If Quantum Computing is going to have such a profound effect on our lives why do just 5% of organisations have a defined quantum strategy in place?
That was one of the major findings in ISACA’s inaugural Quantum Computing Pulse Poll which surveyed more than 2,600 professionals globally in digital trust, cybersecurity, IT audit, governance and risk on the perceptions and preparations around Quantum Computing. The findings suggest that while the potential of Quantum Computing to disrupt algorithms that secure nearly all online transactions, including digital signatures, websites, utilities and medical records, action remains stagnant.
Jamie Norton, ISACA Board Director, said Quantum Computing “just hasn’t had the ground swell of noise that something like AI has had.
“It is as revolutionary as AI and it has the potential to completely change the way we do things with its additional computing power. We know it is not there yet and perhaps one of the reasons organisations aren’t doing anything is they can’t see it.
“There is no mini version of Quantum that they can look at to get a sense of its power. I don’t think the industry is paying enough attention to it. The real concern is this “harvest now, decrypt later” approach which is about grabbing information now and waiting for the technology to catch up. When the first
Quantum Computing does come along organisations that will need to be in a good position to at least have their critical data protected.”
He said Quantum Computing is accelerating fast, and the implications for digital trust, particularly in data-rich sectors like finance, health and government, are enormous.
“Too many Australian and New Zealand organisations remain in reactive mode and underestimate Quantum Computing’s potential to break existing encryption,” said Mr Norton. “Now is the time to assess whether you have the expertise to implement post-quantum cryptography solutions and start building internal capability. This is essential to mitigate its impact and protect sensitive data, maintain customer trust and ensure long-term business resilience.”
Transformational potential - if risk is addressed
Many respondents believe quantum technology has revolutionary potential and promises major breakthroughs with 63% expecting it to significantly accelerate computational tasks or data analysis;
- 46% anticipating revolutionary innovation; and 48% very or somewhat optimistic about its impact in their sector. Yet many also foresee new challenges:
- 63% say quantum will increase or shift cybersecurity risks
- 57% say it will create new business risks
- 52% say it will change the skills needs of businesses
- 50% say it will present regulatory and compliance challenges
Among a smaller group of Oceania respondents, all of those data points were higher by at least 10 percentage points, indicating that digital trust professionals in Australia are even more concerned about the changes and challenges quantum will bring.
Poll respondents (62%) are worried about Quantum Computing breaking today’s internet encryption before browsers and websites fully implement the new post quantum cryptography algorithms approved by the US National Institute of Standards and Technology (NIST). There’s also significant worry around the “harvest now, decrypt later” threat, where encrypted data is stolen now to be unlocked in the quantum future - 56% of respondents cited this as a concern.
Lack of awareness slowing progress
Despite 25% of respondents believing the industry-wide impact of Quantum Computing will be felt within the next five years and 39% feeling it will happen in six to 10 years, 41% say they do not plan to address quantum computing at this time and 40% are not aware of their company’s plans.
When asked how their organisation views Quantum Computing within its current technology or innovation strategy:
- 5% consider it a high priority for near-term planning
- 15% say it is on their long-term roadmap but not a near-term priority
- 19% say they have discussed it but not made any formal plans
- 37% have not discussed it at all
- 24% are unsure
Knowledge gaps are also evident. Only 7% of respondents say they have a strong understanding of the new post-quantum cryptography standards from the NIST despite the NIST working on them for over a decade; 44% had never heard of the standards.
Taking early action
More than half (55%) of enterprises have not taken steps to prepare for Quantum Computing. Of those that have, their actions include:
- Assessing regulatory or compliance implications of quantum (46%)
- Exploring quantum-safe cryptography (38%)
- Collaborating with quantum hardware/software providers or consortia (28%)
- Providing staff training and upskilling on quantum computing (27%)
- Investing in research and development or proof-of-concepts (27%)
Still, 30% of global cyber and IT professionals admit they do not have a good understanding of Quantum Computing’s capabilities, indicating the need for education and skill development.
Mr Norton said not everyone was sitting back and waiting. “There are organisations such as Telstra that are looking quite heavily at Quantum Computing.”
The Australian and Queensland governments have also invested heavily – nearly $1 billion into Silicon Valley Quantum Computing start-up PsiQuantum. The company is attempting to build the world’s first quantum computer for commercial use in Brisbane.
Mr Norton said education is key to people understanding the challenge and at least being aware of the context. “It needs to be something that an organisation has a view on and that starts at the executive level so there is sponsorship required. It is about having a plan.
“At this stage I think it is a risked based view where companies are trying to work through their strategies. Planning needs to start today so by the time 2030 or whenever it is we are at least somewhat prepared.”
ISACA’s advice on the steps to take now are:
- Educate and raise awareness.
- Inform stakeholders about the opportunities and threats of quantum computing.
- Highlight the risks of compromised data, digital signatures, transactions and communications.
- Communicate the urgency of adopting quantum-resistant encryption before it is too late and harms people and organisations.
- Develop a quantum computing encryption strategy for new and existing data.
- Update security, risk, audit and compliance policies.
- Align policies with the NIST (National Institute of Standards and Technology) post-quantum cryptographic (PQC) algorithms.
- Integrate quantum threats into existing risk assessments and security frameworks.
- Start now, as re-encryption will take time—some organisations generate or store exabytes of data
Learn more about ISACA’S Quantum Computing Pulse Poll at www.isaca.org/quantum-pulse-poll.