Quantum Security: The Clock is Already Ticking

ยท
Listen to this article~5 min

Quantum computing is no longer a future riskโ€”it's a present threat. Learn why 'harvest now, decrypt later' is real, how NIST's 2024 standards signal urgency, and what you can do today to protect long-lived data.

There's a particular kind of risk that keeps me up at night: the kind we don't feel day to day because it's easy to label it "later." Quantum computing, the technology that harnesses quantum mechanics to solve problems classical computers can't touch, has been sitting in that folder for years. I'm convinced we're running out of time to keep it there. Not because I want to be dramatic, but because the work required to respond is measured in years, not quarters. And once you see the timeline clearly, you can't unsee it. ### What's actually happening Let me be plain about the threat model. "Harvest now, decrypt later" isn't a sci-fi slogan. It's a rational strategy. If an adversary steals encrypted data today, they can store it and attempt decryption later when capabilities improve. That's why agencies like the UK's National Cyber Security Centre (NCSC) and the U.S. national security community are pushing organizations to plan now, not when "Q-day" arrives. That's the hypothetical milestone when quantum computers become more powerful than today's public-key encryption. Here's where executives often underestimate the risk: the target isn't all data. It's the data that remains valuable years from now. Strategic plans, proprietary IP, legal files, identity records, health data, defense and infrastructure information. If you hold information with a long shelf life, delays matter. The question I ask leaders isn't "When will quantum break encryption?" It's more uncomfortable than that: what are we collecting and retaining today that we'd regret losing five or ten years from now? ### The timeline most boardrooms are misreading I've had this conversation in boardrooms more times than I can count. It follows a predictable arc: acknowledgement, real curiosity, and then a quiet conclusion of "important, but not urgent." I understand the instinct. Everyone is navigating finite attention against an infinite list of priorities. But a few signals are getting harder to wave away. In 2024, the National Institute of Standards and Technology (NIST) finalized its first post-quantum cryptography standards after years of evaluation. That alone should tell any serious risk committee something: standards bodies don't spend that kind of time on a purely academic exercise. At the same time, major vendors are publishing roadmaps and technical milestones pointing toward accelerating capability. These aren't guarantees. But when multiple credible groups converge on roughly the same decade, it's prudent to treat that as a planning horizon, not a debate topic. When you ask security practitioners what they believe will happen, you don't get comfort. A KPMG survey found that a substantial share of experts expect conventional public-key crypto to be broken within a timeframe that overlaps with typical enterprise migration cycles. Surveys aren't certain, but they're a warning light, especially when they align with government guidance. Here's the arithmetic that bothers me: if you have data that must remain confidential for five years, and a realistic migration takes several years in a complex environment, then "we'll start later" is not a neutral choice. It's a decision to compress the transition into a crisis. ### The scale of migration is what most underestimate I want to be clear about something often overlooked: this is not a simple software upgrade. RSA and ECC, the two widely used types of security technology that protect online communications and verify digital identities, are built into many core systems. They support: - Secure web connections - Digital certificates - Login and identity systems - Software signing - Remote access - Device authentication Replacing or augmenting that reality requires a fact base: where cryptography actually lives across your environment and supply chain. In practice, that means inventorying every system, application, and device that uses encryption. It's a massive undertaking. "But here's the thing," one CISO told me recently, "we don't even know where all our keys are." That's the honest truth for many organizations. And you can't protect what you can't find. ### What you can do today Start with a crypto inventory. Map where RSA and ECC live in your environment. Identify data with long shelf lives. Prioritize migration for systems handling that data. Engage with NIST's post-quantum cryptography standards. Begin testing in sandbox environments. Build internal expertise now, because the talent pool will only get tighter as Q-day approaches. The clock is ticking. But you don't have to panic. You just have to start.