Quantum Safe Cybersecurity: What CISOs Need to Know [2025 Edition]

Much ado about quantum computing?

With back to back news about significant breakthroughs in quantum computing last year, the ongoing race between our current cryptographic standards and super power computers that can decrypt them in minutes is inching closer than ever before.

In fact, according to cybersecurity experts, quantum computers with capacity to break current security algorithms such as RSA and Elliptic Curve Cryptography, are predicted to exist within the decade.

But what is important for this upcoming year?

In this guide, we review updates, NIST framework tips, and recommendations for security leaders (as well as security teams) to read and keep in mind.

Interested in reading more threat intelligence? Read about supply chain threats here.

Quantum computing v. classical encryption algorithms

Our current digital security infrastructure is largely based on the private-public key model, wherein one public key is derived from a private key using complex mathematical problems that take classical computers years to solve.

However, with advancements in quantum computing, these complex mathematical problems could potentially be solved in hours. However, this leaves a large part of our security systems, such as digital signatures, digital certificates, and encrypted communications exposed to quantum attacks by hackers and ransomware groups with access to such technology.

For cybersecurity professionals, this means legacy systems that run on asymmetric encryption could become obsolete, requiring a large scale overhaul of fundamental technologies our businesses are based upon.

Hackers who currently use the ‘Store Now, Decrypt Later (SNDL)’, a form of attack that aims at capturing and storing as much encrypted sensitive data as possible, spell trouble in a future when quantum attacks are a more pernicious threat.

Is quantum key distribution (QKD) the answer?

Can anything proactively be done when it comes to mitigating these types of cyber threats?

For one, replacing our current key distribution systems with quantum key distribution may be a worthy solution.

This is a system that uses the unique properties of quantum mechanics such as entanglement and superposition in order to generate and distribute cryptographic keys, which can detect the presence of an eavesdropper.

However, it is not all smooth sailing.

The security of quantum keys are derived from unique physical layers of communication and would require special purpose equipment. Though this might be crucial for highly sensitive data, the question of practicality and expense to implement it at scale, means it is not a widely accepted solution.

Another complication is a much beloved feature- the ability to detected eavesdroppers and inform the key owner to prep their incident response. This leads to potentially higher risks of denial of service attacks.

How to Prevent DDoS Attacks

Read up on our DDoS prevention guide here.

But for most organizations, a hybrid protection system or Post Quantum Cryptography (PQC) may be more useful.

Important NIST guidelines to note: Post Quantum Cryptography

In this transitional era, diving deep into quantum cryptography is not practical or cost effective for most organizations. However, most must work towards future-proofing their cybersecurity strategy, post quantum cryptography presents an interim solution.

Why is this the case?

QPC uses encryption algorithms that are resistant to quantum attacks but are executable with classical computers.

In August 2024, the US-based National Institute of Standards and Technology (NIST) published four post quantum algorithms that are to be considered the national standard. NIST is leading efforts to develop and standardize post-quantum cryptography, which aims to create cryptographic systems secure against both quantum and classical computers

These four algorithms include:

• CRYSTALS-Kyber
• CRYSTALS-Dilithium
• Sphincs+
• FALCON

These were published after over eight years of efforts and studies, focus primarily on securing digital signatures and key exchange algorithms, the bedrock of secure digital communication and data transmission.

Beyond NIST, the French national cybersecurity agency, ANSSI, has also published their views on post quantum cryptography.

Their primary recommendations for both short and medium term, focuses on hybridation.

Hybridation is a security process that combines asymmetric post-quantum algorithms with classical pre-quantum cryptography. Their research suggests despite its popularity, post-quantum cryptography has not attained the maturity required for it to be the sole basis of organization cybersecurity infrastructures.

However, the strategy of combining classical public keys with post quantum keys allows for more comprehensive cybersecurity.

Implementing PQC involves compliance and supply chain alignment

The complexity of quantum computing is only matched by the difficulties of transitioning organizations, industries and interconnected supply chain ecosystems to a quantum resistant cryptographic system.

The US Office of Management and Budget has estimated that transitioning prioritized sensitive information within the US government to post-quantum encryption will cost approximately $7.1 billion between 2025 and 2035. This extensive transition plan will require not only significant financial investment but also substantial human resources, specialized skills, and top-down leadership initiatives to implement effectively. The process is expected to be time and resource-intensive, involving the replacement of hardware, software, and digital systems that are not compliant with post-quantum cryptography standards

White House Report: U.S. Federal Agencies Brace for $7.1 Billion Post-Quantum Cryptography Migration

The finalisation of the NIST post quantum algorithms earlier this year shifted the conversation around PQC from theory to practice, giving organization a starting point to work towards. In 2025 more regulations and compliance requirements from NIST and other national cybersecurity agencies are expected to lead the charge for cross-sectoral transition. Industries which produce key components in the supply chain, such as semi-conductors, chips etc., are expected to release quantum-proof firmware in the coming year.

Further, highly regulated and sensitive industries such as the defence and banking sectors will be the first impacted by compliance requirements. Since 2022 in the United States, stakeholders in national security systems have been expected to switch to the Commercial National Security Algorithm Suite 2.0, a suite of quantum resistant algorithms by 2030.

A quick look at European roadmap coordination

Similarly, European cybersecurity agencies too are working together to implement a roadmap to foster a coordinated transition across the EU.

A work stream on PQC, co-chaired by France, Germany, and the Netherlands have been established to lead these efforts. As part of its second phase, the French security visa, a cybersecurity certification awarded to cybersecurity companies by the French government to indicate reliability and quality, will also include a metric for post-quantum cryptography.

But despite government led regulations, the private sector still faces numerous challenges.

Implementing changes will require a long term perspective, and methodological approach from Chief Information Security Officers and their teams.

What is involved in this approach?

Firstly, CISOs who want to protect their organizations against quantum threats will have to build teams that are skilled enough. They must also work within a complex supply chain ecosystem to ensure interoperability across a variety of different systems and protocols. Additionally, implementing automation and conducting thorough risk assessments will be crucial in preparing for and mitigating quantum-related vulnerabilities.

Why challenges lie ahead?

This is especially challenging as so far there are no drop-in solutions to replace classical encryption systems. over the course of the decade many organizations will be forced to invest in special quantum resistant materials (like Lattice-based, Code-based, Hash-based, Isogeny-based and Multivariate polynomial cryptography). This also means an overhaul of protocols, standards, libraries and products across these digital infrastructures.

Cybersecurity faces a critical challenge in the next decade with the “Store Now, Decrypt Later” quantum threat. Long migration periods between classical and post-quantum encryption algorithms will create significant vulnerabilities during the transition.

Despite the complexity of the matter, waiting for industry alignment to begin the transition to Post-Quantum Cryptography (PQC) is complicated.

The question of “who first?” when it comes to quantum threats is key. It should not be answered with “hackers” and “malicious actors” deploying quantum-resistant malware or targeting critical infrastructure. Organizations, lead by CIOs must proactively prepare to protect their assets and data security against these emerging risks.

Four recommendations to get started

Think of these pointers when you sit down to review things at base level.

1. Assess and prioritise your organizations critical systems and sensitive data.
2. Stay aware of evolutions in cryptography standards and regulations that might impact you or your industry.
3. Start PQC initiatives early in order to spread the financial burden over time and to stay ahead of enthusiastic hackers.
4. Initiate conversations about your providers post-quantum cryptography roadmap.

Is Crypto-agility for risk management and future proofing the only solution?

Cryptographic agility—the ability of a security system to seamlessly switch between algorithms, cryptographic primitives, and encryption mechanisms without significantly impacting the rest of the system—will become crucial as we transition to a quantum-resistant era and beyond. This flexibility will enable organizations to rapidly adapt to emerging threats and evolving cryptographic standards. It will also ensure long-term security and resilience in the face of advancing quantum technologies.

This approach allows an organization to possess control over all the components in a security system. It also helps them to understand how cryptographic algorithms are implemented. What is more is that considers how the evolution of the quantum threat is important for cybersecurity teams and beyond. But we should encourage a more granular, flexible and dynamically scalable design in security processes. Crypto-agility ensures higher levels of control and responsiveness inbuilt into internal security.

Though achieving crypto-agility may be the dream of many cybersecurity practitioners and CISOs, it is not easy. Especially considering the financial and time costs involved. The transition to a quantum resistant system may be the perfect opportunity to hardwire this strategy within your security processes. It will also help you to prep for more radical evolutions in the future.

Wrapping Up

Here are some key takeaways for better understanding Quantum Safe Cybersecurity in 2025.

• Quantum threats to cybersecurity are inevitable. Be future forward by aligning with your organizations cybersecurity strategy.
• Threats like “Store Now, Decrypt Later” can compromise sensitive data during encryption migration, creating significant cybersecurity vulnerabilities.
• Though Quantum Key Distribution may seem like the obvious answer, it may not be practical. This is due to the high financial cost and special purpose hardware needs.
• NIST along with other national and international cybersecurity agencies are leading the way through industry standardisation efforts. The four NIST-approved post-quantum algorithms are a good starting point. They cover how to protect critical systems and sensitive data from the quantum threat.
• Beyond financial costs, top-down initiative and industry alignment is necessary for the transition.
• This transition is also an opportunity to integrate crypto-agility to future proof security systems within your company.

That is it for this blog. Interested in more great technical content? Check out our latest article, What’s On the Dark Web? Your Guide to the Biggest Players in 2025.