The danger to cryptography posed by next-generation large-scale, fault-tolerant quantum computers is widely understood. Although current encryption methods, which are used to secure everything from banking to communications, are based on mathematical algorithms that the everyday PC is unable to crack, a new era of incredibly fast quantum computers is just a few years away, poised to revolutionize problem-solving, communication, and computation.
Modern cryptography relies on algorithms specifically designed to be as difficult to break as possible. For instance, today’s public key algorithms—such as RSA, Diffie-Hellman, and Elliptic Curve—are used to help communicating parties establish cryptographic keys or to generate and verify digital signatures.
However, many experts worry that fully functional quantum machines could also render even the most robust encryption obsolete, potentially disrupting the internet as we know it. For this reason, shifting to post-quantum cryptography (PQC) will help organizations stay one step ahead of this threat by adopting quantum-resistant algorithms before would-be attackers can exploit weaknesses.
In essence, PQC is an initiative that acknowledges the risks posed by current algorithms, the goal of which is to develop new algorithms based on structures that cannot be easily processed by quantum computers.
Ten Years Away
With this in mind, the National Cyber Security Centre (NCSC), has published new guidance that outlines a three-phase timeline for businesses to transition to quantum-resistant encryption methods by 2035.
Analyst Forrester believes that the commercial availability of quantum computers that could crack traditional asymmetric cryptography is still five to ten years away, but security and risk (S&R) practitioners need to assess and prepare for that eventuality now.
Quantum security should consist of several technologies, says Forrester. These include post-quantum or quantum-computing-resistant key exchange, digital signatures, key generation and management, cryptographic algorithm discovery and inventory, certificate management, cryptographic algorithm change management (cryptoagility), and quantum key distribution.
A Conservative Estimate
Casey Ellis, Founder of Bugcrowd, argues that Forrester’s five to ten-year estimate is conservative. “Recent advancements, like Microsoft’s scalable qubit breakthroughs, suggest the timeline could shrink, especially with nation-state investment accelerating progress. The uncertainty itself, combined with the “all or nothing” threat model associated with Q-day, is a reason to act now.
Implementing QRC is a cybersecurity problem that suffers from a unique case of the “Chicken Little” problem, adds Ellis. Although most systemic changes in support of cyber resilience happen in response to a major incident of some sort, the challenge is that post-quantum is an all-or-nothing thing.
“Pragmatically, the “harvest now, decrypt later” threat is real. Adversaries are already stockpiling encrypted data, knowing it will become readable once quantum decryption is viable. Sensitive information—like state secrets, intellectual property, or long-term financial data—retains value well beyond a decade. Waiting to adapt is a gamble with potentially catastrophic consequences,” says Ellis.
Awareness, Cost, Complexity
Quantum will force firms to embrace cryptoagility—essentially, the ability to swap out cryptographic algorithms quickly and efficiently. People write algorithms and software, and just as cryptographic algorithms seen as unbreakable 30 years ago have since been found to be flawed, it’s reasonable to assume that this trend will exist in QRC algorithms, too. “This isn’t just a quantum problem, it’s a broader resilience strategy. The shift to post-quantum cryptography (PQC) will highlight the importance of flexible, automated cryptographic management systems,” says Ellis.
He believes the biggest hurdles are awareness, cost, and complexity. “Many organizations underestimate the threat or lack the resources to inventory and update their cryptographic infrastructure. Standards bodies like NIST are making progress with PQC algorithms, but adoption will require significant investment and coordination. In the short term, quantum readiness builds trust with customers and partners. Medium-term, it reduces the risk of catastrophic breaches. Long-term, it ensures operational continuity in a post-quantum world. The cost of inaction far outweighs the investment in preparation.”
Take Inventory of Cryptographic Assets
This guidance is very similar to what has been said by others, comments Jason Soroko, Senior Fellow at Sectigo. “Taking inventory of your cryptographic assets is a critical step. You cannot manage what you don’t know you have. Part of this inventory also needs to be the most important secrets that you are transmitting over an encrypted session using RSA or ECC cryptographic algorithms. That ensures that you know how to prioritize your mitigation strategy. All of the above will require a top-down driven approach that will need a cross-disciplinary team. In other words, we require the C-Level risk owners to drive this work to completion, and it will take more than just your technical people to solve it.”
Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck, says developing a quantum-resilient cryptographic strategy requires holders of data to understand how the data they’ve collected or been entrusted with is accessed, stored, managed, and modified. “Since the starting point is an inventory of systems that interact with data and the cryptographic operations those systems perform, organizations should identify whether cryptographic operations occur within software their team authored, systems or devices that were procured, or software from third parties – including open-source and AI-generated code, or via contracted development. Once this segmentation occurs, the organization can determine who is responsible for addressing each instance of cryptographic use and triage their efforts to prepare for a quantum-resilient future.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.