Our CSO Ben Packman recently joined Alex Hearn of The Economist for a Fireside chat at the 4th Annual Commercialising Quantum event, London on 13-14th May. The theme was – “Unlocking the quantum supply chain: overcoming the chicken and egg impasse” and it certainly sparked an interesting discussion.
Perhaps the biggest take-away and one which resonated the most with our audience was this – Quantum safety starts with your supply chain. Ben explained how the transition to quantum-safe cryptography isn’t just a technical hurdle for individual enterprises; it’s deeply intertwined with the security of their entire supply chain. In fact, for most CISOs and enterprises, a staggering 80% of the cryptography they need to migrate for quantum safety lies outside their direct control, embedded within the products and services provided by their vendors. Think about it – who upgrades the core cryptography in your network devices? Not your internal team, but the vendor.
While this reliance on vendors might seem daunting, it actually plays to a CISO’s existing strengths. Working collaboratively with vendors is a well-honed skill for security teams. The real challenge, however, lies in the widely accepted “step one” of post-quantum cryptography (PQC) migration: crypto discovery and inventory. For many, cryptography remains a “black hole,” and the prospect of meticulously mapping every instance of it across their sprawling digital landscape feels overwhelming.
This brings us to a classic chicken and egg scenario. Enterprises are struggling to understand their cryptographic landscape, and therefore aren’t clearly articulating their PQC needs to vendors. Vendors, in turn, aren’t feeling the pressure to prioritize PQC integration. This lack of progress has a knock-on effect in the boardroom and PQC migration is often then perceived as a “two CEO problem,” too far down the line to require immediate action. If CISO’s come to the table with a tangible plan, starting with a PQC supplier audit at the very least, it then becomes much easier to secure executive support in the long term. “Here’s the problem and the timeline. We have clear visibility on X% of the solution, we’re confident that Y% is already being addressed by our key vendors, and we now need your support to close the remaining gap.” This type of proactive and solution-oriented communication can be a game-changer for securing vital board support.
We need to pivot and adopt a starting point for PQC migration that enterprises can readily grasp and act upon. Ben explained how we should be focusing initial efforts on one of two key areas:
How does the approach change for different vendor types?
To find out more, please get in touch and we would be delighted to talk this through further with you and your organization.
Link to Press Release
Perhaps the biggest take-away and one which resonated the most with our audience was this – Quantum safety starts with your supply chain. Ben explained how the transition to quantum-safe cryptography isn’t just a technical hurdle for individual enterprises; it’s deeply intertwined with the security of their entire supply chain. In fact, for most CISOs and enterprises, a staggering 80% of the cryptography they need to migrate for quantum safety lies outside their direct control, embedded within the products and services provided by their vendors. Think about it – who upgrades the core cryptography in your network devices? Not your internal team, but the vendor.
While this reliance on vendors might seem daunting, it actually plays to a CISO’s existing strengths. Working collaboratively with vendors is a well-honed skill for security teams. The real challenge, however, lies in the widely accepted “step one” of post-quantum cryptography (PQC) migration: crypto discovery and inventory. For many, cryptography remains a “black hole,” and the prospect of meticulously mapping every instance of it across their sprawling digital landscape feels overwhelming.
This brings us to a classic chicken and egg scenario. Enterprises are struggling to understand their cryptographic landscape, and therefore aren’t clearly articulating their PQC needs to vendors. Vendors, in turn, aren’t feeling the pressure to prioritize PQC integration. This lack of progress has a knock-on effect in the boardroom and PQC migration is often then perceived as a “two CEO problem,” too far down the line to require immediate action. If CISO’s come to the table with a tangible plan, starting with a PQC supplier audit at the very least, it then becomes much easier to secure executive support in the long term. “Here’s the problem and the timeline. We have clear visibility on X% of the solution, we’re confident that Y% is already being addressed by our key vendors, and we now need your support to close the remaining gap.” This type of proactive and solution-oriented communication can be a game-changer for securing vital board support.
We need to pivot and adopt a starting point for PQC migration that enterprises can readily grasp and act upon. Ben explained how we should be focusing initial efforts on one of two key areas:
- - Your Crown Jewels Data: Identify the data you care about most deeply, with a long enough lifespan to be vulnerable in the context of quantum computing and “harvest now, decrypt later” (HNDL) attacks. Personally Identifiable Information (PII) is a prime example.
- - Your Most Challenging Scenarios: Pinpoint the scenarios that present the most significant migration hurdles. This could for example include memory and bandwidth-constrained edge devices that are difficult or impossible to upgrade in the field.
How does the approach change for different vendor types?
- - Large Infrastructure Vendors (Cisco, Palo Alto, AWS, Microsoft, etc.): For this group, PQC adoption is a matter of “when,” not “if.” US government mandates are driving their timelines, and everyone else will benefit. Engage with them to understand their timelines and integrate these into your refresh programs and new procurements.
- - SaaS Type Solutions: This is a diverse landscape, but the good news is the presence of multiple competitors and the subscription-based commercial model. You have significant leverage to demand PQC readiness. Once one vendor moves, others will likely follow suit.
- - The “Middle Ground”: These vendors often have longer-term contracts or are medium-sized enterprises in niche or slower-growth industries. They may have less inherent incentive to prioritize PQC. These are the vendors that require the most immediate and focused attention.
To find out more, please get in touch and we would be delighted to talk this through further with you and your organization.
Link to Press Release