
Ownership is paramount in addressing the quantum-in-cyber risk

  • Writer: Alexey
  • Jul 31, 2023

For an organisation to thrive, quantum-in-cyber risks must not only be identified and tracked but also assigned to the right owners – and it isn't always the IT department.


Remember Y2K? For some, it's nostalgia; for others, it's a perplexing chapter of the past. The US shelled out an impressive $100 billion to brace for this ambiguous event. Even though the anticipated chaos didn't unfold, the Y2K saga demonstrated the world's readiness for unprecedented threats. Today, we're confronted with the quantum-in-cyber risk, also known as Y2Q. It is similar to Y2K in how widespread it is, but it brings much higher consequences if not remediated. This isn't a typical IT vulnerability confined to an application or a process; it's a pervasive threat with business-wide implications.




Quantum-in-cyber risk represents a legacy problem but a very specific one. Addressing such risks isn't just about the availability of better technology solutions – in this context, post-quantum encryption algorithms. Equally, if not more critical, it is about business decisions and overarching risk management strategies.


Effective risk management is often thought of as identifying and tracking risks, seamless integration with reporting systems, continuous scrutiny by auditors, and engagement with the organisation's second line of defence. Is it enough? The cornerstone is determining the #owner of the risk. Ownership is paramount in numerous processes, with risk management being no exception. Without a clear owner, strategies often derail, projects are delayed, and implementations fail. In terms of ownership, it's vital to differentiate between responsibility and ownership. For instance, a Subject Matter Expert (SME) might be tasked with mitigating a quantum risk in a specific system, but that doesn't necessarily make them accountable for the broader quantum-in-cyber risk across the organisation.

Here's a handy rule to check the appropriateness of the ownership. It originates from common sense, which states that if someone is given a task, they should have the authority and resources to do it. In the realm of risks, this translates to having the autonomy to make decisions, whether that means avoiding, transferring, reducing or accepting the risk. If an individual cannot make such determinations, they're likely just responsible, not the actual owner. Looking at the most challenging decision, often involving #avoidance, can be a genuine time-saver in finding the right owner.


For a more comprehensive discussion, please consult our extended publication - https://www.ey.com/en_au/cybersecurity/quantum-in-cyber-risk-is-real-inaction-is-no-longer-an-option


I appreciate Robert Martin's efforts in helping me put this article together.

 
 
 



© 2025 by Alexey Bocharnikov
