Quantum computing’s threat to cryptography makes many cyber experts in the financial services sector nervous. But Jaime Gomez Garcia, Global Head of Santander's Quantum Threat Program and Chair of Europol's Quantum Safe Financial Forum, thinks stoking anxiety around quantum is the wrong approach. He says cyber leaders should pose quantum resilience as “basic cybersecurity hygiene” — because, in reality, it is — prioritize use cases, and invite risk managers to the conversation. But most importantly, the sector must coordinate its efforts because, as Garcia says, we have to do this together.
Transcription (edited for clarity)
Elizabeth Heathfield, Chief Corporate Affairs Officer, FS-ISAC: Welcome to FS-ISAC's podcast, FinCyber Today. I'm Elizabeth Heathfield, Chief Corporate Affairs Officer at FS-ISAC.
Quantum computing is a major buzzword, but given the uncertainty about when it will actually be real and relevant, many in the financial sector put it further down the list of priorities compared to what they need to do to protect their firms and customers today. Jaime Gomez-Garcia, Global Head of Santander's Quantum Threat Program and Chair of Europol's Quantum Safe Financial Forum has another approach — getting risk and compliance managers to buy into a timeline for cryptographic maturity, potentially even leaving the word quantum out altogether.
Heathfield: Jaime, thank you so much for joining us on our podcast. I'm excited to talk to you. One of the things that I've had a lot of conversations about with experts and CISOs in the industry is PQC and quantum readiness and crypto agility. And one of the things I thought was interesting about what you said, is that if you approach getting buy-in for cryptographic transition from a fear, uncertainty, and doubt perspective, it's going to be a lot harder to get buy-in across the organization for something where we don't know when it's going to happen. It may or may not happen soon. And obviously CISOs have a lot of other very urgent challenges that they need to face. So it often slips down the priority list. What is an effective approach for thinking about a cryptographic transition that needs to happen?
Jaime Gomez Garcia: Well, first of all, Elizabeth, thank you very much for having me here today. I'm enjoying the FS-ISAC Summit and it's a pleasure sharing this conversation with you and with everybody in the audience. So, yeah, you're right. So far, there has been a lot of messaging about the impact that quantum computers will have on cryptography based on fear. Although the roadmap of quantum computers is evolving and the major vendors are committing to their roadmaps, there's still somehow a certain level of uncertainty, if I may repeat the word, to answer the question when a cryptographically relevant quantum computer is going to exist.
That poses a very reasonable question: Why should I address a transition in cryptography when I have so many other things to do on top of my table? And I think those are not the right messages. And after 2024, we now have more handles to hold to try a different kind of messaging. So first thing, we already have since August 2024, new standards, new algorithms standardized by NIST. Those are replacement algorithms for the quantum vulnerable cryptography that we use today, like RSA, elliptical cryptography, et cetera.
More important than that, NIST has already announced its intention to deprecate an important part of the quantum vulnerable algorithms that we use today by 2030 and disallow a lot of them by 2035. So those are no longer uncertain dates. Those are facts. So maybe we should remove the word quantum from the transition to post-quantum cryptography topic. Because in the future, we are not going to call this post-quantum cryptography. We're just going to call this obligated cryptography. And now we are transitioning from one [class of] algorithms that we know are going to have a vulnerability in the future — well, in some sense, they have it now — to other algorithms that are believed not to have that vulnerability. And we have specific deadlines to do that. So it is not about quantum. It is about proper cryptographic management.
And so about messaging, I think that that is more sensible because the first thing that an organization needs to do is mature its cryptographic management. I compare this a lot with vulnerability management. So if you think about it, 15 years ago, we just patched systems if absolutely needed. And now we do that as BAU [business as usual]. Well, it was tough in the beginning, but today it's all over. It’s just a basic practice in cybersecurity. More or less the same roadmap we're going to have for cryptography. Nobody has managed cryptography in the best way so far because we have trusted cryptography. It was a complex topic. It simply worked so don't worry about it. Now we need to worry about it.
We need to manage it and make this transition. But most of the things that we need to do are basic cybersecurity management hygiene. And that is something more easy to explain and more easy to sell. And there is a timeline for that. The algorithms that we use today are not going to be compliant to standards somewhere between 2030 and 2035. So can we just risk not being compliant? And that is a very different question than what has happened if enough wake comes in.
Heathfield: Right, it's not a doomsday scenario anymore. It's a compliance and risk management scenario, which is more familiar to financial firms on how to manage that. And I think that that's very probably a welcome message for a lot of CISOs, right? They know how to talk about that. They know who they need to speak to. And they know that they need to get the buy-in from those people when it's like, ‘no, we just need to be compliant with the NIST standard’. So we say that we're compliant with the NIST standard and it's very like SOP.
Gomez Garcia: And so if you think about it, and it also provides a message that is closer to risk managers and to compliance managers. So you basically make them embrace the project as well.
Heathfield: I mean, I think that's very interesting. The one thing that I would say, as somebody who comes from the Comms side, is that, you know, when you hear the word quantum, everybody perks up, everybody's ‘but quantum, we have to deal with that!’ or whatever. So would you say, do you think you need to completely remove the word quantum from the conversation? Or do you use [quantum] to grab everybody's attention, but then quickly sort of pivot to ‘well, this is really just our standard risk management and compliance processes that we've been doing for many years. We just now need to apply it to this cryptographic standard.’
Gomez Garcia: I think that has happened already in the conversation. So quantum has attracted a lot of interest and in fact it is the origin of this. If we didn't have quantum computers, we would not have this issue. As we mature in the understanding that this is not about quantum computers, that this is about proper cryptographic management, you just go eliminating the word quantum. It is still there because it is the original reason. But it is less relevant.
One thing I love from DORA, DORA has two articles specifying that financial organizations in Europe need to have proper cryptographic management. And everything that you read, there are the recommendations that are made to do the transition to quantum safe cryptography. But in those requirements, you're not going to find the word quantum anywhere. It doesn't exist. So the word doesn't need to exist.
Heathfield: You threw out a couple of dates, 2030, 2035. Do you think those are the dates of the NIST standard? Do you think those are the dates that financial firms should be managing to? Or does it vary? How would you advise firms to be thinking about the timelines?
Gomez Garcia: The discussion of the timeliness in the financial sector is an ongoing discussion topic and we still need to see if we as a sector are going to create our transition timeline. That is going to be hugely useful to provide coordination because we are global companies, the economy is hugely interconnected, there's interoperability everywhere and that interoperability is based on cryptography. So that coordination is a very important topic. I don't know if 2030 and 2035 are the key dates in those timelines, but certainly they are very important measures that we need to consider.
Heathfield: Different standards have slightly different dates and slightly different emphases. And obviously a lot of the firms in FS-ISAC are operating in multiple jurisdictions. How should firms think about which standards they're focusing on, which timelines, and which priorities?
Gomez Garcia: So here there is an issue. Different organizations in different countries, national security agencies, et cetera, are providing their timelines. There's a difference in scope, in who they are addressing. But also, you can feel that there is some kind of misalignment between all those recommendations.
So this creates some level of uncertainty on what should a global organization do. Probably the easiest answer is that you're going to abide by the most strict recommendation that applies to your jurisdictions. Because probably doing a transition at different speeds in different geographical areas inside a single organization might be complex to manage. So, organizations might need to follow all those recommendations in the more strict way. Probably if we as a sector can agree on this is the global time for the financial sector, that would facilitate all of us saying, well, in this respect, the financial sector is not going to be strictly adhering [saying] ‘this one is going to be more relaxed’ for a specific set of use cases.
Because if you think 2030, it is simply impossible to have made everything by 2030. But if we identify what use cases are critical in the financial sector, maybe we can agree that those are completed or almost completed by 2030. And then we leave some things to 2035. But I think if we as a sector identify the archi-milestones related to the criticality, the risk related to specific use cases, I think we will be able to —
Heathfield: — mostly adopt it as a sector, right? Prioritize. So can we talk a little bit about this prioritization? Because yes, we're working as a sector, but firms are also pushing ahead on their own. So what would you say are the critical use cases that need to come first, that firms need to be focusing on as their top priority? And what can we do later? Is it internet-facing versus non-internet-facing? How would you advise firms to think about this?
Gomez Garcia: So you need to identify what are your priorities. I use a model where I identify different use cases that I have, [asking how long] is the validity of that data going to last. For instance, ‘the data in this application is going to be valid and needs to be secure for seven years.’ Or it is just immediate use and you use it and you drop it. Second idea is how available is that data to a third party that might be a threat actor? And the third factor would be what would be the impact if the risk materialized on that use case?
So if you consider all these three values, you can get a risk score for that use case. That gives you an initial hint of what is more important to address. By the way, when I do that analysis, the answer is that the most critical thing is not harvest now, decrypt later, despite what everybody's saying. When I look at that, I'm more concerned about digital signatures in contracts.
So digital signatures are normally in contracts that may be long-lasting. They are available to any third party because you sign them with third parties. And if your signature becomes vulnerable, it means that an attacker could potentially create any document and [it will look] as if it was signed by you.
Heathfield: So like a mortgage agreement —
Gomez Garcia: Like a mortgage or whatever. And that would have an operational impact in the sense that every single document that you signed with that signature in the past —
Heathfield: — would be invalid. Wow. Interesting.
Gomez Garcia: That's interesting. But then you need to add in another factor, which is what actions can you take? Are you autonomous in doing something about that? Or do you have external dependencies, like from a vendor or whatever? So if you think about detailed contracts, they are in PDFs. Are PDF readers PQC ready today? No, they are not. So you need to understand that roadmap.
So probably that's one thing that even though it is a high risk, you cannot do anything about it today except planning for it. But you cannot implement it today. Whereas, for instance, web services on the internet, they're also relatively risky. But PQC key exchange in TLS is available. We do it today, even though many people do not know yet. But if you browse to Google.com with any modern browser, you're going to see that your key exchange is quantum safe already.
So you can work, for instance, today on your web services on internet-facing assets. Probably it is going to be simple to do that as well on your internal web services.
Heathfield: So you have to make this assessment across these factors, realize what you can do, then prioritize it based on, I guess, a risk score plus, I don't know, actionability.
Gomez Garcia: Actionability. I think that's the way I call it.
Heathfield: Who knew? That's interesting because I feel like at least there's a roadmap for what to do, right? And it's actually not — it may be hard to round that up, but what you actually have to do is not terribly difficult. At least you know. What other steps do you think firms need to be taking now to be preparing? Do they need to be briefing their risk and compliance teams about new standards? What are the big, major steps that you think firms should be taking?
Gomez Garcia: Okay, so probably the very first step is to generate a quantum-safe transition program, or quantum threat, or whatever you want to call it. Because without that program, you are not going to be doing anything.
Heathfield: Do you call it a quantum-safe transition program or do you call it a cryptographic maturity model or something?
Gomez Garcia: We called it initially at Santander a quantum threat program. Being more positive, I think we would call it today a quantum-safety program or something like that. I'm not in the mood of changing the name.
But the first thing you need to do is get that buy-in. And so a critical thing to do is not to treat this just as a cyber security topic but also involve, for instance, risk managers. So is quantum safety a part of your global risk management framework in your organization? That's the question you have to ask. So you have to go and talk to risk managers. When you do that, maybe they think that this is a long-term risk. And then you need to have a conversation — ‘Yeah, it is a risk that impacts in the future. But your capability to do something about it is only now.’
Because this is going to be a multi-year project. It's going to be 10 years easily. So you should start now and avoid what I call crypto procrastination. The more you crypto-procrastinate, which is delaying the initiation of the project, the more complex the migration is going to be because you are going to compress this timeline.
So that's first thing. Once you get that buy-in, you create the project, you do it. You also need to identify who you are going to be working with. So here comes a talent teaching. You're going to need to upskill all your IT and cybersecurity teams so that they understand what they are configuring when they configure cryptography. And they understand why your cryptography standard is updated. My perception is that in many cases, cryptography configurations are just being copied over from older configurations. So you do not update them. And people do not understand what they're doing when they configure it. So there's a need for upskilling.
And then inventories. There's two kinds of inventories. One, the kind of inventory that everybody talks about is having an inventory of your cryptographic assets. Obviously, you need to have an understanding of what your migration landscape is going to look like. And you need to have that. My opinion is that that needs to sit in your CMDB because your cryptographic assets are IT assets, and so you need to put them in correlation with all the other IT assets.
But making that inventory is a complex task. It's going to take you a lot of time. Probably you're never going to have it 100% complete. So there is a different kind of inventory that is more important, which is the inventory of use cases — understanding how your business processes leverage cryptography. And that's where you can start doing the prioritization that I mentioned before. Because if I know I got an RSA 2048 key here in that box, well, I know there is a key there. I know if it is compliant with my policies or not. But do I know what that key is doing?
Heathfield: And you know how critical it is.
Gomez Garcia: Do I know what is the impact if that key is lost or whatever? I do not have a business perspective on what that key is doing. So I need to first understand what the use case is.
Heathfield: What else do firms need to know right now? You mentioned that, you still call it a quantum program. But if firms were starting from scratch —
Gomez Garcia: Quantum safety.
Heathfield: Quantum safety program, but if firms were starting from now, should they just be calling it a cryptographic maturity program? Or if they really hadn't started at all yet, what would be your advice on how they should be framing this?
Gomez Garcia: I love what you just said. I think one needs to be brave today to sell eliminating completely the word quantum. But in fact, it is a cryptographic maturity program. So I invite everybody to call this cryptographic maturity.
Heathfield: Yes, I'll take the credit for it. It's only from listening to you, though, that that’s what comes to my mind, because actually it's something that we think about in cyber a lot, right? How mature are we at this particular thing — managing DDoS or whatever? So how mature are we if we just adopt that language, then it becomes, as you say, like business as usual. And it may be easier to start the ball rolling. It does still seem like quite a large undertaking.
Gomez Garcia: The word quantum is a little bit sexy.
Heathfield: Yeah, it's still sexy. Yeah. So, well, it's up to whoever the initiator is, right, to assess what makes sense. Do you still use quantum to get the attention of the decision makers, or does it actually make more sense in your organization to make it feel like [post quantum cryptography is] just another process that we need to go through the same way that we've been through it with all of our other maturing.
Gomez Garcia: Yeah, it's maturity.
Heathfield: Anything else that you want to say? I think it’s a really interesting and fascinating conversation.
Gomez Garcia: I would like to encourage everybody there in the audience that this is an important topic. And what I see today out there is that despite many people’s concern on the importance of the transition to quantum cryptography, it's a huge complexity. This is going to take a very long time. Awareness is growing, but still we are lacking in engagement. I encourage everybody to engage.
Also, there is another very important thing. This is not competitive at all. So if anybody thinks this is competitive, it is kind of a cancer for the community, for the sector. If I start transitioning on my own and I do not coordinate with my peers, I will not be able to complete my transition until my peers complete their transition. Because in the end, I use cryptography to interface with peers. So either we go coordinated or this is going to be much more complex. So this is where we should collaborate. We should share experiences. Also, I think that at a global scale, the sector cannot afford having different speeds — large organizations leveraging their capability to do the transition and the rest of the world at another speed — because it would happen the same. Would the big organizations be able to just disconnect from the rest of the world? We have to do this together. So it's something that we have to do together.
Heathfield: Well, that's very much in line with our FS-ISAC ethos in the first place, but I think in this case specifically. And you know our PQC Working Groups have been really amazing and one of the most active and the most prolific Working Groups that I've ever seen in terms of really trying to gather everybody, get the best experts in there, and then get out the standards in a public way so that the entire sector, whether they're FS-ISAC members or not, can adopt them.
Gomez Garcia: And to drive that collaboration, everybody in the audience can join the Post Quantum Cryptography Working Group in FS-ISAC, which is wonderfully led by Mike Silverman, and also the Europol Quantum Safe Financial Forum. I have to say that those Working Groups are not duplicated efforts. We are very closely coordinated. And yeah, join us.
Heathfield: All right, thank you so much. That was really an interesting, fascinating conversation.
Gomez Garcia: Thank you very much, Elizabeth.
FinCyber Today is a podcast from FS-ISAC that covers the latest developments in cybersecurity, contemporary risks, financial sector resilience and threat intelligence.
Our host Elizabeth Heathfield leads wide-ranging discussions with cybersecurity leaders and experts around the world who bring practical ideas on how to confront cyber challenges in the financial sector, improve incident response protocols, and build operational resilience.
Amid the clutter and noise, FS-ISAC Insights is your go-to destination for clarity and perspectives on the future of finance, data, and cybersecurity from C-level executives worldwide.
© 2025 FS-ISAC, Inc. All rights reserved.
Jaime Gómez García is a recognized expert in telecommunications, blockchain, and quantum technologies, with an extensive professional background within the financial sector. His contributions as a disseminator of quantum technologies and their consequential influence on enterprises, notably within the financial domain, have garnered him recognition as a LinkedIn Top Voice and Quantum Top Voices in 2022-2024, and the 2025 Keyfactor Quantum Leap Award. Currently, Jaime serves as the Global Head of the Santander Quantum Threat Program, addressing the transition to a quantum-safe economy. Additionally, he holds the role of Chair of the Europol Quantum Safe Financial Forum, working to facilitate collaboration and coordinate the transition to quantum-safe cryptography within the financial sector.
Elizabeth is a storyteller at the intersection of technology and money. Layer in geopolitics and the criminal underworld and you get today's issues in cybersecurity for the global financial system. Crypto. Web 3.0. Quantum. AI. Ransomware. Privacy. Regulation. Zero-days. Supply chain attacks. Developing new and diverse talent. How to protect the future of money. These are the topics Elizabeth asks top executives and experts in the field about on FinCyber Today.