Post-Quantum Encryption Creates New Business for the Cybersecurity Industry
(Blog.InsideQuantumTechnology) Inside Quantum Technology’s new report on the market for post-quantum cryptography, “Post-Quantum Cryptography: A Revenue Assessment,” (https://www.insidequantumtechnology.com/product/post-quantum-cryptography-pqc-a-revenue-assessment/) indicates that the emergence of quantum safe encryption will be big business for the cybersecurity industry leading to more than $340 million in revenues for the industry by 2023 then growing to $1.6 billion. As the accompanying chart shows, this money will flow from a number of different end-user segments.
PQC as a Service
• Several companies already offer well-known “as-a-Service” products with novel post-quantum algorithms: email encryption, VPNs, Identity-as-a-Service, and others. At their earlier stages, we expect that these will be more popular among businesses in comparison to crypto libraries because of lower maintenance.
• Initially, we expect that PQC will be marketed with the “post-quantum” keyword and attract people with its novelty, but as time goes on PQC will just become a standard piece in broader service offerings. The companies that start with providing PQC-as-a-Service will likely either evolve into a regular security vendor with a rich portfolio of different services or be acquired by a larger company for their expertise in the post-quantum field. A thought: Will service providers sell both QKD and PQC services?
Software Recommendation, Development and Acquisition
• Both specialized cybersecurity firms and IT firms more generally are likely to see a healthy business recommending and developing PQC software for clients. This may include developing customized software, recommending a commercial package and possibly purchasing it on behalf of a customer.
• Currently, there isn’t much variety in the PQC products available—most often these are libraries, firmware updates, hardware modules, and the occasional services providing security like email encryption. However, as time goes on these products will become more diverse and niche-specific, which is why consulting will also have to include advice on which product to choose.
• The variety also stems from the nature of the current NIST selection process for PQC. In previous cases, one cryptographic algorithm would be the winner of such a contest. This time NIST specifically stated that a few different candidates would make it to the end, each to serve their own purpose. One expected candidate will likely be chosen based on its low computational requirements so that it could work on low-power devices like those that we are seeing in the IoT.
Design and Implementation of PQC
• Cybersecurity firms are also involved in consulting on—and actual implementation of—PQC. This may involve merely explaining to management where the pain points are and how PQC can alleviate that pain and/or actually installing the PQC software.
• We expect this opportunity to be popular at the start of PQC adoption, while it is still a novelty and it makes sense to purchase separate services. As time goes on and PQC becomes the norm, firms that appeared will likely be acquired by larger security vendors and become a part of larger security establishing programs.
Note that while Inside Quantum sees PQC as providing very substantial new business for the cybersecurity industry, this industry itself is huge. Different sources give different global figures for revenues from the entire cybersecurity industry. But they are all in the $150 billion range and the cybersecurity industry has been growing rapidly because of the persistence of cybercrime. In other words, PQC means more business for the cybersecurity industry, but it isn’t enough to transform the industry.