The quantum computing era is rapidly approaching, and with it comes the inevitable disruption of current cryptographic systems. We now stand on the brink where action is no longer hypothetical but essential.
However, the inherent complexity of the technology means we have seen many quantum procrastinators avoid tackling the challenge. A common excuse has been to wait for more structured, official guidelines on quantum security.
Well, those have now arrived in the form of new post-quantum cryptography guidelines by NIST, so it’s time to stop delaying and get on with it.
There is still a common tendency to treat quantum encryption as a nice-to-have that can be addressed later. The hesitation to act is creating significant and potentially catastrophic security gaps, as future quantum threats become increasingly real.
NIST guidelines: A call to action ignored?
The release of NIST’s guidelines earlier this year should have been a turning point for organisations to begin their transition to quantum-safe cryptography. However, a cycle of procrastination is stalling progress.
Many businesses have delayed taking steps, using the absence of official standards as a flimsy excuse to avoid addressing cryptographic vulnerabilities. Quantum is commonly seen as a distant problem, and solving it now doesn’t provide an immediately recognisable ROI, so CISOs fighting for budget feel justified in delaying action.
Now that these guidelines are in place, the industry should be moving decisively. However, vendors are hesitant to innovate without explicit customer demand. Put simply, customers are waiting for vendors to lead.
This deadlock is more than an operational inconvenience — it’s a looming risk. Companies cannot afford to wait for vendors to catch up. The threat of quantum computing is real, and organisations need to start planning now to avoid being caught unprepared.
The consequences of inaction
The two most widely used cryptographic systems, RSA (Rivest–Shamir–Adleman) and ECC (Elliptic Curve Cryptography), rely on the difficulty of factoring large integers into their prime factors and solving discrete logarithms, problems that quantum computers can solve exponentially faster using algorithms like Shor’s and Grover’s.
One of the most immediate risks is the so-called “harvest now, decrypt later” attack. Adversaries today can capture encrypted communications and store them for future decryption once quantum computers become powerful enough.
Sensitive information — such as financial transactions, proprietary data, personal health information, and government communications — that is encrypted today may already be at risk.
Once quantum decryption capabilities are available, encrypted data could be decrypted retroactively, exposing years’ worth of sensitive information. Waiting for the "right moment" to act is no longer tenable. The longer businesses delay, the wider the security gaps will grow.
The complexity of transitioning to quantum-safe algorithms
Another catalyst for taking immediate action is the reality that switching to quantum-safe algorithms is not a simple "rip and replace" process. Unlike previous cryptographic transitions, this one involves complex trade-offs in terms of processing power, bandwidth, and compatibility.
In environments where devices have limited resources, such as IoT networks, the process is even more challenging. These devices often lack the computational power needed to handle modern cryptographic techniques, let alone quantum-safe algorithms.
For this reason, it is critical to conduct thorough testing before deploying any new cryptographic algorithms. Rushing into this transition without understanding the impact on each part of the technology stack will create more problems than it solves.
Organisations must begin by cataloguing their cryptographic assets, much like they would inventory network or data assets. In fact, this should have already been happening in preparation for a quantum future. This is not an easy task, and it is currently a painstaking one, which is something we need to help improve.
A well-planned migration strategy, including rigorous testing phases, should follow. The key is to ensure that new algorithms are robust enough to replace older ones without introducing new vulnerabilities.
Testing for protocol and implementation failures
The adoption of quantum-safe cryptography is not solely about choosing the right algorithms. Even if the protocols themselves are sound, poor implementation can lead to significant vulnerabilities.
It is critical that implementation failures are weeded out. History has repeatedly shown that even well-defined cryptographic standards can be compromised by errors in execution. Side-channel attacks, which exploit implementation flaws rather than algorithm weaknesses, are a prime example of this risk.
To prevent such vulnerabilities, it is essential to test not only the algorithms but also their implementation across various platforms. Security teams must focus on ensuring that new cryptographic systems are deployed correctly, especially in environments with limited resources or specialised hardware. This is a meticulous but necessary process to ensure that the new systems are genuinely secure.
Engaging with vendors: The critical missing link
Relying solely on vendors to take the lead in adopting quantum-safe cryptography is a flawed approach.
I have encountered vendors stating that they are not focused on quantum readiness because customers are not asking for it. Again, this is a flimsy excuse, and it creates a dangerous feedback loop, leaving the entire ecosystem vulnerable.
Organisations need to break this cycle by actively engaging with their vendors. Questions about quantum readiness should be a part of every vendor review. If enough customers are requesting actionable plans for implementing quantum-safe algorithms, vendors will be motivated to meet the demand.
This is not just about future-proofing; it is about ensuring that when the quantum threat materialises, we’re ready — otherwise we’ll have created the next existential crisis.
Preparing for a quantum future today
Quantum computing’s ability to break widely deployed cryptographic methods poses a legitimate threat to all enterprises that rely on cryptographic protocols to authenticate commands and encrypt sensitive operational data. This includes critical national infrastructure, making quantum risk an issue of national security.
However, addressing this challenge requires a balanced approach. Buying into the FUD and the notion there’s going to be a grand ‘cryptopocalypse’ isn’t constructive — but neither is the continued procrastination that puts quantum on the perpetual backburner.
The most practical approach is to split security investments and activity in two. On one side are the usual security priorities: ensuring today’s security threats are accounted for and investing to tackle technical debt backlog. These are things we all understand and can measure with defined ROI and SLAs.
At the same time, there needs to be a forward-looking strategy to address emerging threats like quantum. These issues aren’t yet definable with the usual success metrics, so future-proofing requires a different mindset. Ideally, it should be seen as an opportunity to get ahead.
Alongside the recent guidance from NIST, the World Economic Forum has released two whitepapers that provide practical advice for adjusting and budgeting in a post-quantum economy. These can help CISOs make their case for why quantum investment needs to happen now, rather than years down the line.
Tackling the quantum issue now will ensure an organisation is ready when the day arrives, rather than having to urgently find the capital to deal with an active quantum threat to its critical encrypted data.