(Editor’s note: This is the 43rd installment of a monthly column on the growing number of cyberthreats facing businesses of all sizes and what they can do about them.)
In recent months, my conversations with executives and industry leaders have drifted to the same topics: artificial intelligence, cloud computing, innovation, data governance and geopolitical instability. But when I bring up "Q Day," the theoretical moment when a quantum computer becomes powerful enough to shatter existing data encryption, the conversation goes quiet. That’s because most business leaders view quantum as a "next decade" problem. But that mindset could be one of the greatest strategic blind spots in business.
The shift to post-quantum computing won’t just be another technology cycle; it will be a fundamental shift in digital trust. For business leaders, the urgency shouldn’t be about when the hardware arrives, but about what competitors and cyberthreats are doing right now. Because quantum computers can break the mathematical "locks" used today, a wide range of business assets will be exposed.
In my recent Business Security Weekly Podcast with Sandy Carielli, vice president and principal analyst at Forrester Research, we discussed how most experts forecast that Q Day will arrive in the early 2030s. But migrating business-scale cryptography is a massive undertaking that typically takes three to seven years. If you are waiting for the hardware to arrive, you have already lost the race.
Regulatory and supply chain pressure is beginning to ramp up. Organizations such as the National Institute of Standards and Technology have finalized post-quantum cryptography standards, and the U.S. government has set a 2035 deadline for federal agencies to migrate to these standards. Before you know it, your partners, insurers and regulators will demand "quantum readiness" as a prerequisite for doing business.
Quantum migration is a business risk masked as a technical problem. Unlike previous tech changes, Q Day could be a breaking point where digital trust is eroded overnight. If the "invisible shield" protecting our most sensitive information collapses, the damage won't just be a line-item expense; it could be existential.
Addressing this requires a holistic and cross-functional approach. This is not a job for the technology department alone. Security, finance, procurement, risk and legal must collaborate on a unified risk mitigation plan.
You cannot protect what you cannot see. An organization’s first move should be a "crypto-inventory." Identify every application, vendor and device that relies on public-key encryption. This inventory provides the roadmap to your highest risks. Even encrypted data that was previously part of a data breach should be inventoried. Cybercriminals have engaged in "harvest now, decrypt later" campaigns: They can sit on encrypted data and wait until the capabilities are available to unlock it.
Not all data will require immediate quantum-proofing. Focus first on high-value assets with long-term confidentiality needs, the data most susceptible to attacks. This "triage" strategy makes sure that your initial investment produces the highest risk reduction.
Business leaders must mandate a move toward "crypto-agility." This is a strategy that involves designing systems so that cryptographic algorithms can be swapped out without rebuilding your entire architecture. This allows your organization to remain resilient and agile as new standards and threats evolve.
Don’t forget to check your vendor ecosystem. Your security is only as strong as your weakest partner. Challenge your hardware and software providers to produce their post-quantum cryptography roadmaps. Include quantum readiness requirements in all new procurement decisions to avoid inheriting legacy risks.
Proactive quantum readiness isn’t about avoiding a "crypto apocalypse." It is about building the foundation of digital trust that becomes a competitive advantage. By getting ahead of the game and leading the charge now, you guarantee that your organization is already operating with the highest level of integrity and resilience.
The countdown is here. The only question is whether your organization will take on the proactive approach or the risks of delay.
Next month: Automation we can trust in the age of artificial intelligence.
Jason Albuquerque is the chief operating officer of Pawtucket-based Envision Technology Advisors LLC. You can reach him at www.envisionsuccess.net.