Why Organizations Need To Start Developing Post-Quantum Cryptography Strategies Now

Forbes, 09-04-2025
Scott Buchholz is the CTO of Deloitte Consulting LLP's Government and Public Services practice.

As quantum computing swiftly advances, organizations face an unprecedented cybersecurity challenge. Cryptanalytically relevant quantum computers (CRQCs) stand to break current encryption standards in hours instead of billions of years—potentially exposing vast amounts of data and breaking transactional tunnels across healthcare systems, global financial networks, critical infrastructure, government institutions and more. The timeline for the development of CRQCs is uncertain, which can lead many leaders to put preparation on the back burner. But delaying preparation could expose organizations to significant risks. Leaders should start developing post-quantum cryptography (PQC) strategies now to help safeguard their organizations against CRQCs. Ultimately, improving resiliency against CRQCs is a journey organizations need to start today.

On a foundational level, the existence of CRQCs could degrade trust in digital communications and systems—in a world where encryption can be broken, bad actors would be capable of masquerading as someone else, with potentially catastrophic impacts on trust in digital environments. In addition to eroding trust, bad actors could also leak sensitive data, access credentials and impersonate others. They could generally wreak havoc, such as by subtly corrupting data, forging contracts, funneling money out of bank accounts and more. While it remains unknown when we'll see the first CRQC, it's important that leaders act proactively to make their organizations quantum resilient.

The published timelines regarding the maturation of a cryptanalytically relevant quantum computer vary. For instance, Gartner predicts that 'by 2029, advances in quantum computing will make asymmetric cryptography unsafe and by 2034 fully breakable.'
The 2024 'Quantum Threat Timeline Report,' published by the Global Risk Institute, polled groups of experts for timeline estimates, and the midpoint of their estimates is that a quantum computer that can decrypt RSA-2048 (a widely used encryption standard) in 24 hours could be available in about 15 years. Regardless of the exact answer, large organizations could need up to a decade to update all of their cryptography. And it's not merely future data and transactions that are at risk. If bad actors are able to exfiltrate encrypted data, they could store it until such time as CRQCs are available to decrypt it. Thus, the window to secure data is shorter than many leaders might think—and the longer they wait, the further they will fall behind.

Creating a PQC strategy and performing the necessary upgrades will be an extensive process, one that can take years. In August 2024, the National Institute of Standards and Technology (NIST) released its initial three finalized standards. This was a significant step in protecting digital infrastructure against the emerging cryptographic threats from quantum computing. The first of the three, Federal Information Processing Standard (FIPS) 203, is 'intended as the primary standard for general encryption.' The second, FIPS 204, is 'intended as the primary standard for protecting digital signatures.' Finally, FIPS 205 is 'also designed for digital signatures' and serves as a 'backup method' in the event that the algorithm FIPS 204 runs on 'proves vulnerable.' NIST developed these standards to guard against CRQCs being able to decrypt sensitive data and to secure digital transactions. By adopting these standards in the near term, leaders can proactively protect their organizations' sensitive digital information from potential quantum threats and be better prepared to adapt to advances in quantum computing.
While building quantum resiliency may not be the number one priority for leaders today, I suggest leaders commit to at least developing a plan in 2025. That plan should include an assessment, an analysis of quantum's potential impact on the business operations of an organization and a roadmap for implementation. Incremental steps that show value along the way are key.

The initial step is evaluating exposure. Organizations that deal with sensitive and/or long-lived data, such as healthcare providers, insurers, banks and government agencies, should prioritize developing PQC strategies sooner for sensitive data and/or transactions. From there, leaders should evaluate their key data assets and identify which have the highest value—and what the lifetime relevance of that data is.

Consider banks and the types of data they store. Credit card numbers may change every five years, so a bad actor getting access to a list of client credit cards in a decade isn't as important as getting access to, say, checking and savings account numbers and associated addresses.

Once leaders identify their key data and its associated lifetime, they should analyze the way that data moves through business processes and infrastructure. Data, after all, doesn't sit still. It's always in motion. That information will tell leaders where they need to start.

Then they can determine who internally (on their IT and cybersecurity teams) and/or externally (such as cloud or hardware providers) is responsible for performing system and security upgrades and remediation. While this may not require new resources, it will require organizations to manage the process to completion. Leaders should also keep an eye on cryptography standards as they are validated by national and international bodies and remain aware of any updates to those standards.
Being well-informed is one of the key steps to achieving 'crypto agility,' the ability to seamlessly transition between cryptography standards as they evolve. Organizations that achieve crypto agility will be better positioned for future transitions, which are a given, considering that cryptography standards have been upgraded several times throughout the internet's history.

There are countless challenges in cybersecurity at any given time. While the timeline for CRQCs is unknown, the implications are staggering. Having a plan to manage it will help leaders safeguard their organizations when CRQCs arrive.
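The exposure assessment described above (data lifetime, migration time and the CRQC estimate being planned against) can be turned into numbers. The following Python model is an added example and is not from the article or its author; it applies the widely cited Mosca inequality (shelf life + migration time > years until a CRQC means the data is exposed to harvest-now-decrypt-later), and the asset inventory, shelf lives, 10-year migration and 4/15-year CRQC estimates are constructed values chosen to mirror the figures the article cites.

```python
"""Exposure-window model for "harvest now, decrypt later" risk.

Added illustration, not code from the article or from Deloitte. It applies the
Mosca inequality (assumed here as the first-order planning model):

    shelf_life + migration_years > years_until_crqc  ->  asset is exposed

shelf_life is the article's "lifetime relevance" of a data asset, migration_years
is how long the organisation needs to finish its cryptographic upgrade, and
years_until_crqc is whichever CRQC estimate is being planned against.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataAsset:
    name: str
    shelf_life_years: float       # how long disclosure would still cause harm
    pqc_protected: bool = False   # already moved to a PQC standard (e.g. FIPS 203 key establishment)


def exposure_years(asset: DataAsset, migration_years: float, years_until_crqc: float) -> float:
    """Length of the window in which harvested ciphertext is both decryptable and still harmful.

    Ciphertext captured just before the migration finishes (year migration_years) stays
    sensitive until migration_years + shelf_life; a CRQC can read it from years_until_crqc
    onward. The overlap of those two intervals is the exposure window; 0.0 means none.
    """
    # Edge cases: data already on PQC, or data whose disclosure never matters, is never exposed.
    if asset.pqc_protected or asset.shelf_life_years <= 0:
        return 0.0
    return max(0.0, asset.shelf_life_years + migration_years - years_until_crqc)


def years_of_slack(asset: DataAsset, migration_years: float, years_until_crqc: float) -> float:
    """Years the migration for this asset could still be deferred before it becomes exposed.

    A negative value means the organisation is already behind by that much: waiting cannot
    help, only a faster migration or a shorter retention period (data minimisation) can.
    """
    if asset.pqc_protected or asset.shelf_life_years <= 0:
        return float("inf")
    return years_until_crqc - asset.shelf_life_years - migration_years


def prioritize(assets, migration_years: float, years_until_crqc: float):
    """Exposed assets only, most exposed first: a defensible upgrade order."""
    ranked = [(a.name, exposure_years(a, migration_years, years_until_crqc)) for a in assets]
    return sorted([r for r in ranked if r[1] > 0], key=lambda r: r[1], reverse=True)


def scenario_table(assets, migration_years: float, crqc_estimates):
    """Exposure of every asset under each CRQC estimate, so planners can see which
    conclusions hold no matter which published timeline turns out to be right."""
    return {
        est: {a.name: exposure_years(a, migration_years, est) for a in assets}
        for est in crqc_estimates
    }


# Constructed sample inventory: illustrative values, not real figures from any organisation.
SAMPLE_ASSETS = [
    DataAsset("card numbers", shelf_life_years=5),            # article: cards change about every 5 years
    DataAsset("account numbers + addresses", shelf_life_years=30),
    DataAsset("patient records", shelf_life_years=50),
    DataAsset("published press releases", shelf_life_years=0),
    DataAsset("archived contracts (already PQC)", shelf_life_years=20, pqc_protected=True),
]
MIGRATION_YEARS = 10.0          # article: large organisations may need up to a decade
CRQC_ESTIMATES = (4.0, 15.0)    # roughly the Gartner (2029) and GRI-midpoint (~15 years) figures

if __name__ == "__main__":
    for est, row in scenario_table(SAMPLE_ASSETS, MIGRATION_YEARS, CRQC_ESTIMATES).items():
        print(f"CRQC in {est:g} years (migration takes {MIGRATION_YEARS:g}):")
        for asset in SAMPLE_ASSETS:
            slack = years_of_slack(asset, MIGRATION_YEARS, est)
            print(f"  {asset.name:<36} exposed {row[asset.name]:>5.1f} yrs   slack {slack:>6.1f} yrs")
        print("  upgrade order:", [name for name, _ in prioritize(SAMPLE_ASSETS, MIGRATION_YEARS, est)])
```

Two things the table makes visible that the prose only states: under the 15-year estimate the 5-year card numbers sit exactly at zero slack (the plan has to start now, not later), while 30- and 50-year assets are already decades behind, so for them the only remaining levers are a faster migration or shorter retention, not timing. The ordering of assets to upgrade first is the same under both CRQC estimates, which is the kind of conclusion a roadmap can rely on regardless of which timeline proves right.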
