How to Prepare for Quantum Cyber Threats: Insights from Deloitte’s Global QCR Leader

Spotlight Interview: Colin Soutar, Managing Director & Global Quantum Cyber Readiness Leader, Deloitte
Quantum computers are expected to bring big changes to cybersecurity, and organizations need to start preparing now. In this interview, Deloitte’s Global Quantum Cyber Readiness Leader explains what his team does, why quantum risk matters, and how companies can begin to protect their data and systems. He also shares practical steps for getting started and how this fits into broader cybersecurity efforts.
Please give us a little introduction on your current role and what you do
I am Deloitte’s Global Quantum Cyber Readiness (QCR) Leader. I lead a team of skilled practitioners that help clients mitigate the risk future quantum computers will pose to their cryptography. For about five years, we have been looking at this topic, and have been participating in discussions with industry, government, and regulators about how to achieve an orderly, industry-wide transition to post-quantum cryptography (PQC). Since then, we have seen meaningful progress with organizations starting to understand and address this risk, with a significant increase in action in the financial sector over the past year.
What do you mean by Quantum Cyber Readiness?
Quantum Cyber Readiness covers the range of actions required to prepare organizations, their systems, and data for the risks posed by a cryptanalytically relevant quantum computer (CRQC). And while this sounds very future-oriented, many of the underlying tasks to mitigate quantum risk are basic cyber hygiene. To effectively mitigate quantum risk and be cryptographically resilient, it is important to understand that this is not just a one-off implementation of PQC algorithms, but rather an opportunity to bolster cryptography management in general. That means conducting cryptographic discovery, reviewing your cryptographic policies, educating your leadership, and engaging your vendors. We believe that seeing this as merely a technical PQC implementation is likely to result in a faulty transition.
What are other drivers for organizations to mitigate quantum risk?
Understandably, many organizations think of the risk of a cryptanalytically relevant quantum computer as their core driver, which experts typically expect to arrive in at least the next 10–15 years. Other drivers that we see, and that we have covered in our report in collaboration with the World Economic Forum, Transitioning to a Quantum-Secure Economy, include regulatory pressures, competitive pressures, and a focus on general cryptographic cyber hygiene. I think that these other drivers will become more and more important throughout various sectors and will also start to play out much sooner than the quantum threat. After all, an important step in understanding quantum risk is inventorying vulnerable cryptography, which can help you reduce risks today.
What role does QCR play in relation to other cybersecurity efforts, such as PKI, ICAM, Cloud, & ZeroTrust?
Quantum Cyber Readiness is relevant to the better part of cybersecurity modernization efforts underway today as cryptographic security is the bedrock to all the layers of IT security. Threats to cryptography present significant risks to the achievements of Zero Trust (ZT), Public Key Infrastructure (PKI), Identity, Credential, and Access Management (ICAM), and Cloud initiatives. If quantum risk is not accounted for as part of current ZT efforts, much of the ZT and IT modernization efforts underway at organizations may be undermined at the most basic level. On the flip side, the visibility into dependencies and interoperability patterns provided by cryptographic inventory development can facilitate the re-architecting and verification management needed for resilient ZT, PKI, Cloud, and ICAM efforts. As such, the question to organizations is not whether to prioritize QCR, but how it can be incorporated into existing modernization and cybersecurity efforts for prudent use of resources and coordinated cybersecurity.
Cryptography is complicated and as you’ve said, Quantum Cyber Readiness is multifaceted. So, how can organizations new to this topic begin to gauge their current readiness posture?
Of course, quantum risk will have a different impact on, for example, a global bank than a medium-sized business and, as such, their quantum readiness journey will be very different. Nevertheless, we suggest that organizations at least understand the possible impact of quantum risk in their organization. This can be in the form of a cryptographic inventory, but also through assessment of your reliance on vendors for IT management and good conversations with their security teams.
For those organizations that will have a more significant quantum readiness journey, we typically assist them by creating an initial cryptographic inventory that is representative of the overall enterprise, which can translate into a strategic roadmap. This roadmap should then guide the orderly transition to PQC as well as initiatives to strengthen cryptography management in general in line with existing enterprise IT transformations ongoing.
What capabilities to focus on in a quantum readiness roadmap has not yet crystallized sufficiently in industry conversations. We believe that a standardized perspective in the industry on how to assess and mitigate quantum risk can accelerate action, especially if it is in line with existing cyber security frameworks. To that end, we recently published a NIST CSF Community Profile on Quantum Cyber Readiness, which demonstrates how quantum risk can be operationalized as part of ongoing cyber security framework improvements. We encourage security leaders to review this document and reach out to us with any feedback or questions.