The quantum clock is ticking: How quantum safe is your organization?

Over the next several years, quantum computing capabilities will jeopardize widespread public-key cryptography (PKC) algorithms such as RSA and Diffie-Hellman. In fact, any classically encrypted communication is already vulnerable to exfiltration. That’s because threat actors are already harvesting encrypted communications with the intention of decrypting that data once quantum decryption solutions are available—a technique known as “harvest now, decrypt later” attacks.

The digital economy is dependent on cryptography for establishing and maintaining safe, secure exchanges of value. Once quantum computers become cryptographically relevant, sensitive data—such as financial information, personally identifiable information, phone data, network communications, and intellectual property—could be compromised. The result? Significant financial losses—and worse, a critical loss of trust with customers, partners, and stakeholders. In other words, trust itself is now under threat.

“Adopting new technologies like generative AI involves balancing enablement with inherent risks. It's important for all organizations to recognize that exposure to quantum threats exists independently of their adoption of quantum computing.”

—Sujith Surendranathan, Director, Database Security and Data Protection at Sun Life 

In short, implementing quantum-safe cryptography is not just sound in terms of security practices. Given our growing dependency on cryptography for the security and safety of our digital world, transitioning to quantum-safe cryptography is essential to preserving the integrity of digital trust mechanisms as a whole.

Recognizing this challenge, the IBM Institute for Business Value (IBM IBV), in partnership with Oxford Economics, surveyed 565 CxOs across 15 countries and 13 industries—all representing organizations with a minimum $250 million in annual revenue. The IBM IBV then analyzed these responses to develop a Quantum-Safe Readiness Index. This index is based on a systematic assessment of organizations’ quantum-safe readiness. Assessment outcomes are intended to inform and guide strategic stakeholders about the timeliness and urgency of their quantum-safe transformation efforts.
 

Perspective: Understanding the IBM Quantum-Safe Readiness Index The IBM Quantum-Safe Readiness Index (QSRI) assesses the global state of readiness for security in the quantum era, as measured by the readiness of individual organizations. The QSRI is intended to help leaders and stakeholders understand how their organizations are progressing in their quantum-safe initiatives. The QSRI evaluates 14 activities, or indicators, across three key areas: quantum-safe discovery, observability, and transformation. Scores provide an indication of the organization’s relative progress in their journey to becoming a quantum-safe organization. These 14 indicators are grouped into the three categories below and weighted based on IBM’s subject-matter expertise and experience with clients. Scores are calculated based upon a 100-point index, with 100 representing the maximum possible score. The QSRI is intended to assess (and re-assess) the quantum-safe readiness of an organization, industry, or region over time. Quantum-Safe Readiness Index As of the date of this study, global organizations average a score of 21 on a 100-point scale—in other words, they are currently at a low level of quantum-safe readiness. We have designated organizations with the highest QSRI scores—the top 10%—as Quantum-Safe Champions (QSCs). QSCs scored 33 or above, with 44 being the highest score attained by any organization. Given quantum safety is only now gaining more visibility—with many organizations still in the planning stages—the quantum-safe readiness score is most influenced by early-stage activities such as the organization’s discovery capabilities. Over the past 18 months, IBM subject-matter experts have noted a distinct rise in the awareness and importance leaders are placing in quantum-safe transformation. Our expectation is that Quantum-Safe Readiness Index scores will rise as awareness continues to grow. As well, the Index itself with evolve as the technology matures. The average quantum-safe readiness score: 21 out of 100 Measuring progress toward quantum-safe readiness

Overall, organizations in our survey expect that, when starting from their current levels of quantum preparedness, it will take 12 years to fully integrate quantum-safe standards into their business. In fact, national security guidance requires full compliance with Post-Quantum Cryptography for National Security Systems by 2035. When considering those requirements—along with the lead time needed to identify cryptographic assets and dependencies, implement new standards, and align with partners—the time to begin quantum-safe initiatives is now.

In this report, we explore how Quantum-Safe Champions are driving not only outperformance overall, but a forward-looking mindset that’s innately attuned to establishing a quantum-safe culture. We highlight how QSCs cultivate a thriving talent ecosystem. Then, we dive into how, when compared to their counterparts, QSCs report more resilient operations now—and anticipate greater resilience against quantum-enabled security risks. We include steps at the end of each section outlining how organizations can bolster their cybersecurity defenses, as they make plans to implement pending quantum-safe standards. We explain some of the ancillary benefits associated with quantum safety, and how they can position quantum safety as a strategic differentiator.