COMMENTARY
One of cybersecurity’s major pitfalls is assuming that risks will always stay the same. Failing to consider emerging threats has harmed the security field. When varied threats that are time-tested and successful already exist, like ransomware, phishing, or business email compromise, security professionals often don’t consider that new risks arise daily.
The Quantum Computing Risk Assessment Conundrum
A quantum computing risk assessment is challenging to conduct because no professional in the security space has been able to identify, with precision, how many years it will take until an algorithm like AES-256 (a popular symmetric cipher that is often the topic of encryption resiliency debates) is found to have flaws. Instead, the field has relied on very vague definitions and estimates, ranging from 10 years to 30 years down the road. Industries and legislators are postponing the goal of becoming cryptographically agile by decades, using two excuses: "we have time" and "we do not know when this risk will be realized." Nevertheless, the time to prepare with cryptographic agility legislation is now, and even without it, businesses that adopt the model have a distinct competitive advantage.
The Importance of Preparation
The cybersecurity field is fortunate to have adequate notice; it must prepare before quantum computing emerges and alters the trusted algorithms that technology has relied on.