As the National Institute of Standards and Technology (NIST) prepares to release its long-awaited post-quantum cryptography (PQC) standards in the next few weeks, IT leaders should develop a clear strategy and lay out a multi-year roadmap to upgrade their organizations’ cryptography infrastructure and strengthen their post-quantum security posture.

“The issuance of the NIST FIPs [Federal Information Processing Standards] ... is an extremely critical milestone,” Colin Soutar, managing director of risk and financial advisory at Deloitte, told SDxCentral.

The release is expected to bring a nuanced change in the way the organization perceives the “harvest now, decrypt later” attacks and data protection. “If an organization understands or is aware that data are being stolen, even though it's not vulnerable today from a cryptographically relevant quantum computer, as soon as the standards ... are issued, there is a better way to protect it,” Soutar said.

“When we have the standards in the next few weeks, what it's doing is helping organizations to understand that there's remediation that can be done against this threat of quantum computer, in the future becoming a cryptographically relevant quantum computer, and attacking a lot of the current day asymmetric cryptography,” Soutar added. “Once the standards are out, then there's an understanding. We can start to use these to mitigate against that future attack.”

What actions should IT leaders take upon the release of NIST PQC standards? Soutar emphasized the importance of proactive measures, even before the quantum threat fully materializes.

“We still remain in this sort of uncertainty [of] when is it going to happen? It seems to be popular opinion now [it could be] five to 10 years,” Soutar said.

Laying out a post-quantum security strategy is a multi-year process.

“How long is it going to take you to take the standards [and] the algorithms, as they're published, and do all your upgrades throughout the infrastructure, your third-party dependencies, your suppliers, and so on? There are still so many aspects to that that we are still advocating the organization should be looking to address this as a risk management approach,” Soutar said.

To address quantum threats as part of an overall risk management strategy, Soutar recommends the organization take the following actions:

  • Conduct a cryptography inventory: Discover where cryptography is used throughout the organization.
  • Identify critical data/“crown jewels”: Determine the most important data and transactions that need prioritization.
  • Prioritize upgrades: Decide which cryptographic upgrades are most critical and which can be addressed later.
  • Conduct detailed discovery and look for the right tools: Select appropriate tools to upgrade the infrastructure, third parties, and suppliers.
  • Integrate strategy with organizational mission: Align cryptographic upgrades with the company's broader objectives to ensure coherent planning and execution.
“It's going to take many years to get these all upgraded,” Soutar said.

Deloitte advocates for a voluntary update Soutar notes two emerging themes based on common questions from Deloitte's clients: the need for clear guidance and “guardrails” on definition, funding, and adoption; and the importance of understanding the real-world impact of quantum threats.

“We're starting to see a little bit more now around … confidentiality, integrity, and availability,” Soutar said. “I think there'll probably be more use case stories to help people understand what this really means.”

That’s part of the reason why Deloitte advocates that the adoption of PQC standards should initially be voluntary and self-govern risk management updates, rather than mandated compliance.

“I hope that it will be more of a voluntary risk management approach that will be taken, in an ideal world … this should really be a boring, perfunctory upgrade to cryptography,” Soutar said. “But I think to get there it needs to get maybe some additional board-level attention.”