As quantum computing advances from theoretical research to practical applications, Chief Information Security Officers (CISOs) across the ASEAN region face an unprecedented cryptographic challenge. The established public-key infrastructure that secures today’s digital communications will become vulnerable once large-scale quantum computers become operational—an eventuality that experts now measure in years, not decades. This ‘harvest now, decrypt later’ threat means adversaries are already collecting encrypted data, anticipating the day when quantum capabilities will break current cryptographic protections.
For ASEAN organizations—spanning Singapore’s financial hub to Indonesia’s burgeoning digital economy and Vietnam’s manufacturing sector—the imperative to migrate to post-quantum cryptography (PQC) represents both a technical challenge and a strategic opportunity. The region’s digital economy, projected to reach $1 trillion by 2030, hinges on maintaining secure digital infrastructure even as quantum computing reshapes the threat landscape.
This blueprint offers ASEAN CISOs a comprehensive framework for navigating the complex transition to quantum-resistant cryptography. We’ll explore regional regulatory considerations, practical implementation timelines, and strategic approaches that balance security needs with operational realities—equipping security leaders with actionable insights to protect their organizations in the coming quantum era.
Quantum computers pose an unprecedented threat to current cryptographic systems. The ‘harvest now, decrypt later’ strategy means adversaries are already collecting encrypted data for future decryption when quantum capabilities mature.
A phased approach to PQC implementation
→ Performance implications requiring acceleration strategies
→ Limited regional expertise necessitating capability investments
→ Supply chain complexity requiring enhanced vendor management
→ Operational disruption risks managed through phased deployments
CSA & MAS leading with quantum-aware critical infrastructure requirements
NACSA incorporating quantum readiness in security frameworks
Cybersecurity Act developing sector-specific cryptographic requirements
BSSN emphasizing sovereign technology development approaches
Prepare your organization for the quantum era at:
Singapore • September 23-25, 2025
Practical workshops & expert-led sessions on post-quantum implementation
Post-quantum cryptography encompasses cryptographic algorithms designed to withstand attacks from both conventional and quantum computers. Unlike today’s widely deployed algorithms such as RSA and Elliptic Curve Cryptography (ECC), which rely on mathematical problems that quantum computers can solve efficiently using Shor’s algorithm, PQC alternatives use computational problems that remain difficult even for quantum systems.
The U.S. National Institute of Standards and Technology (NIST) has led global standardization efforts, recently selecting a portfolio of quantum-resistant algorithms. The primary candidates include lattice-based cryptography (CRYSTALS-Kyber for key encapsulation), hash-based signatures (SPHINCS+), and structured lattices (CRYSTALS-Dilithium for digital signatures). These algorithms represent different approaches to achieving quantum resistance while maintaining reasonable performance characteristics.
For ASEAN CISOs, understanding these algorithms’ implications goes beyond cryptography theory. The transition affects every layer of the security stack—from hardware security modules and VPNs to digital certificates and secure messaging. The migration requires not just new algorithms, but new ways of thinking about cryptographic implementation, key management, and the balance between security and operational performance.
Importantly, post-quantum migrations aren’t merely technical upgrades but require strategic business alignment. Security leaders must articulate how quantum threats connect to business risks while balancing immediate security needs against the substantial resource investments that post-quantum readiness demands. This challenge is particularly acute in the diverse ASEAN technology landscape, where organizations operate varying levels of legacy infrastructure alongside cutting-edge systems.
The ASEAN region presents unique considerations when addressing quantum computing threats. As a global manufacturing hub, technology development center, and financial nexus, the region faces multi-faceted quantum security challenges:
Singapore, as ASEAN’s financial and technological leader, manages vast quantities of sensitive financial data protected by current public key infrastructure. Its position as a global financial hub makes its institutions prime targets for sophisticated threat actors employing harvest-now-decrypt-later strategies. The Monetary Authority of Singapore has already begun addressing quantum risks in its technology risk management guidelines, signaling regulatory movement that will likely influence regional standards.
Malaysia and Thailand, with rapidly digitalizing economies and significant manufacturing sectors, face supply chain cryptography challenges. As manufacturing becomes increasingly connected through IoT and digital twins, quantum vulnerabilities in industrial systems create potential risks to operational technology environments previously isolated from traditional cyber threats.
Indonesia, the region’s largest economy with over 270 million citizens, faces scale challenges in any cryptographic transition. Its rapidly expanding digital economy, heavily dependent on mobile and online banking, means quantum vulnerabilities potentially affect millions of digital transactions daily across thousands of islands.
Vietnam and the Philippines, with their growing technology outsourcing sectors, manage valuable intellectual property that requires long-term protection. Data with multi-decade confidentiality requirements faces particular risk from quantum decryption capabilities.
Across all ASEAN nations, overlapping regulatory frameworks add complexity to PQC implementations. Organizations must navigate national cybersecurity requirements, sector-specific regulations, and international standards simultaneously. This regulatory complexity demands strategic planning that places compliance considerations at the core of PQC roadmaps.
Post-quantum migration isn’t a single project but a multi-year journey that requires careful planning and phased implementation. For ASEAN CISOs, we recommend structuring this journey across four strategic phases, each with specific objectives and deliverables:
The foundation of effective PQC migration is comprehensive discovery of cryptographic assets and dependencies. ASEAN organizations should begin by:
Creating a cryptographic inventory that identifies all instances of vulnerable algorithms across the enterprise. This includes applications, infrastructure, third-party systems, hardware security modules, and cryptographic libraries. The inventory should classify assets based on risk factors including data sensitivity, expected protection lifetime, and system exposure.
Conducting impact assessments to determine how post-quantum algorithms will affect system performance, compatibility, and user experience. This is particularly important in ASEAN contexts where bandwidth constraints or legacy systems may struggle with the increased computational demands of some PQC algorithms.
Developing a prioritization framework that identifies critical systems requiring early migration. Financial transaction systems, identity infrastructure, and long-term data storage typically demand priority attention.
Engaging with regulators and industry groups within the ASEAN context. Singapore-based organizations should align with MAS guidance, while organizations operating across multiple ASEAN jurisdictions should map regulatory requirements across countries to ensure compliance planning is incorporated from the start.
Before implementing specific post-quantum algorithms, organizations need cryptographic flexibility to manage transitions smoothly. This phase focuses on:
Developing crypto-agility capabilities that decouple cryptographic implementations from applications. This architectural approach enables organizations to swap algorithms without major system changes, creating essential flexibility for both the current transition and future cryptographic evolutions.
Implementing hybrid cryptographic approaches that combine classical and post-quantum algorithms. This provides defense-in-depth by ensuring systems remain secure even if vulnerabilities are discovered in emerging PQC standards.
Creating test environments that allow security teams to validate PQC implementations before production deployment. These environments should simulate the diversity of the ASEAN technology landscape, including various mobile platforms common in Southeast Asian markets.
Beginning education and awareness programs for development teams, focusing on secure implementation practices for post-quantum algorithms. This knowledge-building is particularly important in ASEAN’s dynamic technology talent marketplace, where competition for specialized security skills is intense.
With foundations established, organizations can begin the systematic implementation of post-quantum algorithms:
Starting with lower-risk, internally-facing systems to gain implementation experience before addressing customer-facing applications. This approach allows teams to develop expertise while minimizing potential disruption to critical business operations.
Implementing NIST-approved algorithms as they reach final standardization, beginning with key encapsulation mechanisms and digital signatures. Priority should be given to systems protecting data with long-term security requirements.
Coordinating with vendors and partners across the ASEAN ecosystem to ensure compatible implementations. This ecosystem approach is particularly important given the interconnected nature of digital services across Southeast Asian economies.
Developing fallback mechanisms that can rapidly revert to previous cryptographic implementations if problems arise. These safety systems are essential risk management tools during the transition period.
The final phase establishes ongoing governance to maintain quantum resistance:
Implementing continuous cryptographic monitoring to identify algorithm implementations that may have been missed during initial assessment phases. Organizations should establish cryptographic visibility across all environments, including cloud deployments increasingly common in ASEAN’s digital transformation initiatives.
Developing compliance validation frameworks that document post-quantum readiness for regulators across ASEAN jurisdictions. These frameworks should align with emerging standards from influential bodies such as the Cyber Security Agency of Singapore (CSA) and Bank Negara Malaysia.
Creating ongoing cryptographic governance processes that keep organizations aligned with evolving standards. This includes regular reviews of cryptographic implementations and clear policies for algorithm selection and deprecation.
Engaging with regional cybersecurity initiatives such as the ASEAN-Singapore Cybersecurity Centre of Excellence to share implementation experiences and contribute to regional resilience against quantum threats.
ASEAN’s regulatory environment for cybersecurity and cryptography is evolving rapidly, with important implications for post-quantum migration planning:
Singapore’s approach, led by the Cyber Security Agency and Monetary Authority of Singapore, increasingly recognizes quantum risks in critical infrastructure protection requirements. The country’s Cybersecurity Act and Technology Risk Management Guidelines now include considerations that will necessitate quantum-resistant controls for designated Critical Information Infrastructure (CII) operators.
Malaysia’s National Cyber Security Agency (NACSA) has begun incorporating quantum readiness in its security assessment frameworks, particularly for financial institutions and government systems. Organizations operating in Malaysia should monitor NACSA guidance as PQC standards evolve.
Thailand’s Cybersecurity Act implementation continues to develop sector-specific requirements that will eventually include cryptographic standards. Organizations in regulated industries should anticipate requirements for cryptographic inventory and transition planning.
Indonesia’s approach through BSSN (National Cyber and Crypto Agency) places particular emphasis on sovereign technology development, potentially influencing how post-quantum standards are adopted and implemented within its jurisdiction.
Cross-border data flows within ASEAN add complexity to cryptographic implementations. Organizations must consider how encrypted data moving between jurisdictions meets varying regulatory requirements while maintaining interoperability. The ASEAN Framework on Digital Data Governance will increasingly influence these considerations.
Beyond strictly regulatory considerations, ASEAN organizations should also track regional standardization efforts, including work by the Singapore Standards Council and various industry-specific initiatives that may influence PQC adoption timelines and technical approaches.
Post-quantum migration presents several implementation challenges that ASEAN CISOs should proactively address:
Performance implications require careful management. Most post-quantum algorithms involve larger key sizes and more intensive computational requirements than current approaches. This creates particular challenges in environments with limited resources—including IoT deployments in manufacturing contexts and mobile applications that dominate Southeast Asian digital experiences. Organizations should conduct extensive performance testing across representative environments, potentially implementing hardware acceleration where necessary.
Limited regional expertise in post-quantum implementation necessitates investment in capability development. ASEAN organizations should consider establishing centers of excellence for quantum security, potentially in partnership with academic institutions in Singapore, Malaysia, and Thailand that have active quantum research programs.
Supply chain complexity creates significant discovery challenges. Many ASEAN organizations operate in complex digital supply chains where cryptographic implementations may be several layers deep in vendor products. Addressing this requires enhanced vendor management processes that specifically assess quantum readiness among technology providers.
Operational disruption risks must be carefully managed through phased deployments and robust testing. Organizations should implement strong change management protocols that include cryptographic transitions in broader organizational risk assessments.
Budget constraints in a challenging economic environment may limit migration resources. Security leaders should develop business cases that emphasize both risk management and potential competitive advantages from early quantum readiness, particularly in regulated industries where compliance requirements will eventually mandate transitions.
A leading Singapore-based financial institution with operations across ASEAN provides instructive lessons in effective PQC migration planning. The organization began its quantum readiness journey in 2022, well in advance of regulatory requirements:
Their approach began with a comprehensive cryptographic inventory using automated discovery tools supplemented by manual verification. This process identified over 300 distinct cryptographic implementations across their enterprise environment, with approximately 60% using vulnerable algorithms. The discovery process itself took eight months, substantially longer than initially estimated, highlighting the complexity of cryptographic asset management.
The institution established a cross-functional quantum security task force that included not just security personnel but also application owners, compliance specialists, and business stakeholders. This governance approach ensured business alignment throughout the process. The task force developed a risk-based prioritization framework that considered data sensitivity, protection lifetime requirements, and system exposure.
For initial implementation, they focused on their digital certificate infrastructure, implementing hybrid certificates that included both traditional and post-quantum algorithms. This approach maintained compatibility with existing systems while building quantum resistance. Significantly, they also built a cryptographic monitoring capability that continually scans for unauthorized or vulnerable algorithm uses across their environment.
The institution’s approach to regulatory engagement provides particularly valuable lessons. They proactively consulted with the Monetary Authority of Singapore, helping shape the regulator’s understanding of implementation challenges while ensuring their approach would satisfy emerging requirements. This collaborative approach has positioned them favorably as formal guidance evolves.
Their lessons learned emphasized the importance of crypto-agility as a foundational capability and the need for extensive education across technology teams. The institution ultimately created a dedicated cryptographic services team that centralizes expertise and provides implementation guidance across their organization—a model that other ASEAN enterprises might consider.
The transition to post-quantum cryptography represents a defining challenge for ASEAN’s cybersecurity leaders. The region’s digital ambitions—from Singapore’s Smart Nation initiatives to Indonesia’s growing digital economy and Vietnam’s manufacturing innovation—all depend on maintaining cryptographic security in the quantum computing era.
While the timeline for quantum computers capable of breaking current encryption remains uncertain, the need for preparation is immediate. Organizations that begin systematic planning now gain not just security advantages but potential competitive differentiation as quantum readiness becomes a consideration in vendor assessment, regulatory compliance, and customer trust.
For ASEAN CISOs, the path forward requires balanced investment in technical capabilities, organizational processes, and strategic planning. By developing crypto-agility foundations, conducting thorough cryptographic discovery, and implementing phased migration plans, organizations can navigate the transition while managing operational and business impacts.
The quantum security challenge ultimately transcends individual organizations. Regional collaboration—through industry groups, regulatory harmonization, and knowledge sharing—will be essential to building ASEAN’s collective resilience against quantum threats. By working together while implementing organization-specific plans, the region can maintain its digital security even as quantum computing reshapes the technological landscape.
Want to learn more about post-quantum cryptography implementation and connect with leading experts in quantum security? Join us at the World Quantum Summit 2025 in Singapore, September 23-25, 2025, where we’ll feature dedicated sessions on quantum-resistant cryptography with live demonstrations and expert panels.
Register Now Explore Sponsorship
Visit wqs.events for more information.
Comments are closed
World Quantum Summit 2025
Sheraton Towers Singapore
39 Scotts Road, Singapore 228230
23rd - 25th September 2025
