The Quantum era is fast approaching. Within the next few years to a decade, advances in quantum technology will see the introduction of powerful machines that can break encryption methods (including RSA security encryption), in mere seconds or hours, speeds we’ve never seen before.
By being able to bypass conventional cryptography methods, Quantum also threatens to upend the security infrastructure of our digital economy entirely.
How excited or worried should we be about Quantum computing? What must we change, and how can we leverage Quantum in our cyber security? How, and what are the practical ways we can make Quantum operationally viable?
To answer these questions, iTNews Asia chats with Bernard Soo, Chief Commercial Officer (CCO) of Aires Applied Quantum Technology, a Singapore start-up aiming to strengthen the country’s homegrown quantum capabilities by helping firms upgrade their encryption for the Quantum era.
Soo shares his advice and tips on the opportunities enterprises in our region can leverage from Quantum, discusses how we can overcome issues that may hold back the frontier technology’s deployment and what it will take for Quantum to succeed.
iTNews Asia: In your perspective, what are the existing challenges (holding back Quantum from becoming mainstream)?
Soo: There are five major challenges.
First, hardware maturity: Quantum hardware is progressing, but enterprise-grade deployment still depends on better stability, error correction, reliability, benchmarking and scalability. Many organisations are interested, but the hardware is not yet at the point where most CIOs can treat it like a conventional cloud or data centre resource.
Second, integration: Even though quantum capabilities become available through cloud or specialist platforms, enterprises still need to connect them to existing applications, data pipelines, identity systems, security controls, governance processes and compliance frameworks. This “last mile” is usually underestimated.
Third, talent: Quantum adoption is not just about hiring physicists. Enterprises need people who can bridge quantum concepts with cybersecurity, enterprise architecture, cloud, software engineering, compliance and business operations. Quantum talent is not only a skills issue, but a strategic one because quantum companies are competing with adjacent sectors like AI, semiconductors, aerospace and advanced computing.
Fourth, unclear ROI: Many leaders believe quantum is strategically important, but struggle to identify near-term use cases with measurable outcomes. This is why pilots often stall. If a pilot is not linked to a real business problem, a clear success metric and a path to scaling, it becomes a science project rather than an enterprise investment.
Fifth, security migration is complex: Post-quantum Cryptography (PQC) migration is not a simple product upgrade. It requires cryptographic discovery, asset prioritisation, vendor coordination, testing, performance evaluation, compliance alignment and phased implementation. Our 2026 report found that 57 percent of respondents rated their PQC readiness as low, which shows a gap between awareness and operational preparedness.
iTNews Asia: How are these issues being addressed or corrected? For instance, if you’re a CIO looking at Quantum, how or where can you start?
Soo: A practical starting point is not to buy a quantum computer. It is to identify where quantum affects your existing technology roadmap.
I would suggest four steps.
- Build a cryptographic inventory. Most enterprises do not have full visibility of where encryption is used. It sits inside applications, databases, APIs, certificates, identity systems, VPNs, endpoints, backups, IoT devices, payment systems and third-party services. Without that inventory, it is impossible to plan PQC migration properly.
- Classify data by lifespan and sensitivity. Not all data requires the same level of urgency. The priority should be data that must remain confidential for many years: financial records, health records, government data, intellectual property, customer identity data, defence-related information, legal records and critical infrastructure data. If the data has long-term value, it is exposed.
- Design for crypto-agility. CIOs should avoid locking themselves into architectures where cryptography is hard-coded, difficult to replace or dependent on a single vendor path. Crypto-agility means being able to swap, layer or update cryptographic methods without rewriting the entire environment.
- Start with contained but scalable deployments. A good starting point is not necessarily the whole enterprise. It could be a high-value workflow, a sensitive data store, a regulated business unit, supplier-facing systems, or a specific class of long-lived data.
The pilot should be designed from day one with the question: “What would it take to scale this?”
This is how CIOs can justify their investment. It is not about ‘joining the quantum trend’, but reducing future migration risk, avoiding rushed compliance deadlines, protecting long-lived data, and building security architecture that can adapt as standards and threats evolve.
- Bernard Soo, Chief Commercial Officer (CCO) of Aires Applied Quantum Technology.
For sure there are challenges, but there are ways to overcome it by bypassing some of the capital-intensive stages. We have built an entire business on quantum safe software-based applications that are not dependent on capital-intensive hardware. It works in the simple tap of a button, but provides a high level of security against quantum threats. The idea is to co-exist with existing solutions rather than trying to replace them.
iTNews Asia: What are the opportunities here in APAC? From an enterprise perspective, how should organisations think about quantum readiness as part of current cybersecurity architecture, rather than a future upgrade? Are there any examples you can share?
Soo: APAC has a strong opportunity because many organisations in the region are still modernising their digital infrastructure. That creates a window to build quantum-safe thinking into current architecture, rather than bolting it on later.
For CIOs, quantum readiness should sit inside their cybersecurity roadmap, connected to these key areas:
· Data classification
· Identity and access management
· Cloud security
· Endpoint security
· Secure file sharing
· API security
· Vendor risk management
· Compliance and audit
· Business continuity
· Supply chain security
They are especially relevant in APAC because many companies operate inside larger regional or global supply chains. Even if a smaller company is not directly regulated today, it may soon face stronger requirements from enterprise customers, banks, government-linked organisations or multinational partners.
One of our customers, Asia Technical Gas (ATG), is an industrial gas manufacturer whose end users are in shipbuilding, offshore engineering and semiconductor-related sectors. Larger enterprise customers are raising expectations around data security and eventually quantum-safe protocols. ATG is taking a proactive approach to encryption and quantum-resistant future-proofing rather than waiting for requirements to become mandatory.
iTNews Asia: What does it take to integrate quantum-safe capabilities into existing systems without adding complexity?
Soo: The key is to avoid treating quantum-safe security as a separate layer that sits outside normal IT operations.
For enterprise adoption, quantum-safe capabilities need to be delivered through familiar integration points: APIs, SDKs, agents, endpoint applications, cloud connectors and workflow-level encryption. They should work with existing environments such as email, file storage, databases, HRMS, CRM, payroll systems, cloud platforms and mobile devices.
It should feel boring to the enterprise user - plugged into existing workflows, protect the right data, and give IT teams control without forcing a full rebuild.
CIOs already have too much complexity, adding another security tool that creates operational overhead, breaks workflows or requires a specialised quantum team to maintain it.
iTNews Asia: You’ve mentioned that pilots often stall. How can enterprises avoid the ‘pilot trap’ and move toward scalable deployment with measurable outcomes?
Soo: The ‘pilot trap’ happens when quantum is treated as an innovation experiment rather than an operational programme, like what we did with AI in the early stages.
Rather, we need to pilot it against the business as a whole.
Key questions to ask include “What risk or business problem are we solving?” For PQC, this could be long-lived data exposure, regulatory readiness, customer trust, supplier requirements or protection of sensitive files.
“What is the measurable success metric?” This could include the percentage of sensitive data protected, reduction in unencrypted file transfers, number of systems assessed for cryptographic exposure, integration time, latency impact, user adoption, or compliance readiness
We also need to ask, “What does this need to integrate with?” The pilot must consider our existing systems and operational workflows; and “What is the path to scaling?”, if the pilot works, the next step is identifying which business units, data sets, regions or systems come next.
As an example, we can look into what Asia Technical Gas is doing. The point is not simply that they are “trying PQC”, rather they are using it as part of a broader security upgrade to meet current data protection needs and prepare for future quantum-related expectations in enterprise supply chains, especially in the volatile trade environment we are experiencing currently.
iTNews Asia: What are the next steps to Quantum? Will there be a ready ecosystem?
Soo: A ready ecosystem needs six things:
- Standards and governance: Enterprises need clarity on migration timelines, accepted algorithms, procurement expectations, audit requirements and risk frameworks
- Integration pathways: Quantum cannot remain a lab or cloud-demo environment. It needs to connect into enterprise architecture, cloud platforms, security operations, data environments and business applications.
- Talent pool: The market needs more people who can translate quantum into enterprise action: quantum-aware cybersecurity professionals, architects, developers, compliance leaders and risk teams.
- Commercial use cases: Visible results of how quantum solves defined problems better, faster, more securely or more efficiently.
- Vendor diversity and interoperability: CIOs will not want to depend on one vendor, one algorithmic family, or one infrastructure path. The ecosystem needs room for standards-based approaches, complementary proprietary layers, software-led models and hardware-led models.
- Sovereign and regional capability: This is particularly important for Singapore and Southeast Asia. As quantum becomes more strategic, countries and enterprises will care about where IP is developed, how dependent they are on foreign-controlled technologies, and whether they have local companies capable of commercial delivery.
iTNews Asia: Going forward, what do you feel will be key to Quantum’s success?
Soo: For me, the most important factor is whether quantum becomes operationally usable for enterprises.
The science is advancing, but the ecosystem will only work if CIOs, CISOs, architects, vendors, regulators and business leaders can translate it into real deployment.
What could delay the ecosystem is not just hardware. It is the surrounding readiness gap with unclear ROIs, limited talent, integration complexity, fragmented standards, procurement hesitation and the tendency to stop at pilots, which has happened with many frontier technologies before.
Geopolitics and export controls may also shape access to talent, hardware and partnerships, so enterprises need to treat quantum strategy as part of technology resilience, not just innovation planning.
What will accelerate the ecosystem is practical adoption, i.e. starting with areas where the need is already clear. Cybersecurity is one of them. Post-quantum cryptography is not dependent on waiting for a future quantum breakthrough, but a transition organisation can begin preparing for now.
My advice to CIOs is to start with visibility. Know where cryptography sits in your organisation, know which data must remain protected for years, and build crypto-agility into your architecture.
Quantum readiness should not be seen as a future upgrade. It should become part of how enterprises design a secure and resilient infrastructure today.
