Cyber leaders must prepare quantum security now, research finds

FlyD via Unsplash
It is estimated that commercial availability of quantum computers capable of compromising conventional asymmetric cryptography is five to 10 years away. Nevertheless, a new report asserts that security and risk professionals must prepare for it in the present.
According to the report, quantum security consists of a range of technologies, such as:
- Post-quantum or quantum-computing-resistant key exchange
- Digital signatures
- Cryptographic algorithm discovery and inventory
- Cryptographic algorithm change management (cryptoagility)
- Key generation and management
- Quantum key distribution
- Certificate management
The report also suggests that quantum computing will affect all types of security, including authentication, data encryption and digital signatures, certificate and key management, and transport layer security and secure communications.
Below, security leaders share their thoughts on the report as well as the state of quantum computing.
Security leaders weigh in
Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck:
The promise of quantum computing to decrypt harvested data may become a reality, but the value that an attacker might get from older harvested data is only justifiable for the most valuable and targeted data. This is one reason why various governments have quantum resilient efforts underway rather than “quantum proof” solutions. Since we are talking about a future state for cryptographic capabilities in applications, performing a risk assessment focused on cryptographic usage within an application should be a priority for any organization working with the most sensitive of personally identifiable information (PII). At a minimum, that risk assessment should focus on what the impact to the system might be if weak encryption were used. Such an assessment would then become a gap analysis covering where sensitive data isn’t being properly managed and help identify where quantum resilient approaches to system design and deployment should be employed.
Tim Callan, Chief Compliance Officer at Sectigo:
The shift to shorter certificate lifespans will certainly help organizations prepare for the next era of postquantum cryptography (PQC). This is why the term cryptographic agility becomes important. Cryptoagility is crucial in today’s fast-evolving digital environment, where new technologies, algorithms and security challenges require constant adaptation. This need for agility will become even more critical as we approach the PQC era, with the potential for rapid algorithm deprecation. IT professionals can no longer rely on the same cryptographic strategies. Shorter certificate lifespans promote cryptographic agility by speeding up the adoption of stronger algorithms and ensuring compliance with evolving security standards. For example, the deprecation of SHA-1 was delayed significantly when certificate lifespans were as long as three years. In the uncertain postquantum era, shorter certificates can help mitigate delays in adopting advanced solutions.
Longer certificate lifespans, on the other hand, tend to encourage complacency. Many businesses and enterprises may not proactively adopt improved cryptographic standards or security practices until forced by certificate expirations to seek stronger certificates through renewal.
This year, we will see the beginning of the death of legacy technology stacks, forced upon organizations by post-quantum cryptographic preparations. Legacy systems often rely on cryptographic algorithms like RSA and ECC but as the push for PQC standards are adopted, these older systems will struggle to integrate new algorithms, leading to obsolescence or requiring a significant overhaul of existing technology. Organizations holding on to legacy technology infrastructures will be forced to confront the limitations of their outdated infrastructures. Organizations need to act now to carefully plan and execute their transition — while challenging — to ensure they remain secure and compliant in the quantum era.
Additionally, we can expect a wave of official statements from the most forward-thinking vendors regarding their PQC capabilities. These announcements will not signify the immediate availability of PQC solutions but rather a pledge to transition towards PQC standards by 2026. With organizations like NIST finalizing PQC deadlines, vendors will need to show their preparedness to implement these standards and help customers transition smoothly. These announcements will serve several strategic purposes, highlighting vendors’ market leadership and differentiation, reinforcing their proactive stance on cybersecurity. By doing so, they are aiming to build customer confidence and ensure compliance with upcoming regulations.
Casey Ellis, Founder at Bugcrowd:
The consensus is five to 10 years for quantum computers capable of breaking RSA-2048, however, I’d argue that’s a conservative estimate. Recent advancements, like Microsoft’s scalable qubit breakthroughs, suggest the timeline could shrink, especially with nation-state investment accelerating progress. The uncertainty itself, combined with the “all or nothing” threat model associated with Q-day, is a reason to act now.
Implementing QRC is a cybersecurity problem which suffers from a unique case of the “Chicken Little” problem. While most systemic changes in support of cyber resilience happen in response to a security trash fire of some sort, the challenge is that post-quantum is an all-or-nothing thing. Pragmatically, The “harvest now, decrypt later” threat is real. Adversaries are already stockpiling encrypted data, knowing it will become readable once quantum decryption is viable. Sensitive information — like state secrets, intellectual property or long-term financial data — retains value well beyond a decade. Waiting to adapt is a gamble with potentially catastrophic consequences.
The biggest hurdles are awareness, cost and complexity. Many organizations underestimate the threat or lack the resources to inventory and update their cryptographic infrastructure. Standards bodies like NIST are making progress with PQC algorithms, but adoption will require significant investment and coordination.
In the short term, quantum readiness builds trust with customers and partners. Medium-term, it reduces the risk of catastrophic breaches. Long-term, it ensures operational continuity in a post-quantum world. The cost of inaction far outweighs the investment in preparation.
Dr. Adam Everspaugh, Cryptography Expert at Keeper Security:
Predicting the arrival of a quantum computer capable of breaking today’s public key cryptography is highly challenging. If technological progress followed a linear trajectory, we could confidently estimate that such systems are still hundreds of years away. However, history has shown that technological breakthroughs often follow an exponential curve, where early progress appears slow but rapidly accelerates as innovations build upon each other.
The recent advancements from Google and Microsoft highlight the reality that quantum development isn’t stagnant — it’s actively progressing. While these announcements don’t provide a definitive timeline, they reinforce the need for vigilance. Powerful quantum computers capable of breaking current cryptology could emerge in the next five to 10 years, or it could take decades more. The uncertainty itself is a risk, making early preparation not just prudent but essential for long-term security.
The risk of quantum computing isn’t just theoretical — it’s already influencing cybercriminal tactics today. The “harvest now, decrypt later” threat means attackers are actively collecting encrypted data, betting that quantum advancements will eventually allow them to decrypt it. Sensitive information sent over public networks like Wi-Fi and WANs is particularly vulnerable. Organizations should act now by integrating hybrid Quantum-Resistant Cryptographic (QRC) solutions into their security frameworks. Transitioning to QRC is a complex, multi-year process, requiring upgrades to protocols, hardware and software across industries.
NIST and the broader cryptographic community have invested years into developing quantum-resistant algorithms, but new cryptography always carries risks. These algorithms, while mathematically promising, haven’t been battle-tested in real-world adversarial environments. History has shown that many cryptographic schemes are eventually broken — not by quantum attacks, but by the ingenuity of mathematicians, cryptographers and researchers exploiting unforeseen weaknesses. This is why deploying QRC in a hybrid approach is critical. Combining quantum-resistant cryptography with established public key cryptography ensures that an attacker must break both, significantly increasing security resilience. Adaptability is key in this evolving landscape.
Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!