Fortinet Inc.

09/22/2025 | Press release | Distributed by Public on 09/22/2025 07:09

The Security Implications of Quantum Computing: What CISOs Need to Know

CISOs possess a wide range of skill sets, but there are two in which we have been conditioned to excel. First, we're adept at understanding genuine risks that can impact our organizations. We are all used to assessing and navigating the risks posed by rapid digital transformation, the adoption of AI, the increasing attack surface, threat actors, and ransomware. Second, we're skilled at seeing through the latest overhyped issues and bandwagon-jumping technologies that promise to fix all your problems but in actuality burn valuable cycles.

On the horizon is a topic that many CISOs struggle to quantify and accept as a risk: the incredibly complex and potentially disruptive technology of quantum computing. This technology promises revolutionary breakthroughs in science and industry, but at the same time, it also presents profound cybersecurity risks because of its potential to break today's encryption capabilities.

This raises the question: Why is this not triggering alarm bells for CISOs?

Three reasons come to mind:

  • Quantum computing is complex and based on science that is difficult to understand. As Richard Feynman said, "I think I can safely say that nobody understands quantum mechanics." If a theoretical physicist and Nobel laureate thought this, what chance do we mere mortals have?
  • This new technology promises an almost unbelievable impact that could wipe out the foundations of modern digital security. Many of us are naturally disbelieving of such claims, particularly those who were around during other "foundational" risks such as Y2K. Those of us who are jaded from this and other similar past experiences may assume this issue is being overhyped.
  • There is no quantum computer that exists today that's powerful enough to decrypt modern encryption. Because it's not an immediate threat, we can deal with this later, right?

The reality, though, is that post-quantum world planning needs to begin now.

What Is Quantum Computing, and How Does it Impact Cybersecurity?

Quantum computing leverages the principles of quantum mechanics, such as superposition and entanglement, to perform computations exponentially faster than classical computers.

In practical terms, this means that quantum computers can perform multiple calculations simultaneously, which could, in the future, solve problems in seconds that would normally take traditional systems centuries.

This is good news for computational modeling, which is used in various activities, including pharmaceutical drug discovery, logistics, financial modeling, and research and development. But for the cybersecurity industry, quantum computers have the potential to break the encryption algorithms that secure today's digital infrastructure.

The Quantum Threat: Breaking Public Key Cryptography

The core risk of quantum computing lies in its potential to break the cryptography we use to protect many types of data, such as:

  • Web traffic (TLS/SSL)
  • Virtual private networks (VPNs) and secure communication channels (IPsec, SSL)
  • Email encryption (PGP)
  • Banking and digital identities

A sufficiently powerful quantum computer running Shor's algorithm could break the underlying algorithms like Rivest-Shamir-Adleman (RSA), Elliptic Curve Cryptography (ECC), and Diffie-Hellman (DH), rendering most existing secure communications vulnerable to decryption.

This isn't a theoretical risk: major nation-states and technology giants are investing billions in quantum computing. What is harder to prove are claims, such as the one made by Robert Hannigan, former director of the Government Communications Headquarters, that data is being harvested for later decryption once quantum computer power becomes a reality.

There are definitely unusual incidents that suggest it could be happening:

  • A Border Gateway Protocol rerouting incident, where traffic from Canada to South Korea was rerouted via China.[1]
  • An incident in which data from Google, Amazon, Facebook, and more than 200 networks was redirected through Russia.[2]
  • Undersea cables being tapped to intercept data.[3]

While there is no smoking gun here, these incidents pose real and growing concerns, especially for organizations with long-term data confidentiality requirements, as well as regulated industries and any business that stores intellectual property or personally identifiable information.

What Should CISOs Be Doing Today?

While organizations should absolutely be aware of and educated about quantum computing, there is no need to panic. A quantum computer capable of factoring RSA-2048 is thought by experts to be optimistically between eight and 15 years from viability.

Figure 1: Quintessencelabs Threat Timeline Report 2024

That may sound distant, until you consider:

  • Many organizations store data that must remain secure for decades (such as health records, legal contracts, intellectual property, and national security data).
  • Replacing cryptographic systems at scale requires a significant amount of time.
  • Many software applications, devices, and embedded systems have long life cycles and operate in environments that are difficult to patch.
  • Innovations are happening at a rapid rate, and a new development in computing or algorithms may accelerate that growth at any time.

Preparing for Tomorrow's Quantum Computing Challenges Today

Although quantum computers capable of breaking encryption are realistically still years away, security leaders cannot afford to wait. Strategic preparation must begin now. Here are three steps organizations should take now to prepare for the post-quantum reality:

1. Understand your cryptographic assets

Start with a crypto-agility assessment. Inventory where and how cryptography is used across your systems, including:

  • Internal applications
  • Vendor products
  • APIs and protocols
  • Certificates and key stores

Gaining this visibility is essential for crypto-agility and planning for future migrations to quantum-safe alternatives.
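As a starting point for such an inventory, the following added example (not Fortinet's code) classifies algorithm strings by whether they rely on the RSA, ECC, or DH families named above and ranks entries that protect long-lived data first. The inventory records, the `secrecy_years` field, and the eight-year threshold (the lower bound of the estimate cited in this article) are assumptions made for illustration.

```python
import re

# Public-key families the article names as breakable by Shor's algorithm.
SHOR_FAMILIES = {
    "RSA": re.compile(r"rsa", re.I),
    "ECC": re.compile(r"ecdsa|ecdh|ed25519|x25519|secp\d+|prime256v1", re.I),
    "DH": re.compile(r"(?<![a-z])dhe?(?![a-z])|diffie-hellman|modp", re.I),
}
# NIST-standardized post-quantum schemes (FIPS 203/204/205).
PQC = re.compile(r"ml-?kem|ml-?dsa|slh-?dsa", re.I)
# Assumption: lower bound of the article's 8-15 year estimate.
THREAT_HORIZON_YEARS = 8

def classify(algorithm):
    """Return (status, families) for one algorithm or cipher-suite string."""
    families = sorted(n for n, rx in SHOR_FAMILIES.items() if rx.search(algorithm))
    has_pqc = bool(PQC.search(algorithm))
    if families and has_pqc:
        return "hybrid", families  # classical and post-quantum combined
    if families:
        return "quantum-vulnerable", families
    return ("post-quantum" if has_pqc else "no-public-key"), families

def triage(inventory):
    """Rank entries: vulnerable crypto guarding long-lived data comes first."""
    rows = []
    for item in inventory:
        status, families = classify(item["algorithm"])
        long_lived = item["secrecy_years"] >= THREAT_HORIZON_YEARS
        priority = (1 if long_lived else 2) if status == "quantum-vulnerable" else 3
        rows.append({**item, "status": status, "families": families,
                     "priority": priority})
    return sorted(rows, key=lambda r: (r["priority"], -r["secrecy_years"]))

# Constructed sample inventory covering the four categories listed above.
INVENTORY = [
    {"asset": "hr-portal (internal app)", "secrecy_years": 25,
     "algorithm": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"},
    {"asset": "vendor VPN appliance", "secrecy_years": 10,
     "algorithm": "diffie-hellman-group14-sha256"},
    {"asset": "partner API", "secrecy_years": 2, "algorithm": "ecdsa-with-SHA384"},
    {"asset": "backup key store", "secrecy_years": 30, "algorithm": "AES-256-GCM"},
    {"asset": "pilot gateway", "secrecy_years": 15, "algorithm": "X25519MLKEM768"},
]

if __name__ == "__main__":
    for r in triage(INVENTORY):
        print(r["priority"], r["asset"], r["status"], r["families"])
```

Priority 1 marks entries where a Shor-breakable algorithm protects data that must stay confidential past the assumed horizon; these are the first candidates for migration planning.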

2. Engage with vendors early

Seek out vendors who proactively implement post-quantum cryptography, as this will become a critical trust differentiator as quantum computing technology advances. It's encouraging to see that many hardware and software vendors are beginning to offer quantum-resistant options or are at least sharing roadmaps for related offerings that they plan to develop.

Engage your vendors in discussions with questions like:

  • Do you support post-quantum cryptography (PQC) today?
  • Do your roadmaps include PQC?
  • Will new hardware be required?

Make PQC support part of your procurement and vendor risk assessment criteria.

3. Educate your leadership and board of directors

Communicate the strategic nature of the quantum threat to executive leadership and the board. This isn't fearmongering; it's about managing a long-term, high-impact risk with potential multi-year mitigation requirements. Ensure that these stakeholders understand:

  • The timeline of the quantum threat
  • The potential impact on data confidentiality and compliance
  • The importance of proactive planning
  • The need to make quantum computing considerations part of all procurements to avoid being locked into legacy technologies

Use this as an opportunity to align your organization's cybersecurity program more closely with the company's technology and innovation strategies.

Prepare. Don't Panic.

Quantum computing won't break your encryption tomorrow. But the steps you take today will determine your future resilience. As CISO, your role is to lead your organization toward quantum readiness with a clear understanding of the threat, a roadmap for adopting post-quantum solutions, and a commitment to crypto-agility.

The quantum era is coming. Security leaders who prepare now will future-proof their defenses, while others will be stuck playing catch-up.

Learn more about how Fortinet can support you in your quantum computing journey with a post-quantum cryptography-enabled solution today.

References:

[1] "Experts detailed how China Telecom used BGP hijacking to redirect traffic worldwide," Cyberdefense Magazine, November 12, 2018, https://www.cyberdefensemagazine.com/experts-detailed-how-china-telecom-used-bgp-hijacking-to-redirect-traffic-worldwide/
[2] "Russian telco hijacks internet traffic for Google, AWS, Cloudflare, and others," April 5, 2020, https://www.zdnet.com/article/russian-telco-hijacks-internet-traffic-for-google-aws-cloudflare-and-others/
[3] "Undersea Internet Cables: Vulnerabilities and Espionage Risks for U.S. Security?," August 12, 2025, https://www.archyde.com/undersea-internet-cables-vulnerabilities-and-espionage-risks-for-u-s-security/#espionage-risks-tapping-into-the-data-stream

Fortinet Inc. published this content on September 22, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on September 22, 2025 at 13:09 UTC.