The National Association of Corporate Directors (NACD), in partnership with the Internet Security Alliance (ISA), released today their “tool-kit” for board oversight of the transition to quantum computing. The release is to coincide with the Trump Administration’s release of Executive Order 14411 on June 22.
NACD President Gleason and ISA President Clinton are also sending a letter to each congressional and Senate office suggesting that Members of Congress share the tool-kit on Quantum preparation with organizations in their districts to assist in preparing for “Q-Day,” when Quantum systems may undermine all current cybersecurity technologies. Q-Day is anticipated by the end of the decade.
The tool-kit is part of the larger update of the fifth edition of the NACD-ISA Cyber Risk Oversight Handbook, which was released in April. The tool-kit is jointly authored by Gen. (Ret) Greg Touhill, who is currently the Director of the Software Engineering Institute at Carnegie Mellon University and formerly the Chief Information Security Officer for the US federal government, and Larry Clinton, who is President and CEO of the Internet Security Alliance.
According to the Quantum tool-kit “The pertinent question for board members is not, when will quantum arrive, but will your organization be ready when quantum arrives?”
The tool-kit provides compelling statistics on the general lack of preparedness in the corporate community for the coming quantum transition and lays out the major risks associated with lack of preparation. It also highlights some major opportunities available to organizations that engage in pro-active quantum preparation, as is called for in the Presidential EO.
The tool-kit advises that “boards cannot afford to ignore quantum risk until the technology is fully realized. Transitioning a reasonably sophisticated IT system to accommodate for quantum impacts could take years and substantial expense. It may cost several million dollars just to do the review and discovery of needed alterations and as much as twice that for planning and testing. Doing this transition retrospectively may cost many times these amounts.
Not only will delayed preparation for “Q-Day” substantially increase costs, waiting could also make adequate and timely transition impractical due to the lack of qualified technical staff.”
Much of the tool-kit consists of providing a set of questions for the Board to Consider in assessing its Understanding of Quantum including:
- Do we thoroughly understand the implications of this potentially market-disrupting technology and its impacts on our business and its strategy?
- Do we understand the risks and opportunities to our business and how quantum technology impacts our business strategy and ultimately its long-term growth and viability?
- Are we able to effectively interpret and assess management and third-party presentations on quantum technologies, as well as their answers to our questions?
The tool-kit also provides an extensive list of questions for Directors to Ask Management including:
- What’s our risk exposure if all our data can be decrypted by quantum computers? How much will it cost in time and resources to implement post-quantum cryptography?
- What decisions do we need to make to remain competitive in a quantum-enabled marketplace?
- Do we have the right talent to be successful?
- What effect will the introduction of practical quantum technologies into the marketplace have on our business? What is the impact on our business if a quantum computer can decrypt all our data?
The tool-kit is integrated with the six core principles which provide the context for the NACD-ISA handbooks. These principles have previously been independently assessed by entities including MIT, the World Economic Forum and PwC and found to generate significant pro-security outcomes.
The full tool-kit is available free of charge at NACDonline.org and ISAlliance.org. It is also available as a blog post on our website: The NACD-ISA Cyber Risk Oversight Handbook: Toolkit M – Internet Security Alliance
