Quantum Readiness Indexes provide organisations with a means to compare their progress against industry peers and prepare for the future. With several such indexes already in place, they help organisations adopt consistent approaches to assess quantum security risks, inform strategic and board-level decisions, and benchmark against others in their sector. Accenture, IBM, and the Cyber Security Agency of Singapore are making significant efforts on this front. Beyond their direct purpose, these indexes reveal much about the state of the industry.

1. Indexes' existence highlights both the lack of standardisation and the demand within the industry

Cybersecurity space is full of "indexes"; they are just called differently. Combined with maturity models (like CMMI) designed to measure progress in implementing cyber capabilities, frameworks (like the NIST Cybersecurity Framework (CSF) or the CIS Critical Security Controls) can be considered indexes of a sort.

Standardisation is essential and offers numerous benefits, but it is inherently slow. Current frameworks do not address many of the emerging risks. In the case of the quantum risk, it leads to double negative effects.

• You are not protected against the threat until you have measures to reduce the associated risk. Luckily, most threats, except for quantum-related ones, are effectively reduced once appropriate capabilities are in place; thus, the risk is only during the period before implementation. In quantum security, however, the situation is worse.

• With regards to a quantum security risk, you remain unprotected even after capabilities implementation. Attacks like the "harvest now, decrypt later" attack expose organisations to risk even after measures are implemented. Waiting for standardisation before taking action can result in continued exposure because data that has already left the premises remains beyond control.

1. The demand for indexes also indicates challenges in communication between technical teams and management

   
   

Technical owners, such as PKI service owners or directors of infrastructure, may struggle to convey the scale and essence of the problem to management. While it may be obvious to them that significant investment is needed to mitigate enormous risks, their efforts may not resonate. If direct communication is unsuccessful, referring to industry peers becomes a natural next step, but without an index (or benchmark), this is difficult. Hence, the efforts and interest in developing indexes.

1. Indexes serve to measure industry maturity, but more work and coordination needs to happen

Taking the most recent publication from IBM, in which survey data was presented, results of organisations' readiness for quantum security. Unsurprisingly, most companies are at the beginning of the journey, with efforts primarily focused on discovering capabilities. Surprisingly, many project that it will take 12 years to rebuild their environment, but given the quantum risk timeline and standardisation announcements yet, they are still just starting off the journey.

Unfortunately, the report lacks a clear outline of how the index operates, offering only high-level topics that constitute the index. It also doesn't specify how many organisations have not started or are just at the very beginning stages. While it would be tempting to state that 500 organisations have already begun (which is the number surveyed), there is no data to support this claim.  

Accenture is developing the Quantum Security Maturity Index, aiming to provide more clarity on calculation methods and leveraging the cybersecurity capability maturity model to guide work in a commonly understood direction within cybersecurity. This work has yet to be made public, but Accenture isactively engaging with industry peers to test and fine-tune the approach. You can sign-up here.

Additionally, the CSA is working on a Quantum Readiness Index, although they have yet to fully launch their efforts.

There are probably other index efforts that I am not aware of. Post in the comments if you know where other similar activities are underway.

Overall, the emergence of indexes is a positive development. It helps increase awareness, bring the issue to the board level and emphasise that others are taking action while some are not. Simultaneously, it helps to outline the strategic plan. The existence of such indexes underscores the importance of taking action; for organisations that have not yet started, this could serve as a warning sign.