By Dr. Michele Mosca
March 24, 2026

Post-quantum cybersecurity is often framed as a future problem. That’s been outdated for years — and it’s already led to an accumulation of cryptographic risk that cannot be reversed. The best organizations can hope for is to limit the impacts going forward.
Cryptography underpins how systems establish trust, validate software, and maintain operational integrity. If it fails, those systems don’t degrade gracefully. They fail in ways that are difficult to detect and even harder to recover from.
A quantum-enabled cryptographic failure would not only compromise the confidentiality of information but also affect authentication, software integrity and system trust. That means the risk is not limited to data exposure: it could include forged software updates, compromised identities, and loss of control in connected and AI-driven systems.
Post-quantum risk is not a future event. It is an accumulating condition that’s building today. And every day that organizations delay taking action increases their exposure and reduces the time available for a safe and controlled transition.
Part of the risk comes from adversarial strategies such as “harvest now, decrypt later” (HNDL), where encrypted data stolen today can be decrypted once quantum capabilities mature. But that is only one component.
More broadly, risk accumulates because data often outlives its protection, and the cryptographic mechanisms embedded in systems are long-lived, deeply integrated, and slow to change. Systems being deployed today will still be operating when post-quantum threats materialize, making today’s design decisions tomorrow’s vulnerabilities.
Breakthroughs rarely arrive on predictable schedules. And when they do arrive, they tend to have immediate and asymmetric impacts.
While timelines for cryptographically relevant quantum computing remain uncertain, a few cold, hard facts are crystal clear. First, transitioning to quantum-safe cryptography will take years. Second, the systems and data being deployed today will still matter when that transition is required.
In risk-management terms, uncertainty increases urgency. It does not justify delay.
Because post-quantum risk accumulates over time, it has two compounding effects:
• Increased exposure: Sensitive data, identities, and systems become progressively more vulnerable as data outlives its protection and deployed cryptography remains in use.
• Eroded ability to migrate safely: Cryptographic mechanisms are deeply embedded, long-lived, and slow to change, reducing the time and flexibility for a controlled, orderly transition.
In other words, delay not only increases risk but also reduces the ability to manage that risk effectively. Organizations that wait may think they’re avoiding disruption, but really they’re just giving up the conditions required to navigate it safely.
Governments and standards bodies are already signaling the need for action. NIST published its first post-quantum cryptography standards in 2024, with more to come. Protocol standards such as hybrid TLS are evolving, and many national strategies target migration completion by the early-to-mid 2030s.
These timelines are not safety guarantees. They are estimates of how long migration will take. If quantum capabilities arrive sooner, even organizations that are “on schedule” may face significant exposure. Those that have not yet begun may find themselves without a viable path to respond in time.
Responsibility for post-quantum security is broad: enterprises, governments, and critical infrastructure operators all have a role to play.
Early action is especially critical for protocol bodies, software platforms, and infrastructure providers, given their foundational role in the ecosystem.
The priority is not to complete migration immediately, but to begin it deliberately: gaining visibility into cryptographic dependencies and enabling appropriate crypto-agility where change is necessary, feasible, and risk-justified. The right forms of defence-in-depth need to be introduced where cryptographic failure would create unacceptable risk.
This is not about maximizing agility everywhere or deploying redundant controls indiscriminately. It is about making targeted, risk-informed decisions so that systems can adapt where needed and remain robust where change is hardest.
Done well, this is an opportunity to build long-term cryptographic resilience, balancing agility, stability, and security in a way that reflects real operational constraints.
Most organizations have already begun exploring post-quantum risk. The priority now is to accelerate—turning early assessments and pilots into coordinated, risk-driven action.
Those that move decisively retain control over their transition. Those that don’t risk being forced into it under time pressure, with higher costs and greater operational risk.
If you’d like to discuss practical approaches to post-quantum migration, we’ll be onsite at RSAC in San Francisco from March 23 to 26. I’ll be delivering the keynote at Thales’ PQC Palooza on March 25 at 5 PM PDT and will be part of the “Evolving PKI: Trust Models for the Quantum Era” panel on March 26 at 10:50 AM PDT.