While at the RSA Conference in April, the agenda and talk in the expo halls was abuzz with artificial intelligence. Yet by June, when I attended Gartner’s Security and Risk Management Summit, the focus was much different. The dominant theme was Post-Quantum Cryptography (PQC).
No doubt, the progress of quantum computing has accelerated. Late in 2024, Google reported details about Willow. This 105-qubit chip ran a benchmark computation in under five minutes. By comparison, it would have taken a classical supercomputer more than ten septillion years to carry out. That’s not a typo.
Then in mid-June, IBM announced Starling, which is expected to process 200 logical qubits and perform around 100 million quantum gates—orders of magnitude beyond today’s quantum systems. IBM plans to launch the system in 2029.
Around the same time, Microsoft unveiled Majorana 1. It is the first quantum processor powered by its “Topological Core” architecture and is built on novel topoconductors that harness zero modes to produce intrinsically error‑resistant qubits. This breakthrough paves a path to scaling systems with millions of qubits.
AES 256 symmetric algorithms are relatively safe in the near-term future as long as we use large keys.However, cryptographic standards like RSA and ECC are vulnerable, and this poses serious implications for sectors like healthcare, finance, and government where data is sensitive and must be secured for long periodsof time. Delaying action is no longer an option.
The Realities of PQC
In the quantum computing community, the term “Q-Day” (also known as Y2Q or Q‑Date) marks a critical threshold: the moment when quantum machines become powerful enough to crack today’s standard public-key cryptography. Last year, the consensus was that this might be 15 years off. But as progress in quantum hardware and algorithms continues to accelerate, some researchers now believe that window has narrowed significantly—to as little as 5 to 7 years.
The compression of the timeline is certainly worrisome, particularly in light of a tactic known as “harvest now, decrypt later.” This is where attackers siphon off encrypted data today and then archive it. The expectation is that future quantum capabilities will allow for unlocking the contents.
The defense against this looming threat lies in a complex but necessary shift to PQC—a new class of algorithms designed to withstand quantum attacks. But retrofitting our digital infrastructure for a quantum-resilient future is no small feat. It means rethinking and upgrading encryption protocols across systems, networks, and devices. Just as importantly, it requires building in crypto-agility. This is the ability to pivot quickly, adapt. and implement when new cryptographic standards emerge or when flaws in current ones are discovered.
Essential Steps to Prepare for a Quantum-Secure Tomorrow
Enterprises that fail to act now may find themselves scrambling to respond when Q-Day arrives. For those looking to get ahead of the curve, the following roadmap outlines the steps organizations should be taking today to prepare for a quantum-secure tomorrow.
Inventorying Assets
An enterprise needs to inventory servers, endpoints, and cloud applications, along with keys, certificates, algorithms, libraries, and protocols. But there also needs to be an understanding of how everything fits together—that is, how cryptographic elements support specific processes, how data flows through various systems, and where those systems intersect. In today’s enterprise environments, that’s no small feat. Years of digital transformation, layered with SaaS adoption and third-party integrations, have left most organizations with a patchwork of technologies.
Once those interdependencies are clarified, teams can begin to prioritize. Which systems are mission-critical? Which data must remain protected at all costs? Defining a baseline of essential business functions helps set a minimum viability threshold—what must stay operational and secure, even in the face of cryptographic disruption. This, in turn, informs which cryptographic assets should be addressed first.
Understanding Vendor Roadmaps
PQC impacts a vast ecosystem of vendors, each with their own approaches and timelines. This is why there must be in-depth assessments of their current capabilities and roadmaps. What cryptographic standards are your vendors focused on? When do they plan to implement quantum-resistant algorithms? Are they engaged in relevant industry coalitions or certification efforts?
This kind of vendor due diligence does more than inform procurement decisions—it helps shape an organization’s broader PQC strategy.
Training & Reskilling
Given the complexities of quantum computing, there is a need for IT and security professionals to change their mindset. This requires investing in quantum education, which will allow teams to better identify vulnerabilities and understand how systems can be transformed. Skill sets that align with the crypto-agility of an organization is a key requirement.
Leveraging Standards
Anchoring your strategy to established frameworks is critical. NIST’s PQC suite—now formalized under FIPS 203 through 205—and the NSA’s Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) provide a well-defined foundation. More than just compliance guides, these standards support crypto-agility.
This is especially important given the performance trade-offs that come with the new quantum-resistant algorithms. Larger key sizes and signature lengths can strain system resources, affecting everything from network performance to the responsiveness of constrained devices, like those in IoT environments, and even impact the storage consumption compared to the sizes of traditional systems for storing metadata such as signatures and key materials.
This is where standards-driven design pays dividends. Embracing modular cryptographic libraries and hybrid protocols—those that combine classical and quantum-safe methods—enables organizations to optimize forboth resilience and efficiency. By building in flexibility from the start, you position your infrastructure to evolve without expensive overhauls.
The Time to Act is Now
Quantum computing is no longer speculation. For enterprises, they need to inventory assets and map the dependencies, evaluate vendors, invest in training and reskilling, and align with evolving standards. The transition to PQC won’t happen overnight—but the time to act is now. Because when Q-Day arrives, the organizations that planned ahead will be the ones that stay secure.
