00:00:02 Speaker 1
The Institute of Internal Auditors presents All Things Internal Audit Tech. Quantum computing might sound futuristic, but internal auditors need to prepare now. Bill Truett catches up with Nick Reese to talk about what's changed in the quantum space, including new cryptography standards, real world risks.
00:00:20 Speaker 1
And what internal auditors can do today to get ready.
00:00:25 Speaker 2
Nick, it's great to have you back.
00:00:28 Speaker 2
Since you were last on the podcast, what's changed in the quantum computing landscape that internal auditors should be paying attention to?
00:00:35 Speaker 3
Hey, Bill, it's really great to be back here and I'm really excited to be speaking with the internal auditor community again and I'm really excited that there's been so much interest and curiosity about the quantum computing topic and it's great to be back and and being able to have this conversation. And I'm glad you you started off with that question because.
00:00:55 Speaker 3
A lot has changed, but I'm going to answer your question with a question which is probably gonna be annoying to maybe you and the and.
00:01:01 Speaker 3
Others I would ask, what has the internal audit community been doing since last we talked? Because we gave a good we gave a good introduction. We talked about some threats and some opportunities, but I would love to know what all of you out there have been doing since then.
00:01:17 Speaker 2
That's a very.
00:01:18 Speaker 2
Good question. I think a lot of the internal audit energy lately has been focusing on the new standards as well as a lot of AI artificial intelligence. I I want to say this probably is not as hot a topic as it should.
00:01:34 Speaker 3
Well, I, and that's something that we see across the board just so folks have a have a good sense of who I am. I I'll I'll start off by saying I'm not an internal auditor. I'm not certified as an internal auditor, but I am someone who's been working on quantum computing, specifically policy for a long time, so.
00:01:54 Speaker 3
I used to be the director of emerging tech policy at DHS, before I started my AI company. I'm also an adjunct professor of emerging technologies at NYU, so this is a space I've been in for a long time. So what I first want you and the listeners to know is I want you all to know.
00:02:12 Speaker 3
That I'm a really good husband. Do you know why I know that? Because last year on our anniversary, which is August 13th, I got my wife something really great. You know, I got her.
00:02:24 Speaker 2
No idea.
00:02:25 Speaker 3
I got her brand new quantum cryptography standards.
00:02:29 Speaker 2
Ooh, lucky lady.
00:02:30 Speaker 3
That's right, that's right. Anyone romance is still alive. Anyone out there? Who?
00:02:36 Speaker 3
Has who's gotten their their significant other something like this? Please reach out. Put it in the comments.
00:02:42 Speaker 3
But one of the biggest things that has changed to your question is that NIST, the National Institute for Standards and Technology under the Department of Commerce, has come out with the actual quantum cryptography.
00:02:57 Speaker 3
Standards the post quantum cryptography standards and since that time they've been in the process of creating the standardizing the actual algorithms themselves.
00:03:06 Speaker 3
And communicating with industry and doing things like that so that we can start to bring these algorithms actually into commercially available products. So this was a major milestone and not only was it a a wonderful anniversary for me, but it was.
00:03:22 Speaker 3
Something that the quantum computing community and the cybersecurity community should definitely remember because it is one of the milestones that we have been waiting for. And we had actually talked about in the last podcast.
00:03:36 Speaker 2
Awesome. Very interesting. So kind of go back a little for anyone that's pretty enjoy. Just join the conversation, maybe new to quantum computing. Can you give us a a quick explanation on the difference between classical and quantum computing?
00:03:52 Speaker 3
Absolutely. So classical computing is how you're all listening to the melodic sounds of Bill's voice right now, and this is our traditional computing that it has on your laptops, your phones, things like that. And it's based in binary code. So all those ones and zeros that you, you've heard about bits.
00:04:10 Speaker 3
You know megabits, you know bytes, terabytes, you know, zettabytes. All of that is is related to the deterministic nature of.
00:04:20 Speaker 3
Traditional computing. So those are the ones and zeros, the binary code and what that means is that your computer does calculations in a in a in a very linear deterministic type way. So let's talk about deterministic for a minute. What does that mean? Well, it means that there are a set of rules that kind of govern what's going to happen.
00:04:29 Speaker 3
Kind.
00:04:40 Speaker 3
So if you type into your calculator on your phone, or on your computer, you know 2 + 2 equal.
00:04:48 Speaker 3
How many times is it going to say 4?
00:04:50 Speaker 3
Every time not 90%, not 99 every time, and that's because it's deterministic computing. But there are some limitations to that, and there are certain types of computation that are really hard for classical computers to do, and so quantum computing actually uses different type of computing. So that's that's maybe the biggest take away here is that.
00:05:12 Speaker 3
Classical computing and quantum computing are different. They're not necessarily better or worse, they're different. And what makes quantum computing different is that we use the very weird and quirky properties.
00:05:25 Speaker 3
Of quantum particles, subatomic particles, to represent information. So instead of ones and zeros or pulses inside of your computer, electrical pulses inside of your computer, we actually use these particles and they're difficult and they're hard, they don't behave the way we want. And all these sorts of things. But what that does is that unlocks new types of computing for us.
00:05:46 Speaker 3
And that new type of computing is really not something that's that is is equivalent to anything that the type of computing that we know, which is why it's so important both from an opportunity and.
00:05:57 Speaker 3
A risk standpoint.
00:05:58 Speaker 2
Thank you very much. Are there any other recent advancements or milestones in quantum computing to kind of signal we're closer to kind of practical everyday, you know, real world applications?
00:06:09 Speaker 3
Absolutely. So there are advancements that are coming out all the time. And I think again, if there was another just kind of singular take away that I would want the audience to to bring with them here is that.
00:06:19 Speaker 3
That quantum computing is moving forward very quickly. There are there's a lot of investment, there's a lot of government funded research, things like that into quantum computing. Now quantum computers exist today. There are quantum computers, but if you can imagine sort of when we had just kind of very tiny like 8 bit or 16 bit.
00:06:39 Speaker 3
You know, computing capabilities sort of a sort of a, you know, you could think of that as an analogy. It's not exact, but it's kind of an analogy where we have these quantum computers, they they work, they function, they they do what we want them to do, but they're not at a big enough kind of capacity yet.
00:06:56 Speaker 3
To really solve the big problems that we're looking at, just like post quantum cryptography, which we discussed in the in last year's.
00:07:05 Speaker 3
Episode.
00:07:06 Speaker 3
Now what we're seeing is a lot of people trying to solve a really kind of core problem in quantum computing. It's called error correction. And so I want to go back to what I was saying.
00:07:17 Speaker 3
Of.
00:07:17 Speaker 3
Or about how in a classical computer, 2 + 2 = 4 every single time. It's not a probability, it's every time. And in a quantum computer we have probabilistic computing, and so 2 + 2 = 4 at some probability, and so there are sometimes.
00:07:37 Speaker 3
Errors that come in when these, you know, quirky little particles don't behave exactly the way we want them to. And when that happens, we get errors in our in our computation.
00:07:48 Speaker 3
But.
00:07:49 Speaker 3
Errors in computations.
00:07:50 Speaker 3
Particularly helpful is that we we need computation to be correct in order to be useful, so this problem of error correction is something that we're seeing a lot of companies really focusing in on. And there's been a lot of movement lately in, in terms of the press and in scientific publications about error correction and quantum computers.
00:08:12 Speaker 2
Very nice. So are we starting to see cases, situations where quantum computing is being used in conjunction with the the current real hot topic in internal audit artificial intelligence?
00:08:25 Speaker 3
That isn't exactly happening yet, because, as I said, right, there's, you know, we're still in the kind of.
00:08:28 Speaker 1
Yes.
00:08:32 Speaker 3
The stage where we're solving some engineering problems and that includes error correction and so what we saw over the last few months is that we had we had AWS, we had Google, we had Microsoft all make big announcements about solving error correction. Now they didn't solve it.
00:08:53 Speaker 3
Exactly. But they came up with kind of like approaches that might solve it. And so it might in the future solve it because it hasn't been proven out just yet.
00:09:02 Speaker 3
But that advancement is something that we should all be paying very close attention to.
00:09:07 Speaker 3
And this.
00:09:07 Speaker 3
Where I think it's important for people. I mean, there's another take away for people to really make sure that they're not just kind of like following the marketing hype because there's a lot of incentive out there for quantum computing companies to say that they solved error correction, that they've done it. And one of those incentives.
00:09:28 Speaker 3
Is AI and so you know, everybody kind of has an idea that once you integrate AI with quantum computing, you'll end up with this kind of like super AI. And that may end up proving true. But that's not something that we're able to do yet. And so I think the the best way to answer your question is that we're certainly.
00:09:48 Speaker 3
Thinking about it, and there's certainly companies and and researchers and things like that that are focusing on.
00:09:55 Speaker 3
But the hardware is not quite ready for that yet.
00:09:58 Speaker 2
I know we touched on the the NIST cryptography standards, so where exactly are we at with that process now? Is it been published? Is it 100% out?
00:10:07 Speaker 3
So it's been published and and by published what I mean there is the actual algorithms, the actual math that we're going to use to underpin the encryption that's been selected.
00:10:19 Speaker 3
And it's out into the world. So they they started the process kind of around 2015. It was a iterative process where they had people submit different algorithms and then they had people basically try to break them and they broke a whole bunch of them right up until they kind of got to the finalists and they figured out, you know, which ones they wanted to use for different types of encryption.
00:10:39 Speaker 3
Those algorithms are chosen, and they're going through the standardization process now. And So what we should expect is for more news to come out on the standardization process, so.
00:10:51 Speaker 3
If there's any news that folks should be listening to, it's.
00:10:55 Speaker 3
That one, because this is the nearest term problem and it's the thing that is the most actionable in the near term. So if we're thinking about implementing a quantum computer from a, we'll call it an opportunity standpoint. Meaning you know what can a quantum computer achieve that maybe classical computers can't that would give you a business advantage?
00:11:15 Speaker 3
Right. That's the opportunity side of things that is going to have to wait until we get to that capacity.
00:11:20 Speaker 3
Facility where these quantum computers become, you know, useful for the types of tasks that we want them to be able to do. But in the much nearer term we have to get ready for post quantum cryptography issues. And So what that means for folks if you missed the last one, that means that quantum computers are going to be able to break.
00:11:41 Speaker 3
The current asymmetric encryption methods that we use that are based on factorization. So once a a quantum computer gets to that capacity, that encryption is.
00:11:54 Speaker 3
Vulnerable. So what we need to do in the interim is replace that vulnerable encryption with new encryption. So what's the difference? Why is, you know, why is 1 vulnerable? The other ones not? Well.
00:12:08 Speaker 3
It's based on different math, so a factorization problem is something that is really hard for traditional computer to to solve because of how we talked about it being deterministic and ones and zeros in electric pulses. That makes it really hard to solve. But if you move that over to a quantum computer, a quantum computer using Shor's
00:12:28 Speaker 3
algorithm, when it's at the right capacity, can actually solve that.
00:12:33 Speaker 3
So what we need is different math and so that's what NIST did is they came up with.
00:12:39 Speaker 3
Different math that a quantum computer does not help you solve, and so that's where we're going. Now, where are we right now? So since August of last year and my lovely anniversary gift to my wife, we are in that standardization process where we expect there to be.
00:12:59 Speaker 3
Some news about maybe adjustments to the algorithms or maybe they find out that one algorithm was actually vulnerable after all, this is something we should expect. We shouldn't look at that and say oh well they failed, they didn't fail. They're continuing to iterate on this to ensure that they get.
00:13:14 Speaker 3
It right so.
00:13:15 Speaker 3
For folks out there that are, you know, really watching this, I would really recommend.
00:13:20 Speaker 3
Make sure that you're paying close attention to the progress of the NIST standards, because one it might tell you something about how the actual standard is coming out, and two about how it gets integrated into products that you might.
00:13:34 Speaker 2
Very nice. So with that, what are some, maybe some steps internal audit functions should take today to prepare for this post quantum cryptography. You know, the transition into that because in my, you know experience, you know, I've heard of Quantum heard a lot of about of it about it, you know several years ago with the big concern.
00:13:55 Speaker 2
I mean, hey, once we have this, you know 128 bit, 256 bit encryption.
00:14:00 Speaker 2
Is going to be, you know, you might as well just not encrypt it. So you know, other than that, you know what other things should, you know, internal audit, maybe be concerned with with you know, this post quantum cryptography.
00:14:12 Speaker 3
Fortunately, everyone listening to this has already started with my first recommendation, which is education. So it's it's, it's a little boring and you know, maybe not as fun as, hey, we're going to get to actually code a quantum computer, but the bottom line is we need to make quantum computing accessible and some people would say, oh, but it's, you know, it's it's really.
00:14:18
Thank you.
00:14:32 Speaker 3
It's not intuitive and it's quirky and it's hard and there's all this physics and math behind it, and you're right about all of those things.
00:14:38 Speaker 3
But there was also a time where we didn't intuitively understand cell phones. There was a time when we didn't intuitively understand the Internet, but now we do now. I mean, even even young children intuitively understand these things. And how did that happen? It happened over years, and it happened over years of of training and use and and.
00:14:58 Speaker 3
Experience and you know, refinement of the technology itself. And so that's where we need to start. We need to make it accessible. We need to bring the floor of knowledge up and before people start saying, oh goodness, I'm going to have to, you know, go back to physics.
00:15:12 Speaker 3
Class we don't need everyone to be able to do the math. We don't need everyone to be able to code the quantum computer itself. What we need is for people to understand the difference between a bit, the fundamental unit of information in a classical computer, and a qubit, the fundamental unit of information.
00:15:32 Speaker 3
In a quantum computer, and why those two things are different? Because if you know that much, you can really start to understand use cases for how quantum computing can be used and you can understand.
00:15:44 Speaker 3
The threats and so I would highly recommend to anyone listening to consider workforce education, upskilling, you know even like seminars and things like that eventually going to a place where you start to maybe go through things like in a tabletop exercise to really kind of understand what you're doing, what you're not.
00:16:03 Speaker 3
The next thing I would recommend is you need to start doing an inventory and this can be done internally. You don't necessarily need to hire anybody to do it, but.
00:16:12 Speaker 3
Where are your different encryption algorithms and what are they protecting right now in your organization? What encryption are you running and what's sitting behind it?
00:16:22 Speaker 3
And if you can figure that out, you can start to prioritize how you start implementing protections in the new algorithms. And so you might not be able to do it all in one year.
00:16:36 Speaker 3
But maybe you can prioritize it and you can put your PII or SPI or other other sensitive types of data.
00:16:42 Speaker 3
That you have behind the post quantum encryption algorithms. So those two things are really just one is training and one is planning, neither of which are very expensive. But they're things that actions you can take right now. And then the final thing that's maybe a little further out is you need to be able to ask your vendors.
00:17:01 Speaker 3
The right questions.
00:17:03 Speaker 3
And so if you're going to use a cloud or you're going to use kind of any type of service or or software as a service, you should be, you should be asking questions about quantum, you know are are, are the algorithms implemented or is there a plan to implement them? What's the timeline?
00:17:18 Speaker 3
These are reasonable questions that we need to get in the habit of asking, and once we do that, I think that you know, the internal audit community already showing a lot of interest in this can really turn and and start to be early implementers to one, improve your security and two be ready when quantum computing is is.
00:17:38 Speaker 3
Available kind of from an opportunity sense to create business advice.
00:17:43 Speaker 2
So to kind of summarize that, you would say you know internal audit should look to upskill, learn more about quantum computing in general, then their next steps would maybe be to kind of look throughout the organization at the your sensitive data, your Crown jewels, things that you currently are using cryptography.
00:18:03 Speaker 2
Protect and kind of have an inventory of that so you know where you need to do your upgrades. Once this you know this quantum cryptography is mainstream and you want to continue to protect these.
00:18:19 Speaker 2
This information adequately, you know, and then you know the last step is, you know start to incorporate some questions related to quantum quantum readiness with your your third party vendors that might be handling some of that data for you.
00:18:37 Speaker 3
Yeah, those are the closest things that are are the most actionable right now and and we could go down the road of starting to talk more about quantum and AI or or how quantum can solve certain certain specific use cases and that's that's all really good and worthwhile conversation.
00:18:50 Speaker 3
Have but I want to make sure that we're leaving folks with real, actionable things that they can take forward. And that's the things that you just listed out are what would would put most organizations miles ahead of a lot of organizations out there who who really aren't kind of looking at this seriously.
00:19:07 Speaker 3
Enough.
00:19:07 Speaker 3
And and I'll tell you, one of the challenges that that I ran into.
00:19:11 Speaker 3
So back in 2020-2021.
00:19:14 Speaker 3
I was leading a team at Department of Homeland Security and we put together a post quantum cryptography road map that went out that is still out publicly, dhs.gov/quantum, you can find it.
00:19:25 Speaker 3
There.
00:19:26 Speaker 3
And one of the problems that I ran into constantly was I would say, you know, we need to do something on quantum computing. You know, DHS owns, you know, through CISA.
00:19:35 Speaker 3
Runs the .gov domain like we we have to pay attention to this, right? This is a big deal.
00:19:40 Speaker 3
And the gap was always.
00:19:42 Speaker 3
Days that people didn't understand it. And so anytime we ran into a roadblock or we ran into a delay or something, that it was because people didn't understand what it was. And so there, that education gap is really important because it's not an intuitive subject. And when it's going to arrive is not exact. We don't know exactly.
00:20:03 Speaker 3
And that makes it hard for a lot of decision makers to focus on.
00:20:07 Speaker 3
And so the education piece of this really bridges that gap. And if you can accomplish that, you can do a lot of downstream things like preparedness and security, but also identification of opportunities, which is going to.
00:20:19 Speaker 3
Come from your workforce.
00:20:21 Speaker 3
So this is a. This is something that I think is really underappreciated, but you know really critical.
00:20:28 Speaker 2
My next question is, so we have some legislation like the Quantum Cyber Security Preparedness Act now in the books. Are there any other kind of regulatory ripple effects the internal auditors might expect in the future?
00:20:41 Speaker 3
Yeah. So the the Quantum Cyber Security Preparedness Act, which was a great piece of legislation came from previous executive actions. And you know, DHS, I'm proud to say, was a big player at.
00:20:52 Speaker 3
That table. So far, there aren't any laws like that, that that kind of apply broadly, so that if you read that law, it's really about the federal government's ability to to prepare for quantum cybersecurity. But across the various regulatory agencies, I I, I don't have visibility into all of that, but I know for for a fact that, for example.
00:21:14 Speaker 3
The you know, even back then in 2021-2022, the, you know banking sector and and financial services, were looking at you know introducing some quantum requirements into their, you know their their audit procedures and things like that and so.
00:21:31 Speaker 3
So I'm I I I I'm not tracking. I'm not in that world, so I'm not tracking whether that was was implemented. But I think what it clearly shows is that regulators are paying attention and that, you know, this is a big enough threat that we need to really pay attention. And. And I think regulators are going to.
00:21:51 Speaker 3
Start putting things in place that may a day may not be today and we're we're not in a kind of a political environment where I think there's a lot of appetite for additional.
00:21:59 Speaker 3
Regulation, but in in any case, that is something that I think we will see sooner rather than later because and this is another really central point, the.
00:22:10 Speaker 3
From quantum computers to our current asymmetric encryption will be the biggest cyber security challenge that any of us.
00:22:19 Speaker 3
Face in our lifetimes.
00:22:20 Speaker 3
And it's broad. It's worldwide and it's going to take a big effort to change that to protect and and and and create some safety and security in that world. Now, a lot of people will say, yeah, but I there's not even a timeline and that's that's that's right. But.
00:22:39 Speaker 3
If you go back to what we were talking about before in terms of the error correction announcements and then these new frameworks for solving these really complex problems, we're really just one breakthrough away.
00:22:51 Speaker 3
And that might be a little bit frustrating, but it's true. We're, we're one breakthrough away.
00:22:56 Speaker 3
From quantum computing, being something that we have to deal with now.
00:23:00 Speaker 3
And we can take advantage of the timeline of the time we have now or we can wait until we get hit with something and then play from behind. And that's what I hope that the internal audit community will avoid.
00:23:12 Speaker 2
I could imagine it might be one of those situations where it's a bit ignored until there's a series of high profile breaches because because of this, and then we might see a lot of, you know, regulatory action take place.
00:23:29 Speaker 3
Right. And I think that the thing that's the analogy that I think is important here is.
00:23:34 Speaker 3
If you know if we can agree that we live in a world where information is not only valuable, but it's often weaponized, we can agree on that, then we can we can look at things like a quantum computer as something that has the potential to really weaponize information because it can tear down encryption.
00:23:54 Speaker 3
Of things that we need to be encrypted for not just right now, but years and possibly decades into the future. And if that's true, then we're we're looking at a capability that can truly cause considerable damage, not through kind of kinetic means, but through information.
00:24:11 Speaker 3
And there's a useful analogy here. So if the history buffs among us can think back to, you know, their their history classes on World War Two, we know that Bletchley Park was a place in Great Britain where they broke the Enigma code and the Enigma code was so important that.
00:24:31 Speaker 3
There were decisions made to allow attacks to proceed or ships to be sunk or things like that, so there would not be an A a suspicion of the breaking of the code.
00:24:41 Speaker 3
We should think about quantum computers, sort of like that, where?
00:24:45 Speaker 3
If you happen to be, uh, you know, if you were.
00:24:49 Speaker 3
You know, in in an adversarial country and you had a quantum computer available to you, would you hold a giant press release about it? I wouldn't hold a press release. I would keep it to myself and I would use it. And I would make sure that nobody knew that I could use it because it's not like having an aircraft carrier where it's the part of part of the whole thing about having an aircraft carrier that everybody knows you have them.
00:25:11 Speaker 3
This is very.
00:25:12 Speaker 3
Different. And so when we're thinking about how a quantum computer might be used for as a cyber security threat, we have to keep in mind that there are other countries that are doing this. They're the the value, the kind of geopolitical value of this is not lost on them.
00:25:28 Speaker 3
And so.
00:25:29 Speaker 3
As we're thinking about how to approach this and and think about the threat, it's hard because we don't know the timeline. But what we do know is that the math works. We know that quantum computing is possible. We know that we can. We're we're seeing how it can be scaled and we know about what Shor's algorithm can do. And so as a result.
00:25:50 Speaker 3
We need to.
00:25:51 Speaker 3
Really kind of embrace that this is real and and and we all need to kind of pitch in I guess so to speak. And so as we're thinking about how this is going to continue to play out, we should keep that analogy in mind because that analogy is informative to the threat side of things. But of course I don't want this to just be about the threat.
00:26:11 Speaker 3
But that is kind of the closest thing that folks need to really pay attention to.
00:26:17
Great.
00:26:17 Speaker 2
We've talked earlier about the importance of education with regards to quantum computing, so I guess what kind of core concepts or terminologies should internal auditors understand first when when tackling quantum computing, you know, like a frequently asked questions or common terms that.
00:26:37 Speaker 2
Kind of help help them with getting started with quantum.
00:26:41 Speaker 3
Yeah, that's a great question. And and I think that terminology is, is so important because people can start to feel like it's more accessible when they at least understand some terms and that becomes hard when you know I I might use a term like a Hadamard gate, which is a concept in quantum computing and everybody goes, what is Hadamard gate? That's a really important concept.
00:27:02 Speaker 3
But let's back out of the kind of technical stuff, and let's talk about some of the more important or not more important, but more, I guess, surface level terminology that we can figure out or we can understand.
00:27:12 Speaker 3
Plan. So I would say first is the difference between deterministic and probabilistic computing and those are those are kind of big words. But like you know it's it's not hard to understand if that's something that you know you prioritize and you have someone kind of explain and demonstrate to you. The other is what is the difference between a bit and a qubit. Why does it matter?
00:27:32 Speaker 3
And that's a very succinct way of of of asking a really, really important question. And because fundamentally we're talking about the difference between why a quantum computer computes differently and that.
00:27:46 Speaker 3
Difference in compute?
00:27:48 Speaker 3
Translates into the.
00:27:51 Speaker 3
The opportunities and risks that we're going to see from quantum computing. So those those terms, I, I would say are are really important and then you know next I would, I would say the the concepts of superposition and entanglement, they're physics terms. I will tell you right now they don't make any sense.
00:28:11 Speaker 3
At least not in our in our world. But when you really look into it, I mean, these are real properties that these particles really exhibit.
00:28:19 Speaker 3
And.
00:28:20 Speaker 3
The superposition one in in particular is a huge reason why.
00:28:25 Speaker 3
We have these advantages with quantum computing in terms of the type of compute that it does, which is different than our kind of traditional compute.
00:28:34 Speaker 2
Great.
00:28:35 Speaker 2
So we kind of got a starter in the vocabulary. Are there any other tools or resources places where internal audit leaders practitioners can go to learn more, train train their teams on quantum threats and post quantum mitigation strategies?
00:28:52 Speaker 3
Yeah. So there are, there are resources available, dhs.gov has several, NIST has several, depends on your audience though, because you know the DHS stuff is definitely a little more policy kind of work, the NIST stuff is really great if you're a cryptographer. If you're not, it might be a little bit tough, you know, so I I would.
00:29:13 Speaker 3
I would recommend actually seeing if you can kind of partner with someone or you know a vendor or or a you know a trusted partner who can kind of come in and really talk about this with you and and.
00:29:24 Speaker 3
Because I think that's the best way to learn it's it's it's hard at this point in quantum computing to say, hey, here's the 20 minute video.
00:29:32 Speaker 3
It'll all make sense after that. That's just, that's just not really where our kind of floor is when we understand this technology. So I think that you know the, the training, the kind of online trainings in person trainings, things that you can ask questions to people that are experts and you know a good trainer would have someone that not only can kind of communicate the information well but also.
00:29:52 Speaker 3
The technical people who can.
00:29:53 Speaker 3
And really double and triple click into hey, This is why.
00:29:58 Speaker 3
You know this this concept matters and and this is the the real physics that's that underpins this, because most of the time that I've, you know, ever talked to folks about this, I at NYU, I teach a class and and we cover quantum in it and.
00:30:16 Speaker 3
Almost every time that we have these conversations, I don't get people coming back to me and saying.
00:30:22 Speaker 3
Well, you know, I I just, I have no interest in learning this. It's usually. Hey, I actually I feel like I need to know a little bit more you know is there more out there and that's exactly the right response. But it's also incumbent on the trainer to to kind of create that. So I think my advice would be to you know look at.
00:30:42 Speaker 3
Partners that can really communicate well but also have the technical background to be able to communicate to, you know, your technical folks, whether you have a, you know, CTO, a chief innovation, you know, so things like that, you need someone that can really get into that depth as well.
00:31:00 Speaker 2
Great. So we often talk about risks, but are there potential opportunities for internal audit to leverage quantum computing and simulations or maybe perhaps in advanced risk modeling?
00:31:13 Speaker 3
Oh yeah.
00:31:13 Speaker 3
So for everyone listening, whether you're in your car or at your house or wherever you are, I want you to raise your hand. If you are getting.
00:31:21 Speaker 3
Less data than your job is the amount of data that you're getting less than you.
00:31:26 Speaker 3
Getting and I think the answer for everybody is no, you're getting more data. Everybody's getting more data and to an extent, you know we some of the artificial intelligence applications can can help with that. But when you really start to scale up and you really start to analyze real intricacies and I am confident that there are a lot of.
00:31:47 Speaker 3
Very serious intricacies in internal audit practices. When you really start to get into that you you actually the the compute that you can run on your traditional computer. You you run out of the ability to kind of compute at that level.
00:32:01 Speaker 3
And so if you're looking at anything that has a large data set and I see, I mean a really large data set.
00:32:08 Speaker 3
And is.
00:32:09 Speaker 3
Incredibly, incredibly complex. That's a place where you're going to be able to implement quantum computing. So let me give you some examples from outside of internal audit.
00:32:20 Speaker 3
So, for example, pharmaceutical research where there are so many different variables and and combinations of things and how it might affect you know you different than me, that's different than other people.
00:32:33 Speaker 3
Well.
00:32:35 Speaker 3
That those intricacies and and those interdependencies and things like that are are things that we we can't do with traditional computing.
00:32:42 Speaker 3
But we could do to great effect with a quantum computer. Another one is complex global supply chains, so much incredible complexity within these supply chains.
00:32:55 Speaker 3
But you could actually analyze run simulations on a quantum computer. That would give you insights that you could never get close to.
00:33:04 Speaker 3
And then you know another one that's, you know, I I think is personally really.
00:33:08 Speaker 3
Interesting.
00:33:08 Speaker 3
Is you can't actually simulate a quantum system, not a quantum computer. I'm talking about an actual like a quantum level particle system on a classical computer. You need a quantum computer to do that. So that is that's another place where, you know, there's.
00:33:24 Speaker 3
There's really real opportunities. And then the last one that I think is is also really interesting is.
00:33:29 Speaker 3
Folks might have heard of used random number generators.
00:33:34 Speaker 3
Well, there's no such thing as a random number generator in a traditional or classical computer, because if you watch it long enough, you can figure out what the repeat pattern is. But you can get actual true random number generation using a quantum computer because of quantum states because of superposition and a lot of other reasons. But that's a really important.
00:33:55 Speaker 3
Concept as well, so hopefully that gives an idea of.
00:33:58 Speaker 3
The types of problems that you would not normally approach with a classical computer that might actually be accessible to you with a quantum computer, and I would of course leave it to the internal audit experts to figure out what those exact use cases are.
00:34:11 Speaker 2
Very, very informative. So this will be I think this be our last.
00:34:14 Speaker 2
Question.
00:34:16 Speaker 2
So let's fast-forward five years, we're five years in the future.
00:34:20 Speaker 2
What's the the quantum aware internal audit function look like? What are we using quantum computing for? You know what? What? What does the future look like for us?
00:34:30 Speaker 3
Well, my first hope for the quantum computing or for the for the internal audit function is that I can continue to come and contribute because this is a great time and I always appreciate being able to to speak to you and to your audience. But second, what I hope is that, you know, internal audit can be one of the industries that.
00:34:51 Speaker 3
Does not walk toward an unforced error, and that's that's kind of what's happening right now. And and people might think that that's alarmist and.
00:34:59 Speaker 3
But we have a finite amount of time to get the cryptographic transition done, and it's shorter than people think it is. And what I hope is that if we can get the message across and we can show people that there are really kind of inexpensive ways to at least get the preparation.
00:35:19 Speaker 3
One so the inventory, the training, you know, asking the questions of the vendors.
00:35:25 Speaker 3
This is all.
00:35:26 Speaker 3
Stuff that is really accessible for most most organizations, but the preparation value of that is so much more than any kind of investment you might make because.
00:35:37 Speaker 3
Day one here is not, you know, once the once, once a quantum computer is online, that's not day one. Day one was August 14th, right? August 13th is when the, is when the algorithms were announced. Day one was August 14th and so that's where the count, that's where the countdown started, so.
00:35:57 Speaker 3
I'll kind of go back to where we were. We were at the top where?
00:36:00 Speaker 3
You asked me what what had changed since the last time you've been here and my response was.
00:36:05 Speaker 3
What has the internal audit done since the last time I was here?
00:36:09 Speaker 3
And I'm not asking that to be flippant. I'm. I'm asking that because.
00:36:12 Speaker 3
There's a there's a limited amount of time and we do have to be ready to make these changes to to at least do the preparation so that when there are products out there available.
00:36:24 Speaker 3
People's internal audit moves toward those products and is safe, so that's that's my first wish for internal audit. My second wish is that across the board, internal audit brings up kind of the floor of quantum knowledge and accessibility and takes that seriously because I think a lot of the best use cases are going to come from.
00:36:44 Speaker 3
That workforce, but that only happens.
00:36:47 Speaker 3
If they know what they're looking at or what they're supposed to be thinking about, and so I would love to see internal audit as not only a real kind of bastion of security in the quantum space, given the sensitivity of information that you all deal with, but also to be.
00:37:07 Speaker 3
Kind of early adopters because we can all find ways to be more efficient and to and to find new insights and things like that. And I think that, you know, you all would probably agree that your job is, you know, complex enough data rich enough that you could really find some interesting use.
00:37:21 Speaker 3
Places, and I think that is where I would love to see the industry in five years.
00:37:28 Speaker 2
So.
00:37:29 Speaker 2
Great conversation. Really. Really. Thank you, Nick. I really appreciate your time and you know I look forward to us talking again in the future or about more about quantum computing.
00:37:39 Speaker 3
I really appreciate being here and let's make sure that that next conversation is after my next anniversary so I can tell you what I got my wife this year.
00:37:46 Speaker 2
Oh, I can't wait to hear that.
00:37:48 Speaker 3
Thanks, Bill.
00:37:50 Speaker 1
Want fresh ideas and real takeaways for your GRC role? Join the 2025 GRC conference from August 18th to the 20th in New York or virtually. Packed with informative sessions and useful tools, the conference offers up to 24 CPEs. Snag your spot now with theia.org.
00:38:11 Speaker 1
If you like this podcast, please subscribe and rate us. You can subscribe wherever you get your podcasts. You can also catch other episodes on YouTube or at theia.org. That's theia.org.