (including hidden and legacy), mapping where your sensitive data resides, and cataloguing your assets and their criticality. This will likely be the most labor-intensive phase, but it yields the roadmap for everything else. Use automated tools but also manual expertise to achieve a thorough inventory, and keep these inventories updated continuously as your environment changes.
Prioritize Based on Risk: Not all vulnerabilities are equal. Focus first on cryptographic exposures that protect long-lived, high-value data and critical systems. For example, an old VPN or database encryption guarding years of personal data is a top priority, whereas a transient test system with minimal data might be lower. Conduct a formal risk assessment to rank these and get agreement on what to tackle in what order. This ensures you apply resources where they matter most and meet key deadlines (e.g., “upgrade all internet-facing encryption by 2025, core internal systems by 2027…”).
Develop a Multifaceted Mitigation Strategy: There is no one-size-fits-all fix. Your plan should combine several approaches :
- Deploy post-quantum algorithms or hybrid solutions in systems where available (e.g., enable hybrid TLS ciphersuites on servers and VPNs as they become supported).
- Use compensating controls for hard-to-upgrade systems (network isolation, crypto gateways for OT devices, stricter access control and monitoring to reduce risk of data theft or forgery).
- Tokenize or purge sensitive data where possible, to reduce the “treasure” an attacker could decrypt later.
- Modernize your PKI and crypto infrastructure to be agile – e.g. introduce support for larger keys and new algorithms, and ensure you can swap components without redesign.
- Plan for vendor delays by leveraging interim measures (such as wrapping third-party services in quantum-safe tunnels) and pushing contractual requirements.

This defense-in-depth approach ensures that even if some parts of your environment take longer to upgrade, you have layers of protection and risk reduction in place.

Pilot and Iterate: Test out new technologies and approaches in controlled pilots before wide rollout. This will help you uncover real-world issues – like performance impacts, software incompatibilities, or unforeseen user experience quirks – while the stakes are low. Use pilot feedback to refine your implementations and timelines. Treat these pilots as learning opportunities that make enterprise deployment smoother and more successful.
Address Practical Challenges (Performance, Compatibility, Skills): Be prepared to solve hands-on problems:
- Expect that some post-quantum operations (especially signatures) will be slower or produce larger data – monitor and mitigate performance issues via tuning or hardware upgrades.
- Replace or update network devices or applications that choked on larger PQC handshakes.
- Update HSMs, client software, and libraries to versions that support new algorithms – and if vendors aren’t ready, coordinate closely or find workarounds.
- Train your technical teams on the new tools and algorithms so they feel comfortable managing them. The program should include upskilling of developers, admins, and security analysts so that PQC and crypto-agility become part of the organization’s skill set.
- Leverage “Marin’s Law” of crypto-agility: the less agile your crypto systems, the longer (potentially infinitely long) it takes to migrate. So invest in agility to make this and future migrations easier.
Build Crypto-Agility for the Future: Perhaps the most enduring lesson is that agility is survival. The post-quantum transition will not be the last crypto upheaval – new threats or better algorithms can emerge anytime. Use this program as an opportunity to embed crypto-agility into your architecture and processes (modular crypto, regular crypto audits, quick update mechanisms). That way, your organization will never be caught off guard by a cryptographic development again, whether it’s a new quantum attack or a classical vulnerability.
Drive Continuous Improvement: Treat quantum readiness as an ongoing program, not a one-off project. Continuously monitor quantum computing advances and cryptographic research – so you can adjust your timelines or approach if needed (for example, speeding up if a breakthrough appears imminent). Keep inventories and risk assessments living documents that are revisited periodically. Incorporate quantum-resistant practices into business-as-usual (e.g., any new system must go through a “quantum risk check”). And remain active in the broader community – share experiences with peers, learn from new guidance (like NIST’s upcoming standards or industry consortium recommendations). A feedback loop of learning and adaptation will keep your program on track amid uncertainty.

Embarking on a quantum readiness initiative is a significant undertaking, but it brings immediate and tangible benefits while safeguarding the future. By systematically enhancing your cryptographic foundations now, you are not only preparing for the advent of powerful quantum computers, but also tightening your security against today’s threats, achieving better visibility of your IT environment, and positioning your organization as a forward-thinking leader in cybersecurity.

In essence, quantum readiness is more than a defensive maneuver – it’s an opportunity to modernize and future-proof your entire security posture. Organizations that act early will minimize the upheaval and cost of the transition and avoid the panic that will ensue when legacy encryption finally falls. They’ll also earn trust from customers, regulators, and partners by demonstrating foresight and resilience.

The path to quantum safety is clear: start now, take practical steps, and build steadily. Use this guide as your blueprint, tailoring it to your specific context. As you execute these steps – from executive buy-in all the way to final rollouts – you will transform a looming cryptographic crisis into a well-managed, even routine evolution of your cybersecurity capabilities.

The quantum clock is ticking, but with the right approach, you are in control of the timeline. By following the comprehensive steps we’ve laid out – and citing the wealth of available resources and lessons learned – you can lead your organization confidently into the post-quantum era, turning what could have been a grave risk into a strategic advantage. Now is the time to act, plan, and execute: embrace crypto-agility, ensure quantum-resilience, and secure your digital future.

1. Introduction

In cybersecurity these days it is impossible to escape the noise about quantum computing. From government agencies to industry organizations and tech bloggers, everyone seems to be pushing a bit of a FUD (fear, uncertainty, and doubt) about quantum computing, as well as weighing in on how organizations should prepare for the expected arrival of Cryptographically or Cryptoanalytically Relevant Quantum Computers (CRQC), or Q-Day, the day when quantum computing is expected to break our current cryptographic defenses.

For a grounded perspective on when Q-Day, also known as Y2Q, might actually occur and what you should monitor to decide on it yourself, check out “Q-Day Predictions: Anticipating the Arrival of Cryptoanalytically Relevant Quantum Computers (CRQC).”

Whenever the Q-Day arrives, today’s main concerns for preparation revolve around the cost and time needed to transition to new quantum-safe technologies. The window for an orderly transition is shrinking because of the advancing maturity of quantum computing. For data that needs to remain confidential for decades, the window for safely transitioning may already be closed. The “Harvest Now, Decrypt Later” threat is critical because adversaries can capture encrypted data today, store it, and wait until quantum computers are capable of breaking traditional encryption. Sensitive information, such as financial data, intellectual property, or government secrets, could be exposed in the future, even if it’s securely encrypted now. For more on this topic, see “Harvest Now, Decrypt Later (HNDL)”

Despite the flurry of attention, much of today’s advice remains vague and high-level. Recommendations like “increase awareness, ” “perform risk assessment, ” “make an inventory of your cryptography, ” or “implement PQC ” keep being repeated, but I have yet to find practical guidance on how exactly one might implement some of these common suggestions. Although the topic of quantum technology is undeniably intriguing, from the practical perspective, the biggest challenges lie in executing thorough inventories of cryptography, sensitive data, and critical systems; mapping system dependencies and especially cryptographic interdependencies; understanding the cryptographic performance and scale requirements; and devising a realistic, risk-driven, optimal plan for the quantum risk mitigation aligned with the organization’s risk tolerance. These tasks will demand the most time, effort, and expertise, yet they are often overlooked in industry publications. In this article, I aim to address this gap by providing holistic, clear, actionable steps that cybersecurity professionals could start implementing right now to prepare their organizations for the quantum era.

2. Practical Reasons for Preparing Now

If you’re involved in cybersecurity, you’re likely aware of the potential risks quantum computing poses to the field. For a refresher, consider reviewing “What’s the Deal with Quantum Computing: Simple Introduction” and “Adiabatic Quantum Computing (AQC) and Its Impact on Cybersecurity” which introduce the key concepts. Additionally, check the “Harvest Now, Decrypt Later (HNDL)” post to understand why addressing the future risk of CRQC is crucial today.

The concept of Q-Day has shifted from a distant possibility to a foreseeable reality. Up until a few short years ago, experts were still questioning the feasibility of quantum computers and whether they would ever become a reality (see “The Argument Against Quantum Computers“). No expert questions the arrival of quantum computers anymore. The discussion these days is about when exactly it will happen, not whether it will happen. Whether CRQCs are already here in secret government labs as some vendors claim, or whether they will arrive in 7-8 years as I optimistically predicted in “Q-Day Predictions: Anticipating the Arrival of Cryptanalytically Relevant Quantum Computers (CRQC),” or in 15 years as is expected by many in the field, there are practical, grounded reasons organizations should start preparing now besides the imminent quantum threat materialization. Here are some:

2.1. The Inevitability of Technological Progress

Quantum computing is advancing at a steady pace. Although it may seem like a recent development with all the noise recently, this field has been evolving for decades (see: “Early History of Quantum Computing“). Even with no groundbreaking discoveries, we can trace a clear trajectory towards the realization of this technology. I am publishing my personal prediction, as well as all the news that shape my prediction, at “Marin’s Q-Day Prediction Page.” While the exact timeline may be uncertain, the direction is clear: quantum computers will eventually become powerful enough to challenge existing cryptographic systems. Major tech companies and governments heavily invest in quantum research, with significant breakthroughs reported regularly. The inevitability of these advancements isn’t a cause for panic but a call to proactive preparation.

2.2. The Complexity of Transition

Transitioning to quantum-resistant cryptography isn’t as simple as flipping a switch, despite what some vendors might claim. It involves evaluating current cryptographic uses, understanding the quantum threat specific to those uses, and then implementing new protocols deemed secure against quantum attacks. Whole protocols and services will need to be re-engineered, because Post-Quantum Cryptography (PQC) typically places greater demands on devices and networks than traditional public-key cryptography. Sometimes it might require replacements of whole core critical systems that would require massive transformation programs lasting many years. This process is time-consuming and complex, requiring a gradual approach to manage risks effectively without disrupting existing operations.

2.3. The Longevity of Data

Many types of sensitive data need to remain secure for long periods. For example, sensitive personal data, trade secrets, and national security information have lifespans that can extend decades into the future. If adversaries intercept such data today, they could potentially store it and decrypt it with quantum computers in the future once CRQCs arrive. This “Harvest Now, Decrypt Later” (HNDL) scenario is a genuine concern driving the need for quantum-resistant measures to be implemented sooner rather than later.

2.4. The Longevity of Digital Infrastructure

For organizations deploying long-lived digital infrastructures, such as those used in critical national infrastructure, industrial control systems, or long-term data storage solutions, the expected lifespan of these systems may exceed the anticipated arrival of CRQCs. Implementing quantum-resistant solutions now is critical to ensure that these systems remain secure throughout their operational life. Or, at least, implement them today in a way that would allow an easy swap of cryptographic modules in the future. More on this later.

This might be a good moment to discuss the oft-mentioned Mosca’s theorem. Named after Dr. Michele Mosca, a prominent researcher in quantum computing, this theorem indicates when to start transitioning to quantum-safe cryptography. The theorem states that if there is a non-negligible chance that the total time required to keep data secure, plus the time needed to upgrade cryptographic systems, exceeds the time until quantum computers capable of breaking current cryptography become operational, then you are already too late.

2.5. Regulatory and Compliance Requirements

Governments and international bodies are beginning to recognize the potential impact of quantum computing on cybersecurity. See “National Initiatives in Quantum Technologies (as of April 2022)” for some of the latest initiatives. This recognition is slowly translating into guidelines and regulations aimed at ensuring that public and private sector entities are quantum-ready. This might speed up soon. With the anticipated release of the National Institute of Standards and Technology (NIST) PQC standard, I expect to see a significant surge in regulatory activity. Many regulators I have spoken with have been waiting for the NIST PQC standard to integrate it into their requirements. Organizations that prepare in advance will position themselves better to comply with these emerging regulations efficiently and cost-effectively.

2.6. Maintaining Public Trust

For businesses, especially those handling customer data, maintaining trust is paramount. Being early adopters of quantum-resistant technologies can give you a competitive edge, showing that you prioritize data security and customer privacy.

2.7. Enhancing Overall Cybersecurity Maturity

Preparing for Q-Day will require thorough audits, inventories of sensitive data, inventories of all cryptographic solutions, and updates of their cybersecurity policies and systems. As you will see later, some of these efforts could have many other cybersecurity and privacy benefits besides preparing for Q-Day. This can lead to overall improvements in cybersecurity hygiene, including better key management practices, better privacy program management, updated security protocols, and strengthened defenses against a variety of cyber threats.

2.8. Insurance

As cyber insurance develops, insurance companies might start asking for proof of proactive actions taken against quantum threats in order to approve policies or provide better terms. Starting early helps ensure compliance with future insurance requirements that might stipulate quantum-readiness.

2.9. Competitive Advantage

Organizations that move quickly to adopt quantum-resistant technologies not only safeguard their data but also position themselves as leaders in a competitive market. Early adoption can serve as a differentiator, highlighting a commitment to cutting-edge security and future-proof strategies.

2.10. Cybersecurity Talent Attraction

Another benefit is the attraction and retention of cybersecurity talent. In a market with a shortage of skilled cybersecurity professionals, organizations that prioritize security and engage with cutting-edge challenges often attract and retain the most qualified candidates.

2.11. Opportunity for Innovation

Engaging with quantum-resistant technologies opens opportunities for innovation within an organization’s IT and cybersecurity departments. Exploring new technologies can lead to discoveries and developments that benefit other areas of the business.

3. Challenges with Post Quantum Cryptography (PQC)

One common misconception I frequently observe among my clients is the belief that once the NIST releases its PQC standards, implementing these new solutions will be simple and straightforward, instantly making their systems compliant and secure. Unfortunately, the reality is far more complex. The transition to PQC will not be a plug-and-play solution; it involves a myriad of intricate challenges that organizations must navigate. For more on PQC challenges see Post-Quantum Cryptography PQC Challenges.

3.1. Algorithm Maturity and Standardization

Despite significant advancements, many PQC algorithms remain in the experimental phase, lacking the extensive testing and validation that current cryptographic standards enjoy. Organizations like NIST have spearheaded the development and standardization of these algorithms through initiatives like the Post-Quantum Cryptography Standardization Project. While promising candidates have emerged, they have yet to achieve the maturity needed for widespread adoption. Even after final standards are released, selected algorithms may require updates as new vulnerabilities are discovered and our understanding of quantum computing evolves. Historically, cryptographic algorithms like RSA and AES have provided long-term security, but the rapidly changing quantum landscape will demand continuous adaptation. Organizations must be prepared for PQC algorithms implemented today to require updates or replacements in the future, emphasizing the need for crypto-agility. For more on crypto-agility, see “Introduction to Crypto-Agility.”

3.2. Performance Challenges

When transitioning to post-quantum cryptography (PQC), one of the critical challenges that organizations often overlook is the significant increase in computational demands and the associated resource requirements. Quantum-resistant algorithms, such as those based on lattice-based or hash-based cryptography, generally require larger key sizes and more complex computations compared to traditional cryptographic methods. For instance, while current RSA implementations might use a key size of 2048 bits, lattice-based cryptographic algorithms may require key sizes of several kilobytes, leading to an increase in the amount of data that needs to be processed and stored, which can lead to increased processing times and greater power consumption. The cumulative impact of deploying PQC across an entire infrastructure can be substantial, with increased key sizes and computational requirements consuming more bandwidth and introducing latency in network communications. This increased computational load can significantly impact performance, especially for IoT devices and other underpowered systems that already operate under stringent resource constraints. Failure to consider these factors can lead to significant slowdowns, increased operational costs, and potentially compromised security if performance issues cause organizations to revert to less secure, pre-quantum cryptographic methods.

Addressing these performance challenges requires strategic approaches such as using hybrid cryptographic schemes that combine classical algorithms with PQC algorithms to balance security and performance. More on that later. Or, improving the efficiency of PQC implementations through code optimization, hardware acceleration, and efficient mathematical libraries is essential. Conducting extensive performance testing and benchmarking in actual operating environments helps identify bottlenecks and optimize configurations. An incremental approach to deployment, gradually introducing PQC algorithms, allows for monitoring performance and making necessary adjustments, ensuring a smoother transition to quantum-secure cryptographic infrastructure.

3.3. Implementation Complexity

Adopting PQC algorithms requires significant changes to existing cryptographic libraries and protocols, which are deeply integrated into infrastructure. Transitioning involves rewriting libraries, modifying protocols, and optimizing performance, demanding substantial code changes and rigorous testing. A phased approach, starting with pilot projects in non-critical systems, and using hybrid cryptographic schemes can help manage these challenges.

Ensuring backward compatibility with existing systems adds another layer of complexity. Many applications and protocols are tailored to specific cryptographic algorithms, making it difficult to introduce new ones without disruption. Implementing PQC in a layered manner and using intermediary solutions like gateways can bridge the gap between classical and quantum-resistant algorithms. Additionally, developers need specialized training to understand and implement PQC algorithms effectively.

3.4. Compliance and Regulatory Challenges

Compliance with new requirements and obtaining certification for PQC systems present significant challenges. The regulatory landscape for PQC is still evolving, with standards and requirements continuously emerging. This ongoing development creates uncertainty for organizations striving to ensure compliance with current and future regulations. Bodies such as NIST and ISO are actively working on establishing PQC standards, but definitive guidelines are not yet fully established. As NIST prepares to release its PQC standard, we can expect a surge in regulatory requirements. Organizations must stay informed by monitoring updates from regulatory bodies, participating in industry forums, and engaging with regulatory agencies to provide feedback during public comment periods. Larger organizations should establish dedicated compliance teams to monitor regulatory developments and ensure alignment with emerging standards, working closely with legal, security, and IT departments.

To address regulatory uncertainty, organizations should adopt a proactive approach to compliance by implementing flexible and adaptable cryptographic systems that can be updated as new standards emerge – in other words, become crypto-agile. For more information see “Introduction to Crypto-Agility.”

3.5. Cost

Transitioning to PQC involves substantial financial investments across various domains, including new technologies, training, and infrastructure upgrades. This can be daunting for organizations with extensive and complex cryptographic infrastructures. Adopting PQC requires purchasing updated cryptographic algorithms, hardware security modules (HSMs), and other cryptographic hardware and software solutions. Additionally, integrating these new technologies into existing systems incurs further costs for customization and implementation. The release of NIST’s PQC standards and the eventual achievement of quantum supremacy are expected to drive a sharp increase in market demand for PQC-enabled equipment, potentially leading to shortages and price hikes.

To mitigate these costs, organizations could consider early investments or early financial commitments in necessary hardware and software by locking in prices and quantities with vendors before the demand spikes. However, be careful, this approach is only recommended if you are able to ensure that these assets can be easily upgraded to meet future standards. Adopting a phased approach to PQC implementation, starting with pilot projects, allows organizations to spread out costs and gain practical insights. Seeking funding and grants from government bodies and industry consortia dedicated to quantum readiness can alleviate some financial burdens. Moreover, as PQC algorithms often require more computational power and memory, planning for infrastructure upgrades, such as purchasing new servers and enhancing network capabilities, is essential. Transitioning to cloud solutions and building up on-premises capacity ahead of demand can further ensure cost efficiency and readiness for the quantum era.

3. What You Shouldn’t Do

Before we get into the specifics of how to prepare, it’s important for cybersecurity professionals to understand the potential challenges posed by Q-Day and be aware of certain pitfalls to avoid during their preparations. Based on my experience in the industry, some of the most common ones include:

3.1. Avoid Panic Buying of Solutions

There are many vendors offering cryptographic solutions that claim to be quantum-resistant. While it may be tempting to purchase these solutions right away to mitigate quantum risks quickly, this approach may not be the most prudent. The National Institute of Standards and Technology (NIST) is currently developing a post-quantum cryptographic standard, which is set to include four encryption algorithms rigorously tested to ensure they provide the necessary protection. The team at NIST expects to finalize and have these standards ready for implementation in 2024. Given the extensive effort put into the NIST Post-Quantum Cryptography (PQC) standard and NIST’s strong reputation, it is likely that other national authorities, sectoral regulators, clients, and insurers will standardize on NIST-approved PQC algorithms and will expect organizations to adopt the same.

Before rushing to purchase or implement new tools, organizations should focus on other steps to prepare for the transition to post-quantum cryptography that are outlined below. This cautious approach is also recommended in the U.S. Department of Homeland Security’s Post-Quantum Cryptography guidance issued in 2022, which advises against premature adoption of unverified technologies.

This approach only makes sense if you are able to technically and contractually assure yourself that the purchased systems can be easily upgraded in the future to comply with NIST PQC standard. In that case it might be prudent to start buying certain solutions now ahead of the mass demand.

3.2. Avoid Rushing to Lock Down Systems

Reacting hastily to latest doom-and-gloom articles in industry publications or inquiries from regulators and national infrastructure protection agencies might lead to a premature “locking down” of systems to demonstrate seriousness of quantum risk management. Such knee-jerk reactions can sometimes disrupt day-to-day operations, especially if, for example, access to data is excessively restricted due to fears like the “Harvest Now, Decrypt Later” (HNDL) risk. While it’s crucial to prepare for the potential impacts of quantum computing, it’s important to remember that the disruption of existing cryptographic systems by quantum capabilities isn’t immediate. The development and deployment of quantum computers capable of breaking current encryption will take time. By starting your preparations now, you can proceed in a calm and coordinated manner.

4. What You Should Do

4.1. Secure Support from Senior Leadership

Securing support from senior leadership is a critical first step in transitioning to post-quantum cryptography. By articulating the importance, presenting a compelling business case, advocating for necessary funding and resources, and setting clear objectives, organizations can help ensure that the initiative receives the necessary funding, resources, and strategic alignment across the organization.

To gain senior leadership support, it’s essential to clearly explain the necessity of transitioning to PQC. Highlight the imminent threats posed by quantum computing, emphasizing that traditional cryptographic algorithms like RSA and ECC will become vulnerable. Explain that failure to adapt could lead to severe security breaches, regulatory non-compliance, operational disruptions, and loss of customer trust. Use real-world examples and case studies to illustrate these points, making the threat tangible and immediate.

Develop a compelling business case that outlines the benefits of crypto-agility. Include cost-benefit analyses, potential risks of inaction, and projected return on investment (ROI). Demonstrate how crypto-agility can enhance security, ensure compliance, improve operational efficiency, and maintain competitive advantage. Show that proactive measures are not just a cost but an investment in the organization’s future stability and reputation. Highlight the long-term savings and risk mitigation that come with proactive security measures.

Work with the leadership to define clear, measurable objectives for the crypto-agility initiative. These objectives should align with the organization’s overall strategic goals and be communicated throughout the organization to ensure alignment and commitment. Setting clear goals helps track progress, measure success, and maintain focus on the most critical aspects of the transition to PQC.

4.1.1. Practical Steps for Engaging Senior Leadership

Develop a Comprehensive Presentation: Prepare a detailed presentation that outlines the threats posed by quantum computing, the necessity of PQC, and the benefits of crypto-agility. Use visuals, graphs, and real-world examples to make the case compelling and understandable.
Develop a Detailed Business Case: Create a comprehensive business case that includes cost-benefit analyses, potential risks of inaction, and projected ROI. Use financial models to demonstrate the long-term savings and risk mitigation associated with PQC.
Secure a Champion: Identify a senior executive who can champion the PQC initiative. This person should have the influence and authority to drive the initiative forward and secure the necessary support from other senior leaders.
Propose a Phased Implementation Plan: Suggest a phased implementation plan that begins with pilot projects in non-critical systems. This approach allows for manageable, incremental changes and provides valuable insights that can be applied to more critical systems later.
Highlight Regulatory Compliance: Emphasize the importance of staying ahead of regulatory requirements. Explain how adopting PQC can help the organization comply with future regulations, avoiding potential fines and legal issues.
Demonstrate Industry Trends: Showcase how other leading organizations and industry peers are preparing for PQC. This benchmarking can provide a compelling argument for why your organization needs to act now.
Plan for Continuous Monitoring and Updates: Propose establishing continuous monitoring and update mechanisms to ensure the cryptographic systems remain secure and compliant. This ongoing effort demonstrates a commitment to long-term security.
Offer Training and Education Plans: Include plans for comprehensive training programs to equip staff with the necessary skills and knowledge for implementing and maintaining PQC. Highlight the importance of staying updated on the latest developments in PQC.
Prepare for Q&A: Anticipate potential questions and concerns from senior leadership. Prepare clear, concise answers that address their concerns and reinforce the urgency and benefits of the PQC initiative.

4.2. Establish a Cross-Functional Team for Quantum Readiness

The foundational steps in the program to prepare for the arrival of Q-Day is to establish a cross-functional team dedicated to driving the quantum readiness program. This team will be pivotal in navigating the technical, regulatory, and strategic challenges associated with transitioning to quantum-safe cryptographic systems.

It is important that the team is a cross-functional team assembled from participants from various relevant teams across the organization. Quantum readiness impacts multiple areas of the organization, from IT and cybersecurity to legal, compliance, and business operations. A cross-functional team brings together diverse expertise, ensuring comprehensive coverage of all necessary domains. This diversity is crucial for addressing the technical complexities, regulatory requirements, and strategic implications of quantum computing.

The team must be empowered with the authority to make decisions and implement changes across the organization. This empowerment ensures that the team can act decisively and effectively, without being hindered by bureaucratic obstacles.

Clearly defining roles and responsibilities within the team ensures accountability and streamlined operations. Each member should understand their specific duties and how they contribute to the overall goals of the quantum readiness program.

4.2.1. Practical Steps to Establish the Team

Define the Scope and Objectives: Clearly outline the scope of the quantum readiness program, identifying specific goals, deliverables, and timelines. This includes conducting cryptographic inventories, transitioning to post-quantum cryptographic algorithms, and ensuring compliance with emerging standards. Set clear, measurable objectives for the team, such as completing a cryptographic inventory, developing a transition strategy, and implementing quantum-resistant cryptographic solutions.
Select the Right Members: Include representatives from key departments such as IT, cybersecurity, legal, compliance, risk management, business operations, and research and development. Ensure that the team includes subject matter experts in cryptography, quantum computing, and relevant regulatory frameworks. These experts provide the necessary technical and strategic insights to guide the program.
Assign Roles and Responsibilities: Appoint a team leader with strong project management skills and the authority to drive the program. The team leader will coordinate activities, manage resources, and ensure that milestones are met. Clearly define roles for each member, such as cryptographic analyst, cryptographic strategist, legal advisor, compliance officer, IT infrastructure lead, and business liaison. This clarity ensures that each aspect of the program is adequately covered. Establish accountability mechanisms to ensure that each member fulfills their responsibilities effectively. Regular progress reviews and performance metrics help maintain focus and drive results.
Provide Necessary Resources and Support: Secure the necessary budget to support the team’s activities, including tools, training, and external consultancy if needed. Adequate funding is crucial for the success of the program. Provide the team with access to state-of-the-art tools and technologies for cryptographic analysis, data discovery, and systems inventory. These tools enable efficient and accurate assessments. Invest in training and education to ensure that all team members are up-to-date with the latest developments in quantum computing and cryptography. Continuous learning is essential in this rapidly evolving field.
Develop a Detailed Action Plan: Create a detailed project plan that outlines the specific steps, timelines, and milestones for the quantum readiness program. This plan serves as a roadmap for the team’s activities. Identify potential risks and develop mitigation strategies to address them. Proactive risk management ensures that the program stays on track and adapts to challenges. Develop a communication plan to keep all stakeholders informed about the progress and key developments of the program. Transparent communication fosters trust and collaboration.
Foster Collaboration and Continuous Improvement: Schedule regular meetings to review progress, address challenges, and make necessary adjustments to the plan. These meetings facilitate ongoing collaboration and problem-solving. Implement mechanisms to gather feedback from team members and other stakeholders to continuously improve the program. Feedback helps identify areas for enhancement and ensures that the program evolves effectively. Encourage the team to engage with industry forums, conferences, and working groups to stay informed about the latest trends and best practices. External engagement provides valuable insights and fosters innovation.

4.3. Launch an Awareness Campaign on Quantum Computing

The initial step in preparing for the impacts of quantum computing, once the project team is set up, is to launch an enterprise-wide awareness campaign. This is listed as the first step in most papers and guidances. This campaign should educate all levels of the organization about both the opportunities and risks associated with quantum computing. Here are some key recommendations on how to conduct this campaign:

Balance the Narrative: Avoid focusing solely on the fear, uncertainty, and doubt (FUD) often associated with quantum computing. While it’s important to discuss the challenges, including the potential risks to cryptography (as discussed in my Q-Day article), it’s equally important to highlight the opportunities that quantum computing presents. This balanced approach helps foster a realistic understanding of what quantum supremacy and CRQC will mean for your organization. Emphasizing the potential benefits, such as breakthroughs in optimization, materials science, and machine learning, can help engage stakeholders positively.

Tailored Communication Strategies: Develop multiple campaign streams with tailored messages for different groups of stakeholders within the organization. Some of the key stakeholder groups and their specific concerns might include:

Corporate Boards: Focus on strategic risks and opportunities, compliance, and the long-term impact on business models. Highlight the importance of proactive measures and investments in post-quantum cryptographic solutions to safeguard the organization’s future.
Executive Management: Address operational risks and the need for integrating quantum-safe practices into the organization’s security strategy. Discuss resource allocation, timelines for transitioning to quantum-resistant cryptography, and potential collaborations with industry and academic institutions for staying ahead of quantum advancements.
IT and Security Teams: Provide detailed information on the technical aspects of quantum computing threats, such as the vulnerabilities of current cryptographic systems and the specific post-quantum cryptographic algorithms recommended by standards bodies like NIST. Emphasize the importance of conducting a comprehensive cryptographic inventory and the steps needed for transitioning to quantum-resistant algorithms.
General Staff: Create easy-to-understand materials that explain the basics of quantum computing, its potential impact on their daily work, and the broader implications for the organization. Use engaging formats such as videos, infographics, and interactive sessions to ensure widespread understanding and retention.

Involve External Experts: Engage external experts and consultants to provide insights and training sessions on quantum computing. Collaborating with academic institutions, industry leaders, and specialized organizations can bring authoritative perspectives and up-to-date knowledge on quantum computing developments and their implications. Given that quantum computing is a nascent and complex field, misunderstandings are common. There have been instances where major companies tasked internal non-experts with preparing awareness materials, resulting in confusion and conflation of quantum computing with unrelated topics such as quantum mind theories and quantum mysticism.

Promote a Culture of Continuous Learning: Encourage a culture of continuous learning and curiosity about emerging technologies. Offer incentives for employees to participate in training programs and stay informed about the latest developments in quantum computing and cybersecurity.

4.3.1. Practical Steps to Launch an Awareness Campaign on Quantum Computing

Define Objectives and Audience: Clearly define the goals of the awareness campaign. This might include educating employees about quantum computing fundamentals, explaining the potential risks and opportunities, and preparing the organization for future transitions to quantum-safe technologies. Segment the audience into different groups such as executives, IT staff, security teams, and general employees. Tailor the campaign messages to address the specific concerns and interests of each group.
Develop Educational Content: Develop a range of educational materials, including whitepapers, articles, infographics, videos, and presentations. Ensure the content covers: basics of quantum computing and how it differs from classical computing; potential benefits, such as advancements in optimization, drug discovery, and cryptography; and, risks associated with quantum computing, particularly the threat to current cryptographic systems. Collaborate with quantum computing experts, academic institutions, and industry leaders to ensure the content is accurate and up-to-date. Use analogies and simplified explanations to make complex quantum computing concepts accessible to non-technical audiences.
Tailor Communication Strategies: Provide high-level briefings for executives, focusing on strategic implications, potential business impacts, and the importance of proactive planning. Conduct detailed technical workshops for IT and security teams, explaining the specifics of quantum threats and mitigation strategies. Organize interactive sessions for general staff, using engaging formats such as quizzes, gamified learning, and interactive webinars.
Utilize Multiple Communication Channels: Publish articles, updates, and educational content on the company intranet and through internal newsletters. Send targeted email campaigns with key messages and links to further resources. Host live webinars and workshops with Q&A sessions to address questions and concerns in real-time. Use posters and digital signage in common areas to reinforce key messages and maintain visibility of the campaign.
Engage and Involve External Experts: Host guest speakers from academia, industry, and cybersecurity organizations to provide authoritative insights and firsthand experiences. Engage with industry groups and consortia focused on quantum computing to share knowledge and best practices.
Monitor and Evaluate Effectiveness: Implement feedback mechanisms such as surveys, polls, and suggestion boxes to gather input from employees about the campaign’s effectiveness. Monitor participation rates in webinars, workshops, and other activities to gauge engagement levels. Use the feedback and engagement data to refine and adjust the campaign, ensuring it remains relevant and impactful.
Maintain Momentum and Continuity: Keep the momentum going by providing regular updates on quantum computing advancements and related organizational plans. Offer ongoing learning opportunities such as advanced workshops, certification programs, and access to online courses. Periodically reinforce key messages through various communication channels to keep quantum computing risks and opportunities top of mind.

Quantum computing and PQC represent emerging fields with the potential to significantly impact organizations. However, the rapid development of these technologies and the scarcity of experienced professionals create substantial challenges. In this context, it is critical for organizations to engage with external entities such as NIST and other Standards Development Organizations (SDOs), local national cybersecurity agencies, academia, and industry consortia. Such engagement is essential for staying informed, accessing cutting-edge research, and building a robust security posture.

4.4.1. Engage with NIST and Other Standard Development Organizations

Stay Informed on Standards Development: Regularly monitor updates from NIST and other relevant standards bodies to stay abreast of the latest developments in PQC standards. Subscribe to newsletters, attend webinars, and participate in public comment periods. Staying informed helps ensure your organization is prepared for emerging standards and best practices.
Participate in Working Groups: Actively participate in working groups and committees focused on PQC. Involvement in these groups provides insights into emerging standards and offers opportunities to contribute to the development of new cryptographic methods. By being part of the conversation, your organization can influence the direction of standards development and stay ahead of regulatory changes.
Contribute to Standards Development: Offer feedback during public comment periods for draft standards. Sharing practical insights and challenges can help shape more effective and implementable standards. Engage in collaborative research projects with standards bodies to test and refine new cryptographic algorithms, accelerating the development of robust PQC solutions.

4.4.2. Collaborate with National Cybersecurity Agencies

Establish Regular Communication: Establish liaison relationships with local national cybersecurity agencies. Designate a point of contact within your organization to maintain regular communication and share information on emerging threats and best practices. Participation in advisory committees and working groups organized by these agencies can provide valuable insights into governmental priorities and initiatives.
Share Threat Intelligence: Join information-sharing programs and platforms facilitated by national cybersecurity agencies. Sharing threat intelligence enhances collective security and helps identify emerging threats more quickly. Transparent incident reporting to national agencies builds a comprehensive understanding of the threat landscape and informs the development of more effective defensive measures.

4.4.3. Engage with Academia

Collaborate on Research Projects: Partner with academic institutions on research initiatives focused on quantum computing and cryptography. These collaborations can lead to innovative solutions and provide access to cutting-edge research. Funding and grants to support academic research foster the development of new technologies and strengthen ties with the academic community.
Leverage Academic Expertise: Invite academic experts to conduct guest lectures, workshops, and training sessions for your organization. Engaging with academia provides valuable insights and helps build internal expertise. Attending and presenting at academic conferences related to quantum computing and cryptography offers opportunities to share knowledge, network with researchers, and stay informed about the latest advancements.

4.4.4. Collaborate with Industry Consortia and Peer Organizations

Join Industry Groups and Consortia: Join industry groups and consortia focused on cybersecurity and cryptography, such as the Quantum-Safe Security Working Group of the Cloud Security Alliance (CSA) or the European Quantum Industry Consortium (QuIC). Membership in these groups provides access to a wealth of resources and collaborative opportunities.
Share Best Practices and Experiences: Use knowledge-sharing platforms and forums facilitated by industry groups to exchange best practices and experiences with peer organizations. Publish case studies and white papers detailing your organization’s experiences with implementing PQC and achieving crypto-agility. Sharing these insights helps other organizations navigate similar challenges and fosters a culture of collective learning.

4.5. Preparing Your Third Parties for the Arrival of CRQC

The reality is that the majority of companies will not start preparing for the arrival of CRQC in a timely manner. If your organization begins its preparations now, as it should, a significant portion of your risk exposure will come through your third parties – providers of services, software, and infrastructure that are deeply embedded and interlinked with your systems.

At this point in the process, you should inform all your relevant partners and providers that in the coming months you will be working to understand your total quantum risk exposure, which will include assessing their readiness for quantum threats as well.

4.5.1. Practical Steps for Preparing Your Third Parties for the Arrival of CRQC

Communicate Early and Clearly: Start by sending formal communications to your third-party vendors and partners, informing them about your quantum readiness initiatives. Explain the importance of preparing for CRQC and how it could impact not just your organization but the entire supply chain. Organize webinars or meetings to discuss quantum computing threats and the necessity of transitioning to quantum-safe cryptography. Provide educational materials such as whitepapers, articles, and videos that highlight the implications of quantum computing on current cryptographic systems. Providing this early heads-up helps maintain strong relationships with your suppliers by demonstrating transparency and proactive risk management.
Collaborative Risk Assessment: Propose collaborative risk assessments where you can work together with your third parties to evaluate their current cryptographic practices and readiness for quantum threats. Develop a checklist or framework to guide the assessment process, ensuring all critical aspects are covered. This collaborative approach not only helps in identifying potential vulnerabilities but also fosters a sense of shared responsibility and partnership.
Incorporate Quantum Readiness in Contracts: Review and update existing contracts to include clauses that require third parties to adhere to quantum-safe practices.Specify timelines and milestones for completing quantum readiness assessments and transitioning to quantum-resistant algorithms. Define clear compliance requirements and standards that third parties must meet to ensure alignment with your organization’s quantum security policies. Update your contractual agreements to include clauses that require third parties to adhere to quantum-safe practices and to undergo regular assessments. This contractual obligations ensures that your partners take the necessary steps to prepare for quantum threats, aligning their security measures with your own.
Provide Resources and Support: Offer resources, such as guidelines, toolkits, and access to quantum computing experts, to help your third parties understand and implement quantum-safe practices. Offer access to quantum computing experts who can provide personalized advice and support to third parties. Consider hosting workshops or training sessions led by these experts to address specific concerns and challenges. Facilitate forums and communities of practice where third parties can share their experiences, challenges, and solutions related to quantum readiness. By supporting their efforts, you create a more resilient ecosystem that can collectively withstand the challenges posed by CRQC.
Monitor and Review Progress: Establish mechanisms for regular monitoring and reviewing the progress of your third parties’ preparations. Use tools and platforms that allow for continuous tracking and reporting of their quantum readiness status. Periodic audits and assessments will help ensure that your partners are on track and that any gaps in their quantum readiness are addressed promptly. Provide feedback and recommendations based on audit findings to help them improve their preparedness.

Your proactive approach can motivate your suppliers to begin their own preparations, creating a ripple effect across your extended ecosystem. As more organizations within your network adopt quantum-safe practices, the overall resilience against CRQC threats is enhanced. By taking these steps, you not only reduce your organization’s risk exposure but also contribute to a broader industry movement towards quantum readiness.

4.6. Set Up Governance for Integrating Cryptographic Inventory, Sensitive Data Discovery, and Systems & Assets Inventory Projects

While most industry guidances emphasize the importance of conducting a cryptographic inventory, this step alone is insufficient for a comprehensive quantum readiness strategy. A cryptographic inventory identifies where and how cryptographic functions are implemented within your organization, but it does not provide the context necessary to prioritize these findings effectively. For example, discovering a highly vulnerable cryptographic module used solely to protect non-sensitive data within an otherwise closed, well-protected system would not warrant immediate action. Therefore, integrating cryptographic inventory with sensitive data discovery and classification, as well as systems and assets discovery and classification, is essential. This integrated approach ensures a more efficient and effective post-quantum migration plan. Beyond preparing for quantum threats, these discovery, classification and inventory effots will in other ways enhance your overall security, facilitate regulatory compliance, and help with operational efficiency improvements.

So, my recommendation is to conduct comprehensive inventories in three key areas: cryptographic implementations, sensitive data, and systems and assets. While each of these inventories serves distinct purposes and requires different methodologies, integrating and coordinating them is a prerequsite for a comprehensive and efficient quantum risk mitigation planning.

Cryptographic Inventory: This inventory identifies and assesses all uses of cryptography within the organization. It focuses on evaluating current cryptographic implementations and understanding their vulnerabilities to quantum threats.

Sensitive Data Discovery and Inventory: This inventory aims to discover, catalog, and classify all sensitive data within the organization. It ensures that in the quantum resistance planning, the focus of mitigation actions is appropriately allocated to protect the most sensitive data first.

Systems and Assets Inventory: This inventory catalogs, and classifies, all hardware and software assets within the organization. It provides visibility into the IT and OT infrastructure and helps prioritize quantum risk mitigation activities for most critical systems.

By conducting these inventories separately, cybersecurity teams can leverage specialized tools and methodologies tailored to each inventory’s unique requirements. However, integrating the findings and coordinating these efforts are essential for comprehensive quantum readiness efforts.

4.6.1. Practical Steps for Setting Up Governance for Integrating Cryptographic Inventory, Sensitive Data Discovery, and Systems & Assets Inventory Projects

Define Objectives and Scope: Define the scope to include all systems, applications, and devices using cryptographic functions. Define the scope for sensitive data inventory as well. It should encompass all data repositories, including databases, filesystems, and cloud storage. Finally, define the scope for systems and assets inventory, which should include all network-connected devices and software applications.
Develop Detailed Project Plans: Create detailed project plans with clear timelines and milestones for each inventory effort. Ensure that plans are realistic and achievable. Allocate necessary resources, including personnel, budget, and tools, to support the inventory efforts.
Establish Integration and Coordination Mechanisms: Develop a comprehensive, unified framework that integrates all three inventories. This framework should outline the integration points, coordination mechanisms, and reporting structures. Schedule regular synchronization meetings to ensure that teams stay aligned and can share progress and challenges. Implement a centralized reporting system that consolidates findings from all inventories, enabling comprehensive analysis and decision-making.
Normalize Collected Data: Recognize that the inventory information you gather will require continuous maintenance. Overlapping data points are inevitable, so it’s crucial to establish a records structure that is mutually exclusive and collectively exhaustive. Ensure all necessary information for cryptographic strategy development is included, while avoiding duplication and data inconsistencies. Store each relevant data element only once, maintaining a single source of truth.
Conduct Periodic Reviews and Audits: Schedule periodic reviews and audits of the inventory processes and findings, coordinated across all these three categories of inventories, to ensure compliance with established standards and to identify areas for improvement. Regular audits help maintain the integrity and reliability of the inventories.

4.7. Perform Cryptographic Inventory

Performing a thorough cryptographic inventory will be your most important preparation step. Recommended by all major post-quantum security guidances and frameworks, this step is essential for understanding and mitigating quantum-related risks. However, it is often portrayed as a straightforward task, or even mentioned only in a passing implying that this step is easy, when in reality, it is a complex and lengthy exercise that requires extensive technical knowledge and coordination across the organization. Major organizations, based on my experience so far, should plan for this step alone to take one to two years of dedicated team effort. The situation is further complicated by cryptographic inventory tool vendors who may imply that their tools provide a complete solution. While these tools are invaluable in aiding the inventory process, they can never provide a 100% inventory on their own. A holistic approach combining tools, manual audits, and continuous monitoring is necessary to achieve a comprehensive cryptographic inventory.

Achieving a 100% cryptographic inventory is critical because leaving even a single cryptographic module left vulnerable can serve as an entry point for attackers, potentially compromising the entire network. In the context of quantum threats, traditional cryptographic algorithms like RSA and ECC will be rendered insecure, making it imperative to identify and remediate every instance where these algorithms are used. A thorough inventory ensures that all cryptographic implementations are accounted for, assessed for vulnerability, and prioritized for transition to quantum-safe algorithms.

4.7.1. Challenges With Cryptographic Inventory

The primary difficulty with this step lies in the sheer complexity and diversity of modern IT environments. Cryptographic functions are often deeply embedded in a wide range of applications, systems, and devices, making them difficult to discover. This is particularly true for legacy systems and third-party applications where documentation may be incomplete, outdated, or entirely absent. The distributed nature of modern IT architectures, including cloud services, microservices, and IoT devices, further complicates the task, as cryptographic implementations can be scattered across various environments and platforms.

4.7.2. Cryptographic Inventory Tools

There are number of very useful tools on the market that can help you with the initial cryptographic inventory. Some of the most well-known ones are listed below (in not particular order). Please note that I am not endorsing any of these tools, just providing the list for your convenience: SandboxAQ AQtive Guard; IBM Quantum Safe Explorer; Infosec Global AgileSec Analytics; Keyfactor The Crypto-Agility Platform.

When selecting automated tools for conducting a cryptographic inventory, it is crucial to ensure that the tools offer comprehensive coverage across various facets of the IT environment. Effective tools should have capabilities that include as many capabilities as possible from the list below:

Passive Network Traffic Monitoring: The tool should be capable of passively monitoring network traffic to identify any encrypted communications. This involves analyzing data packets to detect the use of secure protocols such as TLS/SSL, IPsec, and others. By highlighting all instances of encrypted communication, organizations can map out where cryptographic functions are being utilized across the network.
Runtime Application Monitoring: The tool should monitor applications at runtime to detect calls to known cryptography APIs. This real-time analysis can identify dynamically loaded libraries and cryptographic operations that are not evident in static code analysis. It ensures that all cryptographic uses, including those in memory or during specific application states, are accounted for.
Filesystem Scanning: Comprehensive filesystem scanning is essential to locate DLLs and other libraries known to contain cryptographic functions. The tool should search for and analyze these files to identify embedded cryptographic operations. This step helps in uncovering cryptographic implementations that might not be directly visible through code or network analysis.
Source Code Analysis: The tool should perform a thorough review of all accessible source code to identify any uses of cryptography. This includes scanning for known cryptographic libraries, functions, and custom implementations. Source code analysis provides a detailed understanding of how cryptographic techniques are applied within the organization’s applications and can reveal hard-coded keys or deprecated algorithms.
Deep Binary Analysis: Tools should be able to analyze compiled binary code for embedded cryptographic operations. This is particularly useful for applications where source code is not available, such as proprietary software or third-party applications. Binary analysis can detect the use of cryptographic functions and identify hard-coded keys or insecure algorithms.
Database Scanning: Tools should include capabilities to scan databases for cryptographic usage, such as encrypted columns or fields, and the use of cryptographic functions within stored procedures. This helps in identifying cryptographic operations that may not be apparent from application code alone.
Memory Dump Analysis: Tools should have the capability to analyze memory dumps to detect cryptographic keys, algorithms, and operations that are in use during runtime. This helps in identifying cryptographic functions that may not be evident through static or dynamic code analysis.

While automated tools play a crucial role in identifying cryptographic uses, they have significant limitations. Tools can help scan and detect cryptographic functions across the network, but they often fall short in uncovering non-standard or deeply embedded implementations. Automated tools might miss custom cryptographic algorithms, proprietary encryption methods, or cryptographic functions embedded within obscure code paths. Additionally, these tools may struggle with environments that have limited visibility, such as encrypted communication channels or protected storage areas, leading to gaps in the inventory.

4.7.3. Approach

To overcome these challenges, you should adopt a comprehensive approach that combines automated tools with manual methods. Begin by deploying automated scanning tools to cover the broad spectrum of the IT environment and identify obvious cryptographic implementations. Supplement this with manual code reviews and audits, particularly focusing on legacy systems, custom applications, and third-party software where automated tools might miss critical details. Engage with software developers, system architects, and third-party vendors to gain insights into less visible cryptographic uses.

Additionally, foster a culture of continuous discovery and improvement. Regularly update and audit the cryptographic inventory to account for new implementations and changes in the environment. Training and awareness programs for developers and IT staff can also help in recognizing and documenting cryptographic uses as they develop new systems and applications. By adopting a multi-faceted approach, organizations can achieve a more accurate and comprehensive cryptographic inventory, laying a strong foundation for transitioning to quantum-safe cryptography.

4.7.4. Practical Steps for Performing Cryptographic Inventory

Preparation and Planning: Clearly outline the systems, applications, and data repositories included in the inventory. This should encompass servers, databases, applications, network devices, IoT devices, and any third-party systems. Establish the goals of the inventory, such as identifying cryptographic vulnerabilities, planning for migration to post-quantum cryptography (PQC), and ensuring compliance with security standards.
Data Collection and Discovery: Deploy automated tools to monitor networks, analyze the file system, capture run-time calls to cryptographic functions, and scan all the source code for cryptographic calls. Supplement automated scanning with manual audits and reviews. Perform manual code reviews to uncover non-standard or deeply embedded cryptographic uses. Engage with developers, system architects, and third-party vendors to gather insights on cryptographic implementations that may not be visible through automated tools.
Utilize Dependency Analysis Tools: In addition to automated scanning and manual reviews, use dependency analysis tools to trace and document the dependencies between various software components. These tools can help map out which components rely on specific cryptographic functions and how they interact with each other, providing a clearer picture of potential vulnerabilities and critical points in the system.
Mapping Dependencies: Supplement automated dependency analysis with manual mapping and develop maps of system dependencies to understand how different components interact and rely on cryptographic functions.
Integrate with Configuration Management Databases (CMDBs): Integrate your cryptographic inventory efforts with existing Configuration Management Databases (CMDBs) to maintain an up-to-date record of cryptographic assets. CMDBs can help track changes in the environment, heloing ensure that any new cryptographic implementations are added to the inventory.
Consider Implementing a Cryptographic Management Platform: Deploy a cryptographic management platform to centralize the management and monitoring of all cryptographic keys, certificates, and algorithms. These platforms can provide real-time visibility into cryptographic assets, automate routine tasks such as key rotation, and enforce policies.
Establish Continuous Monitoring and Updates: Use automated monitoring solutions to continuously track cryptographic implementations and detect changes. Set up alerting mechanisms to notify relevant teams of any deviations or new cryptographic instances detected.
Conduct Regular Audits: Perform regular audits to verify the accuracy of the cryptographic inventory and ensure compliance with updated policies and standards. Maintain and update the cryptographic inventory regularly to reflect new applications, updates, and configurations.

4.8. Assess Cryptographic Vulnerabilities

After completing a thorough cryptographic inventory, the next critical step is to assess the vulnerabilities of these cryptographic systems. Before embarking on a comprehensive risk assessment that incorporates additional business context and dependencies, it is essential to evaluate the current cryptographic implementations in isolation to determine their susceptibility to quantum computing threats. For many of the identified cryptographic systems, the vulnerability assessment will be straightforward, as the algorithms used will be well-known and recognized as vulnerable. However, for some cryptographic implementations, additional approaches may be required to thoroughly assess their vulnerabilities. These approaches include:

Comprehensive Vulnerability Assessment Approaches: A comprehensive cryptographic vulnerability assessment will, to a large extent, be performed by the same automated tools above that will help you with the cryptographic inventory. However, for certain systems you might need to supplement the output of those tools with additional vulnerability assessments performed by other specialized tools or manually. Key approaches will include:

Dependency Mapping: Develop detailed maps of system dependencies to understand how different components rely on cryptographic functions. This helps identify critical points where vulnerabilities could have the most significant impact.
Static and Dynamic Code Analysis: Use both static and dynamic analysis tools to identify cryptographic functions and assess their security. Static analysis examines the code without execution, while dynamic analysis evaluates the behavior of cryptographic systems during runtime.
Configuration Audits: Perform detailed audits of cryptographic configurations across all systems and applications. Ensure that settings adhere to best practices and that there are no misconfigurations that could compromise security.

Cryptographic Health Check: This process involves a comprehensive review of all cryptographic implementations to identify weaknesses and ensure they adhere to current security standards. Key aspects of a cryptographic health check include:

Algorithm Review: Examine the cryptographic algorithms in use to ensure they are not deprecated or considered weak. Algorithms which are vulnerable to quantum attacks, should be flagged for replacement.
Key Length and Management: Assess the key lengths used in cryptographic operations. Ensure that key management practices follow best practices, including regular key rotation and secure key storage.
Protocol Analysis: Evaluate the cryptographic protocols in use to ensure they are configured correctly and do not use outdated or insecure settings.

Cryptographic Penetration Testing: Cryptographic penetration testing is a proactive approach to identifying vulnerabilities by simulating attacks on cryptographic systems. This method helps uncover weaknesses that may not be evident through static analysis alone. Key elements of cryptographic penetration testing include:

Exploiting Known Vulnerabilities: Test for known vulnerabilities in cryptographic implementations, such as weak algorithms, improper key management, and misconfigured protocols.
Custom Cryptographic Analysis: Assess proprietary or custom cryptographic algorithms and implementations for potential weaknesses.
Dynamic Testing: Conduct tests in a runtime environment to observe how cryptographic systems perform under attack conditions.

Storing and Integrating Assessment Results: To ensure that the findings from cryptographic vulnerability assessments are actionable and integrated into the broader security strategy, it is crucial to store the results alongside the cryptographic inventory. Utilizing a Configuration Management Database (CMDB) or a similar centralized repository can facilitate this integration. Key steps include:

Centralized Data Storage: Store all assessment results in a centralized repository to maintain a single source of truth. This repository should be accessible to relevant stakeholders, including security teams, system administrators, and compliance officers.
Regular Updates and Audits: Continuously update the repository with new assessment results and audit findings. Ensure that any changes to cryptographic implementations are promptly reflected in the repository.
Integration with Inventory: Ensure that the assessment data is linked to the corresponding entries in the cryptographic inventory. This integration allows for comprehensive analysis and informed decision-making regarding vulnerability remediation and prioritization.

4.8.1. Practical Steps for Assessing Cryptographic Vulnerabilities

Preparation and Planning: Clearly outline the systems, applications, and data repositories included in the assessment. Establish the goals of the assessment.
Utilize Static and Dynamic Code Analysis: Apply static analysis to examine code without execution and dynamic analysis to evaluate the behavior of cryptographic systems during runtime. This combination provides a thorough understanding of cryptographic uses and potential weaknesses.
Conduct Cryptographic Health Checks: Perform comprehensive reviews of all cryptographic implementations to identify weaknesses. This includes examining algorithms, key lengths, management practices, and protocol configurations.
Perform Cryptographic Penetration Testing: Simulate attacks on cryptographic systems to uncover vulnerabilities not evident through static analysis. Focus on known vulnerabilities, custom cryptographic implementations, and dynamic testing in runtime environments.
Conduct Configuration Audits: Audit cryptographic configurations across all systems and applications to ensure adherence to best practices and identify misconfigurations that could compromise security.
Update Dependency Maps: Update detailed maps of system dependencies to understand how different components interact and rely on cryptographic functions.
Store and Integrate Assessment Results: Use a centralized repository, such as a CMDB, to store all assessment results. Regularly update the repository with new findings and ensure that any changes to cryptographic implementations are promptly reflected. Integrate the assessment data with the cryptographic inventory for comprehensive analysis and decision-making.

4.9. Sensitive Data Discovery and Classification

This process involves identifying, categorizing, and understanding the sensitivity of the data within an organization. When combined with the outcomes of a cryptographic inventory, it enables more effective and prioritized planning for transitioning to post-quantum cryptography (PQC).

Identifying data sensitivity and value is crucial because different types of data carry varying levels of sensitivity. Personally identifiable information (PII), financial records, intellectual property, and health records are examples of highly sensitive data that require stringent protection measures. Beyond sensitivity, the value of data to the organization and potential attackers should be assessed. This helps determine the level of security needed to protect it.

Regulatory compliance is another significant reason for performing sensitive data discovery and classification. Many industries are subject to regulations that mandate specific data protection measures. For example, GDPR, HIPAA, and PCI DSS have stringent requirements for handling sensitive data. Proper data classification ensures compliance with these regulations, helping to avoid fines and legal consequences.

Effective risk management is also facilitated by sensitive data discovery and classification. Knowing where sensitive data resides and its level of sensitivity allows for targeted security measures, optimizing resource allocation. Quick identification of impacted sensitive data during a breach enhances the efficiency and effectiveness of incident response efforts.

Integrating sensitive data discovery and classification with a cryptographic inventory is essential for contextualizing cryptographic vulnerabilities. Without knowing the sensitivity of the data protected by cryptographic implementations, it’s challenging to prioritize vulnerabilities effectively. Integrating data classification results with cryptographic inventory allows for a clear understanding of which cryptographic weaknesses pose the greatest risk to sensitive data. Understanding the type and sensitivity of data protected by each cryptographic instance helps in assessing the potential impact of a cryptographic failure, guiding more informed decision-making.

4.9.1. Practical Steps for Performing Sensitive Data Discovery and Classifications

Define Data Sensitivity Criteria: Establish criteria for different levels of data sensitivity (e.g., public, internal, confidential, restricted). Develop standards and policies for classifying data based on its sensitivity and value to the organization.
Conduct Data Discovery: Use automated data discovery tools to scan databases, file systems, cloud storage, and endpoints for sensitive data. Tools like Varonis, Digital Guardian, and Symantec Data Loss Prevention (DLP) are effective. Complement automated tools with manual reviews to identify sensitive data that automated tools might miss.
Classify Data: Tag and label data according to its sensitivity and classification criteria. Ensure that all data, whether structured or unstructured, is appropriately classified. Maintain detailed records of data classifications, including the criteria used and the data owners.
Monitor and Update: Implement continuous monitoring to track changes in data sensitivity and cryptographic implementations. Ensure that the classification and inventory remain current. Schedule regular audits to verify the accuracy and completeness of both the data classification and cryptographic inventory.

4.10. Critical Systems and Assets Discovery and Classification

This process involves identifying, cataloging, and understanding the roles and criticality of all IT assets within the organization. When combined with the outcomes of a cryptographic inventory, it enables more effective and prioritized planning for transitioning to post-quantum cryptography (PQC).

Different assets play varying roles within an organization, from critical infrastructure components to less critical auxiliary systems. Understanding these roles helps determine the importance of each asset and the level of protection it requires. For example, servers hosting sensitive customer data are more critical than development servers used for testing.

Properly cataloging and classifying IT assets allows for more efficient management of resources. This includes ensuring that critical systems have the necessary performance, reliability, and security measures in place, and optimizing the deployment of less critical resources.

Knowing the configuration and vulnerabilities of each asset is crucial for maintaining a robust security posture. This information helps in identifying weak points, ensuring that all critical assets are protected against potential threats.

Combining systems and assets discovery with cryptographic inventory helps contextualize where and how cryptographic methods are used within the IT infrastructure. This integration provides a clear understanding of which cryptographic implementations are protecting the most critical systems and data.

Integrating these inventories allows for more accurate risk assessments. By understanding the criticality of each asset and the sensitivity of the data it handles, organizations can prioritize the transition to PQC for the most important and vulnerable systems.

The integration of systems and assets discovery with cryptographic inventory enables strategic planning for post-quantum migration. This comprehensive approach ensures that resources are allocated efficiently and that the most critical systems and data are protected first.

4.10.1. Practical Steps for Performing Systems and Assets Discovery and Classification

Define Asset Classification Criteria: Develop criteria for classifying assets based on their criticality, role, and the data they handle. This may include categories such as critical infrastructure, sensitive data processors, and auxiliary systems. Establish standards and policies for classifying assets to ensure consistency.
Conduct Asset Discovery: Use automated asset management tools to scan the network and identify all connected devices and software applications. Tools like SolarWinds, ManageEngine, and ServiceNow CMDB are effective for this purpose. Complement automated discovery with manual checks to validate and supplement the findings.
Classify Assets: Tag and label assets according to their classification criteria. Ensure that all hardware and software assets, whether physical or virtual, are appropriately classified. Maintain detailed records of asset classifications, including the criteria used and the asset owners.

4.11. Keep Inventories Up to Date

Once an organization has conducted comprehensive cryptographic, sensitive data, and systems and assets inventories, it is essential to keep these inventories constantly up to date. Continuous updates ensure that the organization remains aware of new vulnerabilities, changes in data sensitivity, and modifications in system configurations. This proactive approach is crucial for maintaining robust security and preparedness for quantum computing threats. This chapter outlines strategies and practical steps to maintain these inventories effectively.

4.11.1. Practical Steps to Maintain Up-to-Date Inventories

Continuous Monitoring: Implement tools such as SolarWinds for systems and assets monitoring, Varonis for data discovery and classification, and AppDynamics for cryptographic monitoring. These tools should be configured to provide real-time updates and alerts for any changes. Configure alerts for significant changes or anomalies detected by the monitoring tools. Ensure these alerts are sent to relevant personnel for immediate action.
Regular Audits: Plan for regular audits (e.g., quarterly or bi-annually) to review and verify the inventories. Ensure these audits cover all aspects of cryptographic implementations, data sensitivity, and system configurations. Conduct audits after significant changes, such as system upgrades, data migrations, or new software deployments, to ensure the inventories are updated accordingly.
Continuous Improvement Culture: Provide ongoing training for staff on the importance of maintaining up-to-date inventories and how to report changes or anomalies. Ensure that training materials are updated regularly to reflect the latest best practices and technologies. Run awareness programs to keep inventory maintenance top-of-mind for employees. Use newsletters, posters, and internal communications to reinforce the importance of accurate inventories.
Integration with Change Management: Ensure that any changes to systems, data, or cryptographic implementations are documented as part of the change management process. Use change management tools like ServiceNow to track and manage these changes. Integrate inventory updates into the change management workflow to ensure that all changes are reflected in the inventories promptly. This includes updating asset tags, data classifications, and cryptographic configurations.
Collaboration and Feedback: Facilitate regular meetings between IT, cybersecurity, compliance, and business units to discuss inventory updates and address any discrepancies. Establish feedback mechanisms, such as suggestion boxes or regular check-ins, to gather input from staff on inventory accuracy and comprehensiveness.

Maintaining up-to-date cryptographic, sensitive data, and systems and assets inventories is crucial for effective quantum readiness and overall cybersecurity. By implementing continuous monitoring, scheduling regular audits, fostering a culture of continuous improvement, integrating inventory management into change management processes, and leveraging collaboration and feedback mechanisms, organizations can ensure their inventories remain accurate and comprehensive. This proactive approach not only prepares organizations for quantum threats but also enhances their overall security posture and operational efficiency.

4.12. Perform Risk Assessment and Prioritize for Remediation

With a thorough cryptographic inventory and vulnerability assessment completed, as well as the Sensitive Data Discovery and Classification and Critical Systems and Assets Discovery and Classification, the next key step is to conduct a comprehensive risk assessment. This process will incorporate additional business context and dependencies, ensuring that quantum computing threats are evaluated within a broader organizational framework. By supplementing the above information with business impact assessments (BIAs), IT network maps, and current cybersecurity controls, you can develop a holistic view of their risk landscape.

4.12.1. Practical Steps to Performing Risk Assessment and Prioritization for Remediation

Evaluate Cryptographic Vulnerabilities: Begin by examining the results of your cryptographic vulnerability assessments. Identify which systems are at risk from quantum computing threats and categorize these vulnerabilities based on their severity and potential impact.
Analyze Sensitive Data Exposure: Assess the cryptographic systems protecting sensitive data. Determine the potential consequences if these systems were compromised by quantum attacks. This step is crucial for understanding the broader implications of cryptographic failures.
Review System and Asset Criticality: Evaluate the importance of systems and assets protected by cryptographic functions. Identify which components are critical for business operations and assess the potential disruptions or losses if they were compromised.
Map Network Exposure: Use IT network maps to understand the exposure of vulnerable cryptographic systems. Determine whether these systems are exposed to the internet, exist in semi-trusted zones, or are fully isolated within the internal network. This information is essential for assessing the likelihood of quantum threats exploiting these vulnerabilities.
Integrate Business Impact Assessments (BIA): Incorporate BIA data to understand the broader business impact of potential cryptographic failures. Identify key business processes that rely on at-risk cryptographic systems and assess the operational, financial, and reputational impacts of potential breaches.
Evaluate Existing Cybersecurity Controls: Review the current cybersecurity measures in place that may mitigate some of the identified risks. Assess the effectiveness of these controls in protecting against quantum threats and identify areas where enhancements or additional measures are needed.
Risk Score and Rank: Develop a risk scoring system to rank identified vulnerabilities. Consider factors such as severity, sensitivity of protected data, criticality of systems, and exposure to potential threats.

4.13. Develop Your Cryptographic Strategy

Developing a comprehensive cryptographic strategy is a complex and multi-faceted undertaking. With the results from the risk assessment in hand, it’s now essential to incorporate various other factors to formulate a robust and effective strategy. This process requires a thorough understanding of budget limitations, organizational risk appetite, and risk tolerance, as well as expert understanding of the various remediation and risk reduction options.

Identifying and prioritizing the replacement or upgrade of critical systems is a key aspect of the strategy. Systems that handle the most sensitive data or critical operations should be the first to transition to PQC. This prioritization ensures that the most vulnerable parts of the infrastructure are secured early, reducing overall risk. A replacement or an upgrade might not always be feasible which is why, as part of this strategy development, you have to look at various other compensatory and interim approaches.

Finally, consider leveraging the remediation effort to simultaneously achieve crypto-agility for your organization. Crypto-agility refers to the ability to quickly and efficiently switch between cryptographic algorithms and protocols as needed. This capability is crucial for maintaining robust security in a dynamic post-quantum world where cryptographic standards may change frequently. Implementing a crypto-agile framework ensures organizations can adapt to new threats and standards without significant disruptions. For more information see “Introduction to Crypto-Agility.”

4.13.1. Understanding Risk Mitigation Options

4.13.1.1. Strengthening Cybersecurity Controls

Some systems can have their risk reduced by bolstering the security controls around them. This involves enhancing isolation mechanisms and improving surrounding cybersecurity measures to lower the risk of breaches.

Network Segmentation: Divide the network into segments to limit the spread of an attack. Isolate critical systems to prevent unauthorized access.
Access Controls: Implement stringent access control measures, including multi-factor authentication and role-based access controls, to restrict access to sensitive systems.
Monitoring and Logging: Enhance monitoring and logging to detect and respond to anomalies quickly. Use intrusion detection systems (IDS) and security information and event management (SIEM) solutions to track suspicious activities.

By improving the security posture of dependent systems, the overall risk associated with the primary system is mitigated. This approach can be cost-effective and quicker to implement than replacing or upgrading cryptographic functions.

4.13.1.2. Tokenization

Tokenization replaces sensitive data with unique identifiers (tokens) that retain essential information without exposing the actual data. The actual data is stored separately and securely, reducing the risk if the tokenized data is exposed. This method reduces the risk of data breaches and complements traditional cryptographic techniques. Tokenization is particularly effective in environments where data security is critical, such as payment processing and personal data protection. By tokenizing some sensitive data, the scope of critical cryptographic systems could be reduced.

Tokenization Platform: Deploy a tokenization platform that securely maps sensitive data to tokens.
Secure Storage: Ensure the actual sensitive data is stored in a highly secure environment with robust access controls.
Data Masking: Implement data masking techniques alongside tokenization to further obscure sensitive data during processing and analysis.

Tokenization minimizes the exposure of sensitive data, reducing the potential impact of a breach. It also simplifies compliance with data protection regulations by limiting the scope of data that needs to be protected.

For more information on tokenization, see: Evaluating Tokenization in the Context of Quantum Readiness.

4.13.1.3. Vendor Dependence

For systems reliant on third-party vendors for cryptographic updates, it is crucial to engage these vendors early and ensure they are aligned with your security requirements.

Vendor Communication: Establish clear communication channels with vendors to discuss the necessity and timeline for cryptographic upgrades.
Contracts and SLAs: Update contracts and service level agreements (SLAs) to include requirements for timely cryptographic updates and quantum-resilient solutions.
Vendor Assessments: Regularly assess vendors’ capabilities to ensure they meet security standards and are proactive in addressing quantum threats.

Early engagement with vendors ensures that they are prepared to provide the necessary updates and support. This proactive approach helps avoid delays and ensures that systems remain secure.

4.13.1.4. Direct Upgrades

For systems where cryptographic modules are easily upgradeable, plan and execute these upgrades in a coordinated manner to ensure minimal disruption.

Upgrade Plan: Develop a detailed upgrade plan, including timelines, resource allocation, and testing phases.
Testing and Validation: Conduct thorough testing and validation of new cryptographic implementations to ensure they function correctly and securely.
Deployment: Roll out upgrades in phases, starting with non-critical systems and gradually extending to critical systems to manage risk and complexity.

Direct upgrades to quantum-resistant cryptographic algorithms ensure that systems are protected against future quantum threats. This approach can be systematically planned and executed, reducing long-term security risks.

4.13.1.5. Hybrid Approaches

Hybrid cryptographic approaches combine classical cryptography with PQC algorithms. This method leverages the strengths of both types of cryptography, using classical algorithms for performance-sensitive operations and PQC algorithms for long-term data protection. Hybrid methods allow for a smoother transition to PQC by balancing security and performance needs. It could also serve as interim, temporary measure until a full upgrade is performed. More on this below.

Hybrid Schemes: Implement hybrid cryptographic schemes that use classical algorithms for performance-sensitive operations and PQC algorithms for long-term security.
Evaluation: Continuously evaluate the effectiveness of hybrid approaches to ensure they maintain an acceptable level of security.
Transition Plan: Develop a plan for transitioning from hybrid schemes to fully quantum-resistant algorithms as they mature and become more practical.

Hybrid approaches provide a balanced solution that enhances security without significantly impacting performance. They offer a transitional strategy while full PQC adoption is being planned.

4.13.1.6. Critical Legacy Systems

In the process of mitigating risks associated with quantum threats, you will inevitably encounter systems, often legacy ones, for which no other remediation options are viable. These systems, due to their age, complexity, or bespoke nature, may not be suitable for direct upgrades, tokenization, or the application of hybrid cryptographic methods. As a result, these systems may become candidates for complete replacement. Given the potential scale and expense of such projects, it is crucial to plan for them as early as possible.

Assessment and Identification: Begin by conducting a thorough assessment of your infrastructure to identify legacy systems that are critical to business operations but cannot be feasibly upgraded to support post-quantum cryptographic algorithms. These systems often have outdated hardware and software dependencies, lack vendor support, or are so integrated into the business processes that any change poses significant risks.
Risk Evaluation: Evaluate the specific risks posed by these legacy systems. Determine the potential impact on security, compliance, and operational continuity if these systems remain unprotected against quantum threats. Assess the likelihood of these systems being targeted and the consequences of a breach.
Comprehensive Planning: Developing a replacement strategy for critical legacy systems involves comprehensive planning. This strategy should outline the scope of the replacement, timelines, required resources, and projected costs. Given the complexity and scale of these projects, involve cross-functional teams including IT, security, compliance, finance, and business units from the outset.
Budgeting and Resource Allocation: Secure the necessary funding and resources to support these large-scale projects. Replacement of critical systems can be extremely costly and resource-intensive, often requiring new hardware, software, and significant integration efforts. Early budgeting and allocation ensure that the project does not stall due to financial constraints.
Vendor and Solution Evaluation: Evaluate potential vendors and solutions that can replace the legacy systems. Look for solutions that are not only compatible with your current environment but also offer future-proofing against evolving cryptographic standards. Ensure that chosen vendors have a proven track record in delivering complex system replacements.
Phased Approach: Implement a phased approach to replacing critical legacy systems. If possible. This methodical process helps manage risks and ensures minimal disruption to business operations. It allows for incremental testing and validation of new systems before full-scale deployment.
Integration and Testing: Thoroughly test new systems to ensure they integrate seamlessly with existing infrastructure and business processes. Validate that the new systems meet all security, performance, and compliance requirements. Continuous testing and validation are crucial to identifying and resolving issues early.

Addressing such legacy systems ensures that even the most vulnerable parts of the infrastructure are secured. Planning for their replacement minimizes long-term security risks and aligns with future-proofing the organization’s IT landscape.

4.13.2. Practical Steps for Cryptographic Strategy Development

Assess Budget and Risk Appetite: Understand the financial constraints and risk tolerance of the organization. This understanding will guide prioritization and ensure that the strategy is realistic and aligns with organizational goals.
Evaluate Interdependencies: Carefully consider the business and financial interdependencies, in addition to technical interdependencies evaluted in previous steps. Changes in one area can impact another, and spending limited budget on one initiative might reduce available resources for others. Plan for these interdependencies to avoid unintended consequences.
Categorize Remediation Options: Based on the risk assessment, categorize cryptographic systems into different remediation buckets described above.
Develop a Phased Implementation Plan: Based on comprehensive inventories and the related risk assessment, create a detailed phased implementation plan outlining steps, timelines, and resources required for transitioning to PQC. Begin with pilot projects in non-critical systems to gain insights and gradually extend to more critical systems.
Prioritize Critical Systems: Focus on systems handling the most sensitive data and operations. Develop a roadmap for upgrading or replacing these systems with PQC-ready solutions to minimize risk and ensure data protection.
Implement Hybrid Cryptographic Methods: Balance security and performance by using classical algorithms for real-time, performance-sensitive operations, and PQC algorithms for long-term data protection. This approach helps maintain operational efficiency while enhancing security.
Enhance Data Security Through Tokenization: Replace sensitive data with tokens to reduce the risk of exposure. Tokenization acts as an additional security layer, complementing your overall cryptographic strategy and protecting critical information.
Build a Crypto-Agile Framework: Establish a framework that allows for rapid adoption and deployment of new cryptographic algorithms. Update cryptographic libraries, protocols, and systems to support easy integration and replacement of cryptographic methods, ensuring your organization can quickly adapt to new threats and standards.

4.14. Hybrid and Interim Strategies for Protecting Data Against Quantum Threats Without Implementing Full Post-Quantum Cryptography

While post-quantum cryptography (PQC) is being developed and standardized, some users may be reluctant to adopt these new technologies prematurely due to the risks and complexities associated with non-standardized systems. However, there are strategies available to protect data immediately against future quantum threats without immediately implementing PQC. These approaches should be considered as a part of your comprehensive post-quantum strategy.

4.14.1. Retained Shared Secrets

One such strategy involves the use of retained shared secret data in the key derivation process, supplementing the key material obtained from public key operations. Retained shared secrets approaches, which leverage concepts from from protocols like ZRTP (Zimmermann Real-time Transport Protocol), rely on pre-shared pieces of information that are known only to the communicating parties. Unlike keys derived from public key infrastructure (PKI), which are vulnerable to quantum attacks, retained shared secrets are not exchanged over potentially insecure channels and therefore remain secure even against quantum adversaries. By combining these secrets with the key material obtained through traditional public key operations, users can enhance the security of their cryptographic systems.

The key derivation process involves generating cryptographic keys from a combination of inputs. In this strategy, the derived key is constructed using both the retained shared secret and the key material from a public key operation (e.g., RSA or ECC). This dual-input approach ensures that even if the public key operation is compromised by a quantum computer, the retained shared secret provides an additional layer of security, making it significantly more difficult for an attacker to derive the full cryptographic key.

ZRTP is an example of a Retained Shared Secret approach. It’s a cryptographic key-agreement protocol mostly used in VoIP (Voice over IP) communications, designed by Phil Zimmermann. It establishes a secure communication channel by combining Diffie-Hellman key exchange with retained shared secrets. The protocol is independent of the underlying transport layer and works by exchanging hashed values of the shared secret over the communication channel. Key steps in the protocol include:

Initial Key Exchange: During the initial setup, ZRTP performs a Diffie-Hellman key exchange to establish a session key.
Hash Comparison: The parties compare short authentication strings (SAS) derived from the session key to verify the integrity of the exchange.
Retention of Shared Secret: The protocol allows for the retention of shared secrets between sessions, which are used to strengthen the key exchange in subsequent communications.

Security benefits of the approach include:

Forward Secrecy: ZRTP provides forward secrecy by ensuring that session keys are ephemeral and not stored long-term.
Resistance to Man-in-the-Middle Attacks: The comparison of SAS ensures that any tampering with the key exchange is detected by the communicating parties.
Enhanced Security with Retained Secrets: By retaining shared secrets, ZRTP enhances the security of subsequent sessions, making it more resilient to potential attacks, including those from quantum computers.

4.14.1.1. Retained Shared Secrets: Viable Interim Solution?

The approach provides immediate enhancement of security. Implementing retained shared secrets does not require a complete overhaul of the existing cryptographic infrastructure. Organizations can integrate shared secrets into their current key derivation processes, providing an immediate boost to security.

While not entirely quantum-proof, retained shared secrets add an additional layer of security that quantum computers cannot easily compromise. This approach delays the impact of quantum threats on critical communications and data.

Implementing this strategy comes with specific practical considerations. One major drawback is the need to maintain and securely store pairwise shared secret data. Each pair of communicating entities must have a unique shared secret that they retain over time. This requirement imposes a stateful architecture, where systems must remember and manage previous interactions. Consequently, this approach is best suited for environments with a limited number of peers, such as a closed network of trusted devices or partners, rather than open, large-scale systems with numerous and dynamic connections.

In real-world applications, this strategy can be particularly useful for systems that already maintain state and have relatively stable and limited sets of peers. For instance, within an organization, internal communications between critical systems can employ retained shared secrets to bolster security without needing immediate PQC adoption. Similarly, secure channels between long-term business partners or between a company and its remote offices can benefit from this approach, ensuring that their communications remain secure.

4.14.1.2. Practical Steps to Implement Retained Shared Secrets:

Establish Secure Initial Communication for Key Exchange and Secret Sharing: Use a secure initial communication channel to exchange the shared secrets. This could be done in person, over a secure phone call, or using a pre-existing secure channel. Generate strong shared secrets using a high-entropy random number generator (or a QRNG) to ensure they are difficult to guess or brute-force.
Store Shared Secrets Securely: Store the shared secrets in a secure, encrypted form using a hardware security module (HSM), secure enclave, or a well-protected software solution. Ensure that only authorized entities have access to the shared secrets and implement strict access controls and audit logging.
Integrate Shared Secrets into Key Derivation: Use a robust key derivation function (e.g., HKDF – HMAC-based Extract-and-Expand Key Derivation Function) that can combine the shared secret with the key material from public key operations. Ensure that the KDF is resistant to known cryptographic attacks and follows best practices for security.
Implement Stateful Systems: Design your systems to maintain state, ensuring that the shared secrets are persistently stored and managed. Implement mechanisms to manage the lifecycle of shared secrets, including rotation, expiration, and revocation procedures.
Limit the Set of Peers: Restrict the use of retained shared secrets to a limited set of trusted peers. This reduces complexity and enhances security. Establish policies and procedures for managing the peer group, including adding and removing peers securely.
Regularly Rotate Shared Secrets: Implement regular rotation of shared secrets to minimize the risk of long-term exposure. Automate the rotation process where possible. Ensure that new secrets are securely distributed and stored, replacing the old ones without service interruption.
Monitor and Audit: Continuously monitor the usage of shared secrets and key derivation processes to detect any anomalies or unauthorized access. Conduct regular audits of the system to ensure compliance with security policies and to identify any potential weaknesses.
Educate and Train Staff: Provide training for staff on the importance of secure key management and the specific procedures for handling retained shared secrets. Ensure that all relevant personnel understand the security implications and operational requirements of using shared secrets.

4.14.2. Hybrid Cryptographic Schemes

Hybrid cryptographic schemes combine classical and quantum-resistant algorithms to provide an additional layer of security. By using both types of algorithms together, organizations can ensure that even if one is compromised, the other remains secure. For instance, a hybrid scheme could involve using RSA or ECC for key exchange alongside a quantum-resistant algorithm like lattice-based cryptography. This approach leverages the strengths of both types of cryptography, providing a more robust security framework.

In practical terms, implementing a hybrid scheme involves setting up a key exchange protocol that derives a shared secret from both the classical and quantum-resistant algorithms. This shared secret can then be used for subsequent symmetric encryption, ensuring that the data remains secure even if one of the key exchange methods is broken by a quantum attack.

Hybrid cryptographic schemes are particularly suitable for scenarios where immediate quantum resistance is desired without completely overhauling the existing cryptographic infrastructure. They are ideal for: securing long-term data such as classified government information or long-term financial records; for high-value transactions; for security during a transition period towards PQC.

While hybrid cryptographic schemes offer enhanced security, they also come with several challenges:

Increased Complexity: Combining classical and quantum-resistant algorithms adds complexity to the cryptographic protocols, which can increase the risk of implementation errors.
Performance Overhead: The use of multiple cryptographic algorithms can lead to increased computational overhead, impacting the performance of cryptographic operations.
Compatibility Issues: Ensuring compatibility between classical and quantum-resistant algorithms can be challenging, particularly when integrating with existing systems and protocols.
Cryptographic Key Management: Managing and securely storing multiple cryptographic keys for different algorithms can complicate key management processes.

4.14.2.1. Practical Steps to Implement Hybrid Cryptographic Schemes

Choose Appropriate Algorithms: Select both classical and quantum-resistant algorithms that are well-suited for your specific use case. For instance, pair RSA or ECC (Elliptic Curve Cryptography) with a quantum-resistant algorithm like a lattice-based cryptosystem (e.g., Kyber or NTRU).
Design Key Exchange Protocol: Develop a key exchange protocol that incorporates both classical and quantum-resistant methods. A typical approach is to generate two separate key pairs (one classical and one quantum-resistant) and use them in parallel to derive a shared secret.
Combine Keys: Use a key derivation function (KDF) to combine the keys obtained from both classical and quantum-resistant key exchanges. This combined key can then be used for subsequent encryption operations. For example, you might XOR the two keys or use a more complex KDF to ensure that the resultant key benefits from the security properties of both inputs.
Integrate into Existing Systems: Ensure that the hybrid scheme can be integrated into your existing cryptographic systems and protocols. This might involve modifying existing libraries and applications to support the additional quantum-resistant operations.
Performance Optimization: Optimize the performance of the hybrid cryptographic operations to minimize the impact on system efficiency. This could involve selecting more efficient quantum-resistant algorithms or optimizing the implementation of the hybrid protocol.
Testing and Validation: Rigorously test the hybrid cryptographic scheme to ensure that it meets security requirements and performs as expected. This should include both functional testing to verify correctness and performance testing to assess the impact on system resources.

4.14.3. Ephemeral Key Exchange

Ephemeral key exchange refers to a cryptographic process where temporary keys are generated for each session or transaction. These keys are used only for the duration of the session and then discarded, providing enhanced security by ensuring that even if keys are compromised, they cannot be used to decrypt past communications. This technique is particularly important for ensuring forward secrecy, which means that compromising one key does not affect the security of past sessions. In protocols like TLS (Transport Layer Security), ephemeral Diffie-Hellman (DHE) key exchanges can be employed to ensure forward secrecy.

4.14.3.1. Practical Steps to Implement Ephemeral Key Exchange

Choose a Suitable Protocol: Select a protocol that supports ephemeral key exchange. Common protocols include TLS (Transport Layer Security): Versions 1.2 and 1.3 support ephemeral Diffie-Hellman (DHE) key exchange; SSH (Secure Shell) supports ephemeral key exchanges to secure remote login sessions; IKE (Internet Key Exchange) for IPsec supports ephemeral key exchange for establishing VPN tunnels.
Configure the Protocol for Ephemeral Key Exchange: Ensure your TLS configuration uses cipher suites that support DHE or ECDHE (Elliptic Curve Diffie-Hellman Ephemeral). Example cipher suites include TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_DHE_RSA_WITH_AES_256_GCM_SHA384.
SSH Configuration: Configure SSH to use ephemeral key exchange methods such as diffie-hellman-group-exchange-sha256. Update the SSH configuration file (/etc/ssh/sshd_config) to include these methods.
IPsec Configuration: Configure the IKE settings to use ephemeral Diffie-Hellman groups. Ensure that the IPsec policy includes options like modp2048 or modp3072 for stronger ephemeral key exchanges.
Implement Key Exchange Mechanism: During the session initiation, generate ephemeral key pairs for each party involved in the communication. Use a secure random number generator to ensure the keys are unique and unpredictable.
Perform Key Exchange: Exchange the public components of the ephemeral keys using the chosen protocol. Both parties use their private keys and the received public key to compute a shared secret.
Derive Session Keys: Use a key derivation function (KDF) to derive session keys from the shared secret. These session keys are then used for encrypting and decrypting the communication for the duration of the session.
Discard Ephemeral Keys After Use: Once the session ends, securely discard the ephemeral keys. Ensure that no ephemeral key material is retained in memory or storage.
Key Management Practices: Regularly update the system’s key management policies to ensure ephemeral keys are handled securely. Conduct periodic audits to verify that ephemeral key exchange practices are followed correctly.
Monitor and Maintain: Monitor the implementation of ephemeral key exchanges to detect any anomalies or security issues. Use intrusion detection systems (IDS) to identify potential breaches related to key management.
Regular Updates: Keep the cryptographic libraries and protocols updated to protect against emerging threats. Ensure that the latest security patches are applied to maintain the integrity of the key exchange mechanisms.

4.14.4. Split Key Encryption

Split key encryption, also known as secret sharing, involves dividing a cryptographic key into multiple parts and distributing these parts among different parties. Each part of the key is useless on its own and requires a certain number of parts to be recombined to reconstruct the original key. This approach ensures that no single entity holds the complete key, making it significantly harder for an attacker to compromise the encryption.

An example of this is Shamir’s Secret Sharing scheme, where a key is split into several pieces, and only a subset of these pieces is needed to reconstruct the key. This method can be used in conjunction with other cryptographic techniques to enhance security and protect against quantum threats.

Like the other schemes here, implementing Split Key Encryption has its challenges. For example, the process of splitting and reconstructing keys adds complexity to the cryptographic system. Securely managing and distributing the key shares requires robust key management practices. And, the additional computational steps involved in splitting and reconstructing keys can impact performance.

4.14.4.1. Practical Steps to Implement Split Key Encryption

Choose a Secret Sharing Scheme: For example, Shamir’s Secret Sharing is one of the most widely used secret sharing schemes. It splits the secret into parts such that any threshold number of parts can be used to reconstruct the secret. Or, Blakley’s Scheme is another method that uses geometric intersections to share secrets.
Define Parameters: Threshold (k) – The minimum number of shares required to reconstruct the secret; and Total Shares (n) – The total number of shares to generate.
Generate Key Shares: For example, using Shamir’s Secret Sharing: Choose a Prime Number (p) larger than the secret. Then construct a polynomial of degree k-1 where the constant term is the secret. Finally, evaluate the polynomial at n different non-zero points to generate the shares.
Distribute Shares Securely: Use secure channels (e.g., encrypted email, secure file transfer) to distribute the shares to different parties. For highly sensitive keys, consider distributing some shares physically (e.g., on USB drives) in secure locations.
Store Shares Securely: Encrypt each share before storage to provide an additional layer of security. Implement strict access controls to ensure that only authorized entities can access the shares.
Reconstruct the Key: To reconstruct the key, any k shares are sufficient. Gather the required (at least k) number of shares. Apply Lagrange interpolation to reconstruct the polynomial and retrieve the secret.
Regular Rotation and Management: Periodically regenerate and redistribute key shares to minimize the risk of long-term exposure. Regularly audit the management and access of key shares to ensure compliance with security policies.

Conclusion

The journey towards quantum resistance is not merely about staying ahead of a theoretical threat but about evolving our cybersecurity practices in line with technological advancements. Starting preparations now ensures that organizations are not caught off guard when the landscape shifts. It’s about being informed, vigilant, and proactive – qualities essential to navigating any future technological shifts.

Quantum Upside & Quantum Risk - Handled

My company - Applied Quantum - helps governments, enterprises, and investors prepare for both the upside and the risk of quantum technologies. We deliver concise board and investor briefings; demystify quantum computing, sensing, and communications; craft national and corporate strategies to capture advantage; and turn plans into delivery. We help you mitigate the cquantum risk by executing crypto‑inventory, crypto‑agility implementation, PQC migration, and broader defenses against the quantum threat. We run vendor due diligence, proof‑of‑value pilots, standards and policy alignment, workforce training, and procurement support, then oversee implementation across your organization. Contact me if you want help.

Talk to me Contact Applied Quantum

Marin November 1, 2021

3 hours read

Table of Contents

1. Introduction

2. Practical Reasons for Preparing Now for the Quantum Threat

2.1. The Inevitability of Technological Progress

2.2. The Complexity of the Transition

2.3. The Longevity of Data

2.4. The Threat to Digital Integrity (Trust Now, Forge Later)

2.5. The Longevity of Digital Infrastructure

2.6. Regulatory and Compliance Pressure

2.7. Maintaining Customer Trust and Competitive Edge

2.8. Enhancing Overall Cybersecurity Maturity Today

2.9. Cyber Insurance and Legal Considerations

2.10. Competitive Advantage and Industry Leadership

2.11. Talent Attraction and Internal Culture

2.12. Opportunities for Innovation

3. The Challenges of Adopting Post-Quantum Cryptography (PQC)

3.1. Algorithm Maturity and Standardization

3.2. Performance and Infrastructure Impact

3.3. Implementation Complexity and Ecosystem Readiness

3.4. Compliance and Certification Uncertainty

3.5. The Sheer Cost and Effort Involved

4. What Not to Do: Common Pitfalls in Quantum Readiness

4.1. Don’t Panic-Buy “Quantum-Safe” Solutions

4.2. Don’t Overreact and “Lock Down” Data Prematurely

4.3. Don’t Assume “The Vendors Will Handle It” for You

4.4. Don’t Treat PQC Migration as “Just Another Patch Tuesday”

5. What You Should Do: A Step-by-Step Quantum Readiness Plan

5.1. Secure Executive Mandate and Budget for the Program

5.1.1. Practical Steps for Engaging Senior Leadership

5.2. Establish a Cross-Functional Quantum Readiness Team

5.2.1. Practical Steps to Build and Structure the Team

5.3. Launch an Organization-Wide Quantum Awareness Campaign

5.3.1. Practical Steps to Execute the Awareness Campaign

5.4. Engage External Entities for Collaboration and Knowledge Sharing

5.4.1. Work with NIST and Standards Organizations

5.4.2. Collaborate with National Cybersecurity Agencies

5.4.3. Engage Academia and Research

5.4.4. Join Industry Consortia and Peer Collaboration

5.5. Notify and Prepare Third Parties (Vendors, Partners) Early

5.5.1. Practical Steps to Manage Third-Party Quantum Risk

5.6. Set Up Governance to Integrate Crypto, Data, and Asset Inventories

5.7. Perform a Comprehensive Cryptographic Inventory

5.7.1. Anticipated Challenges in Cryptographic Inventory

5.7.2. Survey of Useful Cryptographic Inventory Tools

5.7.3. Approach: Combining Automated Tools with Manual Effort

5.7.4. Practical Steps for Performing the Crypto Inventory

5.8. Assess and Prioritize Cryptographic Vulnerabilities

5.8.1. Methods for Vulnerability Assessment of Cryptographic Implementations

5.9. Discover and Classify Sensitive Data

5.9.1. Practical Steps for Sensitive Data Discovery and Classification

5.10. Discover and Catalog Critical Systems and Assets

5.10.1. Practical Steps for Systems and Assets Discovery and Classification

5.11. Maintain Up-to-Date Inventories (Continuous Monitoring)

5.12. Conduct a Quantum Readiness Risk Assessment and Prioritize Remediation

5.12.1. Practical Steps to Perform Risk Assessment and Prioritization

5.13. Develop a Comprehensive Cryptographic Transition Strategy

5.13.1. Understanding Risk Mitigation Options (Key Focus Areas)

5.14. Pilot, Implement, and Iterate – The Roadmap to Quantum Safety

Conclusion and Key Takeaways

1. Introduction

2. Practical Reasons for Preparing Now

2.1. The Inevitability of Technological Progress

2.2. The Complexity of Transition

2.3. The Longevity of Data

2.4. The Longevity of Digital Infrastructure

2.5. Regulatory and Compliance Requirements

2.6. Maintaining Public Trust

2.7. Enhancing Overall Cybersecurity Maturity

2.8. Insurance

2.9. Competitive Advantage

2.10. Cybersecurity Talent Attraction

2.11. Opportunity for Innovation

3. Challenges with Post Quantum Cryptography (PQC)

3.1. Algorithm Maturity and Standardization

3.2. Performance Challenges

3.3. Implementation Complexity

3.4. Compliance and Regulatory Challenges

3.5. Cost

3. What You Shouldn’t Do

3.1. Avoid Panic Buying of Solutions