The Case for Accelerating Post-Quantum Planning

(April 1, 2026)

Post-quantum cryptography (PQC) has been discussed for years, but for many organizations it still sits in the category of acknowledged future risk rather than active planning today. In the Cyber Security Tribe Annual Report, 32% of respondents said post-quantum cryptography had not yet been discussed internally, while 46% said they were aware of PQC-related risks but had not taken any formal action. That gap between awareness and preparation is significant, especially given that cryptographic transitions are rarely simple, fast, or isolated to a single system or team.

This article is part of Cyber Security Tribe’s wider editorial series based on findings from the annual report and expert conversations held at RSAC 2026 in San Francisco. Across the series, senior cybersecurity leaders and practitioners were asked to respond to key themes raised by the report, including agentic AI, identity-centric security, AI governance, employee concerns, and quantum readiness. For this article, we asked a pressing question tied directly to the report’s findings: "With many organizations aware but not yet acting on post-quantum cryptography, how can they justify accelerating migration planning today?"

The perspectives that follow examine why PQC planning is increasingly being treated as a present governance and resilience issue rather than a distant technical one. They explore the long lead times involved in cryptographic discovery, dependency mapping, vendor coordination, and migration planning, along with the challenge of identifying where cryptography actually exists across modern environments. They also consider the risk of delay, particularly for organizations that handle sensitive data requiring long-term confidentiality.

Organizations need to understand how much sensitive data they hold, how long that data must remain protected, where cryptography is embedded across their environments, and how difficult migration is likely to be once it begins. This article explores why experts believe planning should start before external pressure forces action, and why early preparation can reduce both operational disruption and future risk.

The thought leaders who contributed to the article include:

 

 


Greg Wetmore, Vice President of Product Development, at Entrust

Across the enterprise, the gap between awareness and action on the post-quantum threat is widening. A cryptographically relevant quantum computer isn’t here yet, but credible roadmaps are shortening faster than most organizations can execute. IBM’s recently shared timeline for Starling, its first large-scale fault-tolerant quantum computer that will be available in 2029, reinforces this momentum. While Starling is not expected to break RSA based on what we know today, it marks meaningful progress.

The last twelve months have demonstrated real acceleration in quantum computing research, prompting the industry to reassess migration timelines. We’re entering a compression phase, where quantum computing roadmaps are now shorter than the time many organizations will need to complete a transition to quantum-safe cryptography.

This is the most complex cryptographic transition businesses have ever faced. Inventorying cryptographic assets alone can be an early and time-consuming hurdle, especially as those assets sprawl across diverse environments. In fact, 41% of IT and security professionals worldwide cite limited visibility into cryptographic assets as a top barrier to post-quantum readiness, according to recent Entrust data. But discovery cannot be the only focus. The most proactive organizations are working in parallel, building an inventory of cryptographic assets while also implementing quantum-safe digital infrastructure. Both tracks must move together to avoid bottlenecks and build meaningful readiness.

The real question isn’t how organizations justify accelerating migration planning today, but how they can justify waiting. Those who delay will find themselves racing to protect digital assets as quantum capabilities advance.

 


David Girvin, AI Security Researcher at Sumo Logic

Because “wait and see” is how you end up on the front page explaining why your encrypted archives suddenly turned into a public data buffet.

Nobody is asking enterprises to forklift-upgrade every algorithm tomorrow. But pretending PQC isn’t your problem yet is delusional when adversaries are actively harvesting encrypted data today to decrypt later.

The justification is simple:

  • Crypto migrations take years: inventory, risk mapping, dependency untangling, vendor alignment, hardware replacement… none of that happens with a six-month project plan.

  • Quantum timelines aren’t the point, your data lifetime is. If your data needs confidentiality beyond 5–10 years, you’re already late.

  • Regulators and auditors aren’t going to accept “we were waiting for NIST to send us a calendar invite.”

So yes, start now, not because quantum breaks everything tomorrow, but because your org’s tech debt moves at the speed of continental drift. Planning today is cheaper than crisis-migrating under headlines later.

 


Rik Ferguson, Forescout VP of Security Intelligence

Quantum preparedness earns its budget the way resilience always does: by respecting lead times. If your data will still matter in ten years, an attacker doesn't need a quantum computer now. They just need to intercept it now and wait. Harvest today, decrypt tomorrow.

“Migrating crypto” is never the tidy algorithm swap the slide deck promises. It’s an archaeology dig through applications, libraries, devices, suppliers, certificates, and key lifecycles, followed by a careful rollout where success means nothing visibly happens.

Start the work now and you turn a future compliance fire drill into governed change. Wait, and you’ll be doing it at pace, under pressure, with everyone watching. Classify data by longevity and sensitivity. Map where cryptography actually lives, not where you assume it lives. Build crypto agility into new projects and procurement so you stop pouring concrete around the problem every quarter.

 


Niall Browne, CEO and co-founder, AIBound

The migration to post-quantum cryptography is not a technical challenge -- it is a priority challenge. Security teams have a long history of changing encryption schemes and cryptographic algorithms as needed, driven by the exponential growth of computing power and increasingly sophisticated adversaries.

We saw this play out with the transition from TLS 1.2 to TLS 1.3: companies were slow to move until regulatory requirements and compliance deadlines forced their hand, but once it became a priority, they executed. The same pattern will repeat with PQC.

Honestly, most CISOs do not see this as their top Monday morning priority -- they have fifty other pressing issues competing for attention. But when they start seeing peers impacted by quantum-related threats, or when regulators mandate migration timelines, it will move to the top of the queue.

The good news is that security teams already have the muscle memory from decades of cryptographic transitions. The justification for accelerating migration planning today is straightforward: start the inventory and discovery work now so that when the priority shifts, you are ready to execute rather than scrambling to understand your cryptographic footprint.

 


Willie Tejada, GM & SVP, Aviatrix

Quantum is a real threat, but I’d argue we have a more urgent cryptographic problem: most east-west traffic inside cloud networks isn’t encrypted at all. We’re worried about future decryption while ignoring present-day exposure. That said, the harvest-now-decrypt-later risk is cumulative and real. If your organization holds sensitive data with a long shelf life, planning cannot wait.

Migration to post-quantum cryptography will take years. It requires inventorying cryptographic assets, updating systems, coordinating with vendors, and validating performance. Planning now reduces future operational shock and distributes cost over time.

Waiting until quantum systems are fully mature will compress the timeline into a disruptive and expensive scramble.

 


Shashi Kiran, Chief GTM Officer, Nile

The technology is still nascent, but rapidly advancing with significant investments from cloud providers to chip vendors, specialized OEMs, and in industry standards from NIST, IETF, etc. Organizations can prepare by getting themselves educated on the technology and its impact on the organization. This would include deeply understanding the potential as well as the pitfalls, and ensuring the knowledge level of the workforce is continually elevated.

Many organizations have lost visibility across the IT domain, due to rapid changes, complexity, irregular audits and personnel shifts. Constantly assessing posture and being in a state of readiness is a better way to be prepared. This can be accomplished by:

1. Start building an inventory of components and functions where cryptography is used.

2. Evaluate the risks to them from PQC and prioritize high risk items.

3. Prepare a roadmap for transitioning those to PQC algorithms.

4. Build technical capabilities to execute on that roadmap.

5. Identify interoperability issues and other types of system impact that the transition may have.

 


Darren Meyer, Security Research, Checkmarx

Organizations deciding whether to accelerate migration planning should carefully consider what risks they’re seeking to mitigate. “Harvest now, decrypt later” attacks are a genuine concern, but not for every organization or every use case. Organizations that must protect secrets long term, and against well-funded, persistent, and determined attackers, have a clear mandate to start rolling out quantum-safe cryptosystems.

Other organizations should be focused on planning an orderly and cost-effective rollout to avoid a more costly panic later.