More than half of all quantum-safe programs are now led by the CTO office or heads of technology transformation, rather than security teams, signaling a fundamental shift in how organizations are approaching the coming threat of quantum computing. This is not simply a matter of swapping algorithms; an IBM study reveals a parallel to the early, often failed, strategies of cloud adoption, where architectural needs were overlooked. “The data is never complete,” observes Antti Ropponen, Global Quantum Safe Transformation Leader at IBM Consulting, noting that system inventories rapidly become outdated, changing within two weeks. Instead of striving for a perfect assessment, organizations are urged to prioritize a risk-based approach to this transformation, integrating quantum-safe standards into existing IT cycles to avoid accruing further technical debt.
Inventory Paralysis Mirrors Early Cloud “Lift and Shift” Approaches
This shift in ownership reflects the scale of the undertaking, demanding coordination across numerous application and platform teams, and moving beyond the limitations of a siloed security approach. The current struggle with quantum-safe migration, according to Antti Ropponen of IBM Consulting, closely resembles the pitfalls of early cloud adoption in the early 2000s. Organizations then frequently pursued strategies of simply migrating workloads without addressing fundamental architectural flaws. A key obstacle currently facing enterprises is a condition exacerbated by the sheer volume of interconnected systems, tens of thousands in many cases, and the ephemeral nature of accurate data. Rather than striving for a perfect, static inventory, Ropponen advocates a risk-based approach, prioritizing areas of greatest concern. This pragmatic strategy acknowledges the dynamic environment and allows organizations to focus resources where they matter most. The parallels to early cloud migrations are striking; simply swapping algorithms, without redesigning underlying frameworks for crypto agility, is a flawed strategy.
CTO-Led Ownership Reflects Enterprise Transformation Scope
The evolving ownership of quantum-safe programs signals a fundamental re-evaluation of organizational security strategies; an IBM study reveals that only 11% of these initiatives are currently led by Chief Information Security Officers. A decisive majority, over half, now reside within the purview of Chief Technology Officers or heads of technology transformation, demonstrating a shift from viewing quantum security as a purely defensive measure to recognizing it as a broad architectural undertaking. Organizations frequently pursued strategies of simply swapping algorithms, a pattern Antti Ropponen of IBM Consulting identifies as repeating itself. He explains that this approach disregards the critical need for crypto agility and redesigned frameworks capable of adapting to evolving standards. “You want to get funding for something small now, which avoids the future rework cost,” he notes, highlighting the long-term financial benefits of proactive implementation.
You want to get funding for something small now, which avoids the future rework cost.
Quantified Risk Reduction Drives Multi-Year Migration Funding
Antti Ropponen, IBM Consulting’s Global Quantum Safe Transformation Leader, observed a critical turning point during a risk assessment for a South European bank, realizing the challenge extended far beyond mathematical complexities to encompass organizational and architectural shifts. Ropponen explains that the current approach to quantum-safe migration often repeats this mistake, overlooking the necessity for crypto agility and adaptable frameworks capable of evolving alongside emerging standards. Ownership of these programs is also undergoing a notable transition, with an IBM study revealing that only 11% are led by the CISO, while over half now reside within the CTO office or technology transformation teams. Securing multi-year funding requires a shift in justification, moving away from abstract counts of potential threats toward quantifiable metrics demonstrating risk reduction over time.
It seems to be that the data is never complete.
