Quantum computing and the board: Managing risk, migration and opportunity

Intro: Welcome to the Corporate Director Podcast, where we discuss the experiences and ideas behind what's working in corporate board governance in our digital tech-fueled world. Here, you'll discover new insights from corporate leaders and governance researchers with compelling stories about corporate governance, strategy, board culture, risk management, digital transformation, and more.

Meghan Day: Hello, and welcome back to the Corporate Director Podcast, the voice of modern governance. My name is Megan Day, strategy leader at Diligent, and I'm joined by Kira Ciccarelli, senior manager of research at Diligent Institute. Kira, how are you today?

Kira Ciccarelli: I'm pretty good, Megan. Happy to be here with you.

Meghan Day: Well, we're gonna dive right into it because we have...

I mean, meaty is an understatement in terms of the topic today. We have a topic today that frankly, I know nothing about, which is why I made you do this interview. And that topic is quantum computing.

Kira Ciccarelli: Well, I'm afraid we maybe weren't that much better off with me doing it- ... because I, I also know next to nothing, and I made that very clear to Aaron Kemp, who we got the chance to interview about it.

He, thankfully, knows a lot more.

Meghan Day: Well, I think the reason why we wanted to talk about this and have Aaron on the show today is that there is some board-level conversations starting to percolate around quantum computing, but I think boards are probably a lot like us. They're trying to understand what they need to know, what they need to know today versus what they might need to know three, four, five years down the line.

Kira Ciccarelli: Yeah, absolutely. I remember several years ago we got a request from a Diligent friendly to ask some questions about quantum computing as part of our Director Confidence Index, which is our quarterly pulse survey of US public company directors. I wanna say this was 2022 or 2023, and at the time I was like, "I don't even know what that is.

I doubt any directors do, and I don't know that we should even be asking about it." And it seems like that is changing, uh, in a big way. Well, let's give this interview a listen. Sounds good.

Joining us on the Corporate Director podcast today is Dr. Aaron Kemp, US Quantum Leader for KPMG. Aaron, welcome to the show.

Aaron Kemp: Thank you for having me. It's great to be here.

Kira Ciccarelli: To start off, before we get into our interview topic for the day, could you introduce yourself to our listeners and tell us a little bit more about your background and your current role?

Aaron Kemp: Absolutely. Uh, Aaron Kemp. I'm a senior director in our enterprise innovation emerging tech group. So we are responsible for figuring out what's coming down the line next and what boards and the C-suite need to be thinking about technology-wise. Uh, currently, I am leading our US quantum computing group, uh, both in quantum security and quantum research.

We are, uh, actively pursuing what's coming for the NIST migration, um, and kind of the post-quantum security requirements, and also looking at what quantum computing is going to afford organizations as the computers come into their own. My background is very much in the cybersecurity realm. I spent a lot of time doing classified cybersecurity.

I'm also a retired naval aviator, so I spent some time flying anti-submarine helicopters before I found my way to quantum computing about eight years ago.

Kira Ciccarelli: So for our audience who might not be familiar, um, maybe we should start by talking a little bit about what quantum computing actually is and how is it different from the types of computing that underpins most corporate technology today?

Aaron Kemp: Yeah, that's a great question. I think it really is something to distinguish about quantum computing. I know there's a lot of hype in the market about what quantum is going to do. It's going to replace all our computers, and that's really not true. Quantum computing is a new modality of computing leveraging how physics work at the quantum scale, and it is a new way of processing from what we traditionally call classical computing.

So if you think bits that we're all used to, those zeros and ones that we've built everything around, a quantum computer is fundamentally different. It has what we call a qubit, a quantum bit, and that becomes the methodology for processing. But those qubits have some really unique properties imbued on them from physics of they can be in a superposition, which is where they're in a state where they can be zero, one, or probabilistically anything in between those two.

They can also be entangled with each other, so they ef- one affects another. And that kind of superposition combined with entanglement provides us a different kind of compute power where the quantum computer is able to accomplish things that a classical computer theoretically can't. We interestingly just had quantum advantage, which is when a quantum computer does something that a classical computer cannot do, supposedly happen.

Uh, IBM and another organization called Q-CTRL announced that a couple weeks ago. So we are in this interesting area now where these computers with those kind of physics powers are pr- doing a, doing work that a classical system cannot. But this does not mean that a, uh, that a classical computer is going away.

You're not gonna be replacing your phone with a quantum phone. You're not gonna be replacing your laptop with a quantum computer. Quantum computers are very good for niche problems, for very small subsets of problems, things like portfolio optimization, uh Drug research, chemical research, material science.

Uh, the traveling salesman problem is actually one of the big ones that they think it's gonna be good at. So not gonna replace everything, but is really gonna afford organizations the opportunity to perhaps move into areas where their current classical optimizations can't go any further because you run out of computing power.

Um, so long-winded answer to a very different computer.

Kira Ciccarelli: So you mentioned, um, there's maybe a lot of hype around quantum computing, both as an opportunity and a threat, and you're kind of saying, "Look, it's not gonna replace all of the classical computing that we see currently." So where are we actually on the quantum timeline, and what are some of the key developments in your mind over the next few years that boards should be watching the most closely?

Aaron Kemp: So I think you have to divide quantum into two pieces when you talk about this. You've got the quantum security aspects of this, which is the post-quantum cryptography and the current migration that a lot of organizations are beginning, and then you've got quantum computing. So on the quantum computing side, we are seeing algorithmic jumps.

We're seeing that initial quantum advantage, and we're really starting to see the research move into an actionable place where organizations can see gains by using a quantum computer. Probably still not mainstream enough to make it a part of a day-to-day organization, uh, how they process, but really more of a it's time to begin researching and exploring because the early adopters will have advantage when those quantum computers get here.

On the security side, it's a much different story. So our current cryptography, things like RSA, ECC, are susceptible to a quantum computer through something called Shor's algorithm. We've known about that algorithm since 1994, but we didn't have the computers to actually implement it, and we are just beginning to move into the phase where our computers are at scale where we can do that Organizations think that's going to happen sometime between 2028 and 2033, and that kind of puts a large amount of pressure on the board to go through this migration.

Um, we're seeing some key indicators from big players. Uh, in the last few weeks we've seen Cloudflare and Google come out and say what was in originally a 2035 timeline mi- for migration needs to now be 2029. Uh, and that is because of improvements in the error correction on the computers, improvements in our algorithms and how we implement them as we begin to explore a new compute space, and really a convergence of the technologies.

So I think the pressing issue for boards when you say quantum will be on the security side first, because this is going to be a risk that organizations are going to have to handle. It's going to affect things like cybersecurity and cyber insurance for your organizations. But there's also something called harvest now, decrypt later, where internet traffic, traffic that's flying, flying around right now that is encrypted with the current standards, is being captured and taken offline.

Um, and that's being done by nation states with the intention to decrypt it at a later date when the computers catch up and we're able to see that power. So if you have long shelf life data at an organization, things like your IP or HIPAA or PII, that data, if it's being emailed around or sent around the internet, is being taken offline and you can't get it back.

So we do have kind of imperative because of some data leakage and what's going on to begin the migration. NIST has finalized the three standards already. Uh, there will be more to follow, and those standards allow organizations to start exploring how they're gonna function in this new post-quantum world.

So you've kind of got this security aspect that's gonna be driven by mandates and governance, uh, over the next few years. And then you've got this opportunity with quantum computing where organizations will be able to optimize better and explore new compute areas.

Kira Ciccarelli: Okay. A lot to unpack in there, and I've definitely got some follow-up questions.

So you touched on it briefly, but maybe just talk a little bit more about why quantum computing is emerging as a risk issue specifically for the board. And then again, I think you touched on it briefly, but what kinds of business models or sectors do you think are the most exposed to quantum-related disruption?

Aaron Kemp: That's a great question. I think for boards it's going to come down to the costs of breaches. If you look at the breaches that we've seen over the last few years, I think the last number I saw is between $450 and $500 per file in a breach. With quantum able to break the cryptography that we're using to protect a lot of that, that puts a clear and present danger on that data now.

And as boards are looking at the data they're controlling, that key information to the organization, that's gonna become a big problem if they're losing that. We're also starting to see the mandates catch up to that. There is some federal government mandates beginning for the Department of War and Federal Civilian where they're gonna have some timelines to migrate.

We've got CISA starting to put out some timelines for migration. So we think there's gonna be a drive from the government side to really begin to get this migration underway and get these risks secured. Um, and obviously once the government starts moving, anybody that does business with the government will need to migrate as well so they can continue to do that and be compliant with how the military and how the federal government is doing security.

Um, because eventually it'll become a, you won't be able to connect and talk with each other 'cause you won't have the appropriate algorithms to decrypt. So it'll be something that is driven over the next couple years. But I think cyber insurance plays a big part of this too. There's going to be a point where cyber insurance companies begin to say, "Hey, if you haven't done this post-quantum migration and you're breached, we're not gonna be responsible for that."

There's been ample warning that this is coming. There's been ample standards put out there, so you need to begin these migrations. Your next question about which groups I think are most susceptible, I think you have to take that in two positions. I think you've got a What data is the most susceptible?

Where I see financial data, uh, internet transactions with credit cards, that kind of data is usually the key stuff that people want to get ahold of. They want to get ahold of those transactions, the credit card numbers, et cetera, and leverage that for whatever reason. Um, but the flip side of that is those organizations that have a lot of technical debt, where we've kept those older computers, those older mainframes, um, where we're running outdated software, outdated hardware.

That could put significant strain onto an organization as they try to upgrade, as they realize how much equipment they're going to have to replace to get this migration done if it's not capable of being migrated. So I think boards are gonna have the risk aspect of the data and what they're losing combined with mandates, and then on the other side, they're gonna have this hardware issue of how much do we have to get rid of?

How much do we have to upgrade? What is that gonna cost, and how do we balance all this? Um, and I think the hard part about PQC is the, the date is not set. We don't know when that cryptographically relevant quantum computer's actually going to come onto the market. We don't know when it's gonna be there, and we may not know.

If it's a foreign adversary, that may be something we are never told, uh, and we find out at a later date. So there's, there's a lot of risk, there's a lot of opportunity, but it's something boards are gonna have to really begin to prioritize of how long are we... I, I know nobody wants to be early, but how long are we willing to wait to begin to protect our data?

And if we do have a lot of infrastructure that needs to be replaced, and everybody decides to replace all their infrastructure in 2028, 2029, how long does it take you to get a firewall or a load balancer or a VPN, um, if all of a sudden the supply chain is inundated with requests? So there's a lot going on that boards need to begin piecing together and understanding what a roadmap looks like through this.

Kira Ciccarelli: One of the bigger concerns that you mentioned is the potential for quantum computers to break today's encryption. What are some of the practical implications for boards to think about in terms of data protection and confidentiality?

Aaron Kemp: Yeah, so this is an interesting one of we d- we have two algorithms. We have Shor's algorithm and Grover's algorithms, and both of these algorithms are-- They need a quantum computer to work.

So the good news is we've got quantum computers, yes, but we don't have them at a scale big enough to implement these algorithms to where our data's at risk yet. Um, that harvest now, decrypt later threat puts current data at risk that is offline, but as that data runs out, if it expires or it doesn't have to be secured for five years, you're probably okay.

It's that longer shelf life data. But it's also a day-to-day operations then as these computers come online, we know this cryptography is susceptible to attack. We know how it works mathematically. We just need the computer to implement it. It's actually been described as no longer a theoretical problem, it's just an engineering problem.

So as we get over these engineering humps, and that is rapidly accelerating, uh, there are some roadmaps out there for some com- quantum computing companies right now that show us hitting the threshold we need qubit-wise in 2028 I think most people agree RSA will probably be broken somewhere between 2029 and 2033.

Now, that doesn't mean everything's broken at once. This isn't a key to everything. That'll be a, a long process. It'll probably take two, three days to break a single email, but that's that proof of concept that the algorithm works, and then it becomes an issue of scalability. So there is this ticking clock that boards need to kinda have an understanding of, of, you know, what we think is gonna happen in the future is now something we're having to plan for.

If you'd asked me 10 years ago how many qubits we were gonna need, it was gonna be over a billion. And if you ask me how many qubits we need now, through some recent Google papers and some other people, um, doing some research, we're under 100,000 qubits. So we've had this significant decrease in the requirements, um, what we're gonna need out of the computers, and this is all still theoretical.

I think that's important to, uh, highlight of. This all works mathematically, but we've not done it on a quantum computer, but it's that risk coming of if you need to migrate, you know it's gonna take a large organization between 10 and 12 years to migrate, and you don't start until the computer's here.

That's 10 to 12 years of risk that you're living daily. So beginning now, starting to understand what it's gonna take, getting a roadmap in place l- allows you to move at a slower pace, be more direct in how you do things, more intentional, and really get the roadmap built out correctly so the organization is acquiring the right equipment, doing the right steps, and ending secure at the end of this.

Kira Ciccarelli: So this is kind of a dizzying concept to wrap your brain around, I think, and the majority of people and the majority of directors are not quantum experts, right? So what are the most important questions you think boards should be asking management and the CISO today about quantum risk, and what does good oversight look like at this point?

Aaron Kemp: I think a board needs to ask what is the strategy? I think the CISOs have got their strategies. They're beginning to lay that out of what is our strategy to get from where we are today to what PQC resistant looks like in three, five, seven years, whatever that migration timeline ends up looking. Um, boards are gonna obviously hold the oversight on that.

They're gonna need the updates, but they're also gonna need to be proactive in funding what the CISOs are gonna need. Um, and I also think it's important boards understand this is not just a security problem. This is going to touch your data governance. This touches your CIO, this touches your legal, this touches contracts, it touches your third-party vendors.

Um, it's a much bigger thing when you start thinking about everywhere cryptography is in our day-to-day lives and in our systems. It's something we really need to be proactive in, and the boards are gonna need to understand that this may be bigger than they understand at first. But starting to get familiar with the vernacular, starting to understand the terms that are being used with this, starting to understand why your CISO is asking you for that additional funding, why they're looking for bodies to begin this migration.

Um, one of the hard parts of this migration is going to be, for forty-five years cryptography has existed in the background. It is something we make the key bigger, um, the computer gets bigger, we make the key bigger, everything's fine and we move forward. And this is the first time we're really gonna have to migrate cryptography at this scale in a world where we've got Internet of Things, where we've got OT, where we've got our classical systems.

And this is not a simple process. It's amazing all the cryptography that's out there, and it's very much akin, and you may have heard or somebody may have heard it said Y2Q. Um, they are very much associating this with the Y2K, and I think that's a great association because this is a technical problem. We understand the problem, we understand how to do it.

It's just getting the organization moving, committing to a very big project that you don't have proof of an end date is hard. Um, you know, there are a lot of challenges with AI and AI security and all the things we have going on in that space. So to get a board to dedicate resources, money, time, personnel to this project can sometimes be a hard sell as it doesn't seem as pressing, but it is real, it's coming.

Um, I think you're gonna see the governance and the mandates follow very soon, and that will drive that. So the boards are gonna have to be aware of both the governance structure requirements, um, especially international. We're seeing a lot of governance that's conflicting, uh, different timelines, different dates.

So if you're an international organization, you may also have conflicting regional and global challenges

Kira Ciccarelli: So before we, um, pivot to our final three questions here, do you have any best and final thoughts for corporate directors on quantum computing?

Aaron Kemp: For me, it's start. Go ask the questions. Where is your organization?

Have you done a cryptographic baseline? Have you started to talk about what our strategy's gonna look like? Um, there's a lot of, lot of good guidance out there, uh, that has been put out on what this migration's gonna look like, where are the first steps. Uh, big companies really starting to come together and say, "Hey, this is what we think are gonna be the challenges.

This is where we're seeing problems." Get involved with some of these working groups that are out there where you can come and put your hand up and say, "We found these problems. How are you addressing them? Is it unique to us? Is this an industry issue?" Financial services has some great stuff out there now.

They've put a lot of really good guidances. They are probably gonna be one of the key attackees. They will be seeing a lot of the attacks coming their way. So I think just getting into the space, starting to understand the timelines, getting an idea of what's changing in quantum, making that a part of your weekly or monthly discussion of what is the status of quantum, where are we at on the migration, what is NIST guidance, what is federal guidance, uh, and making sure that you're moving along with it.

There's gonna be challenges. There's gonna be timeline slips, jumps. We've seen the 2035 timeline, now we've got organizations saying 2029. Um, you know, so everybody that thought they had seven, eight years, now all of a sudden you've got three. So those breakthroughs could change really quickly, and I think getting into the space and starting is gonna be key.

Kira Ciccarelli: Yeah. I think that's great advice. I am struck by how neatly this fits into one of the things we've been hearing a lot from directors this year at Diligent, and that's this idea that the quarterly board meeting isn't gonna cut it anymore, and we need to maybe move to more continuous modes of governance and oversight, and this definitely seems like one of those areas where it would behoove directors to move to that sort of system.

Aaron Kemp: Agreed.

Kira Ciccarelli: We've got a, a couple questions here that we like to ask all of our guests before we end the show. First one I'll ask you, what do you think will be the biggest difference between boardrooms today and 10 years from now?

Aaron Kemp: I think boards are gonna have to have a level of agility they do not have now.

Um, the technology is changing too fast. We're seeing new AI updates almost monthly. We're seeing new breakthroughs monthly, agentic AI, uh, quantum computing coming online. We've got neuromorphics coming down the road. There's thermodynamic computing. There's all these new methodologies coming, and the cycle is getting so rapid that, like you just said, meeting quarterly is no longer gonna be enough to keep up with the tech change cycle of something that may have not been a problem six weeks ago is now a problem just because of a breakthrough.

So I think they've gotta become more agile and understand that the technology's almost driving faster than we can react.

Kira Ciccarelli: Right. Uh, what was the last thing you read, watched, or listened to that made you think about governance in a new light?

Aaron Kemp: Uh, the paper that came out recently really made me think about the governance coming up on moving that date from 2035 to 2029, and the recommendations coming from big players out in the space of we don't have the governance in play right now to mandate that organizations begin the migration.

So we are in a almost governance vacuum. We have lots of guidance, but no governance. Uh, and cryptography, because it has always been kind of a back room thing, has never been out in the open and had a governance program built around it, and that's going to be something it needs going forward, of what does your cryptography program look like?

How do you become cryptographically agile, and what does that mean to your organization? So there's a lot of design to be done, and a lot of new roles and new things that need to be thought through for an organization to be secure.

Kira Ciccarelli: We'll be sure to link to that paper in the podcast notes for this episode.

Aaron Kemp: Excellent.

Kira Ciccarelli: Final question, what is your current passion project?

Aaron Kemp: I have been working a lot in the quantum computing side recently, um, and we are beginning to tailor one of our-- We did some work with enhanced satellite recognition use- or enhanced data recognition from satellite imagery using multi-spectral data.

Uh, and we think that's gonna be adaptable to cancer research. So we are trying to adapt that research to be able to identify cancer markers in pictures, um, which I think is just amazing. If we can go down that road and really take quantum and solve a problem, I think it would be phenomenal. Um, there's a lot of negative hype around quantum right now with the quantum risk, and I think everybody forgets there's a lot of opportunity on the other side of this.

Yes, we're gonna go through 10 years of migration and difficulty and costs and new governance and all these things, but on the end, we're also gonna end up with a new compute mal- m- modality that opens up a lot of things for us, and I wanna keep people's eyes focused on the good part of this as well.

Kira Ciccarelli: Yeah, like with any technological advancement, and that's fascinating.

Aaron Kemp: Yeah. Anything can be good. Anything can be bad. This is one where I think the bad we're aware of. We work through it. We solve it as a problem. It is a technical problem. Build a roadmap, solve it, and then we can get into what can we do with this to make things better.

Kira Ciccarelli: Great. Well, that wraps up this episode. Aaron, thanks so much for joining us.

Aaron Kemp: Thank you for having me. It was a pleasure

Meghan Day: All right. Thanks for that, Kira. I feel slightly smarter about quantum computing, but man, just shows the scope, uh, a breadth, depth of what board members need to grapple with today.

Kira Ciccarelli: Yeah, absolutely. I left that interview, um, and my head felt very physically heavy. There was a lot of new information to consider.

And I mean, to me, the quantum computing issue, specifically for the board, is just the definition of a gray rhino- Mm-hmm ... where you can see it, and it's a couple years out into the future. One of the things that Aaron said that scared me a little bit was this idea that the timelines for these capabilities being scaled and broadly available to folks has been shortened from, like, a 2035 timeline out to 2028 or 2029.

So the fact that it's shortening sort of exponentially and it might be here a lot quicker than we think was definitely cause for pause.

Meghan Day: Yeah, and I do think it gives... Again, though, it, it opens up a bigger conversation just about how boards need to think about risk and preparedness in a world in which truly disruption is happening at every corner.

And so whether it's quantum computing or something else, how do you ask the right questions and frame conversations in the boardroom so that you feel like you not only necessarily a good understanding, um, it's not necessarily about the physics of it all, but that, again, you are framing risks in the right way and protecting what needs to be protected without maybe even losing some of the upside that comes along with some of this new technology.

Kira Ciccarelli: Yeah, definitely. And I think, though, the catch-22 is that this is something where Aaron pointed out they know how the math is going to work. I think theoretically what quantum computing can do, we know that part of it, or at least we have a pretty good understanding of what it's going to be able to do.

The problem is just having the actual computers themselves and the equipment catch up with what we now know is theoretically possible. Yes. Um, that's still a little bit of a ways away it sounds like, and I think what my big takeaway from this interview was is the idea that I don't know that given the environment we're currently in, if boards are going to have the luxury to take the sort of- preparedness steps that they need to be taking right now.

It's a luxury to be able to look at something that we know is not gonna be a problem for another two or three years and start thinking about it now. There are so many other issues that are so urgent and so pressing, and I think we've seen that a lot in the last few years that I think while the advice is good, and it's something the boards probably should be starting to think about and ask questions about now, I don't know that they have the time.

Meghan Day: That's a really, really great point. It, it might be worth framing as part of a broader, uh, you know, annual risk review or semi-annual risk review, you know, just to think about a number of different things in this space and understanding just the strategic implications if things mature faster than already expected

Kira Ciccarelli: Yeah.

And I think also looking at how quantum then hooks into a lot of the other issues that are super pressing for directors right now might be a good way to do it. So things like geopolitical risk, things like the current cybersecurity landscape, because obviously quantum capabilities are going to play into that.

How does it kind of hook in with AI deployment, things like that.

Meghan Day: Yeah. It might be also a great topic to have an outside expert come in and spend, you know, a half a day, a couple of hours with the board thinking about how it relates to your particular sector or industry and your organization in a deeper way.

Kira Ciccarelli: Yeah. I think that's a really practical point. Um, part of me just felt really bad by the end of the interview- ... saying to our audience, "And here's one more thing that you now have to think about," um, just as if the current agenda wasn't really- Right ... quite challenging enough for you.

Meghan Day: Well, let's see if the next, uh, the next, uh, conversation we have in, uh, a year or so is do you need a quantum computing expert on your board of directors?

Kira Ciccarelli: I was thinking that same thing. We've seen it cycle so many times. And I guess in, in a way, it might look a little bit like the conversation about do you need a cyber expert on your board? Absolutely. 'Cause I do think the quantum question really ties the most closely to cybersecurity implications, but yeah, I'm sure that'll be the next thing.

Meghan Day: Oh, man. Well, that wraps up another episode of the Corporate Director Podcast, the voice of modern governance. We'd like to s- say a couple of special thank yous, first to our quantum computing expert, Dr. Erin Kemp. You gave us a lot to think about. Podcast producers and today's great interview, uh, Kira Ciccarelli, Steve Claydon, and Terry Thierry.

Our sponsors, KPMG, Wilson Sonsini, and Meridian Compensation Partners, and most especially to Diligent. If you also serve on a nonprofit or public sector board, tune into our sister Diligent podcast, Leading with Purpose, for expert conversations on governance, risk, and compliance that makes an impact for mission-driven organizations.

Thanks for listening.

Intro: You've been listening to the Corporate Director Podcast. To ensure that you never miss an episode, subscribe to the show in your favorite podcast player. If you'd like to learn more about corporate governance and tools to help directors do their job better, visit www.diligent.com.

Thank you so much for listening. Until next time.