The Time to Kick Off Your PQC Transition is Now, Not Later

By Samantha Mabey, Director of Digital Security Solutions at Entrust

Tech giants like Google, Microsoft, and IBM agree: quantum computing is coming fast – and with it, a new class of security threats. While the full impact of quantum may be years away, organizations that delay planning will find themselves unprepared for a future where today’s encryption standards no longer hold. Future-proofing your cyber resilience strategy means starting your post-quantum cryptography (PQC) transition today – not tomorrow.

The State of Post-Quantum Preparedness

While 61% of organizations say they plan to migrate to PQC within the next five years, only 41% are actively preparing for the transition today. With NIST stating they plan to deprecate RSA and ECC by 2030, completing the migration within that timeframe is essential.

This disconnect between intention and execution is alarming. Even more concerning, a recent ISACA report revealed just 5% of organizations currently have a strategy in place to defend against post-quantum-enabled threats. That means the vast majority remain highly exposed to potential future attacks enabled by quantum computing – even if that impact is still years away.

Too many organizations remain either unmotivated or unprepared, often citing challenges around skills, education, and access to the right technologies. These challenges are also echoed at the national level, with the U.S. Chamber of Commerce recently calling out the urgent need for faster action on quantum technology commercialization, cybersecurity readiness, and workforce development to ensure American competitiveness on the global stage.

While it’s encouraging that security leaders are beginning to consider quantum threats, the gap between awareness and action remains wide and dangerous.

Common Pitfalls in PQC Planning

As organizations embark on their post-quantum journeys, many stumble over the same foundational obstacles.

One of the most common challenges in post-quantum planning is a disconnect between IT and business leadership. CIOs and other security leaders frequently struggle to convey the urgency of PQC transition to their peers and board members. Without clear understanding at the top, initiatives stall or fail to secure the resources they need.

Another key hurdle is the lack of ownership and in-house expertise. Many organizations lack a dedicated person or team to lead a quantum readiness initiative. These issues may seem daunting, but with the right structure and strategic focus, organizations can position themselves to transition successfully – and securely – into a quantum-ready future.

The Missing Piece of an Organization’s Cyber Resilience Strategy

There is no one-size-fits-all approach to PQC migration. But there are certain steps organizations can take to ensure they are on the right track:

• Get started now: CISA, NSA, and NIST are urging organizations to prepare now, with other jurisdictions not far behind.

• Designate a lead: In November 2022, the White House issued a PQC migration memorandum to all heads of executive departments and agencies, tasking them to designate a lead for the collection of cryptographic information within 30 days. This ensures an orderly and organized transition.

• Develop a quantum-readiness roadmap: Once a lead has been designated, CISA encourages organizations to establish a quantum-readiness project team to plan and scope the transition to PQC.

• Perform a cryptographic inventory: The first task for the quantum-readiness project team is to proactively identify all cryptography within their organization, including hardware, software, keys, certificates, and secrets. This inventory provides critical visibility into the cryptographic systems across the organization, helps assess whether the company is crypto-agile enough to implement PQC at scale, and helps prioritize where to start.

• Engage vendors: Ensure your vendors have a PQC-readiness roadmap. This should include everything from new products with PQC built in to legacy products that have a timeline for PQC upgrades.

Conclusion

Cryptography is the cornerstone of modern cybersecurity, and the rise of quantum computing poses a significant risk to that foundation. With the potential for quantum machines to break current encryption methods in just a few years, the time to act is now. Security leaders must begin the process of preparing for PQC – not as a future task but as a critical part of today’s resilience strategy. Those who start early will not only protect their organization from emerging threats but also gain a strategic edge in a rapidly evolving security landscape.
