Q Day has been scheduled – are you on the meeting invite?
© 123RF
Quantum computing is moving closer to practical reality, requiring organisations to plan now for post-quantum cryptography to protect trust, security and long-term digital resilience.
Nearly a decade ago, scientists in Zurich evaluated an early quantum computer against a conventional desktop system in processing time trials. At that time, the quantum computer came off second best, and the observation was that the barriers to quantum computing remained too great for it to be a real threat. With quantum computing widely categorised as an emerging risk, organisations focused on more immediate cyber threats. That assessment is beginning to change. Advances in quantum research, combined with updated guidance from governments and standards bodies, indicate that preparation is now a prudent step.
Recent advances in practical quantum computing applications, including progress toward smaller quantum systems that can operate at room temperature, show that quantum technology is moving closer to becoming accessible for everyday use. This increased accessibility also means that well-resourced threat actors will soon find ways to exploit emerging quantum capabilities, accelerating the risk that these technologies will be used for malicious purposes as they mature and stabilise. The global security community has responded proactively to this growing threat, with governments and regulators advising organisations to begin planning for a transition to quantum-resistant cryptographic algorithms.
What organisations need to do now to prepare for quantum computing
Organisations can begin implementing a range of practical actions to position themselves for sustained quantum-resilient operations.
First, it is important to acknowledge that transitioning to quantum-resistant cryptography will be a multi-year effort. For many enterprises, preparation and implementation are likely to take between two and five years. Organisations should therefore begin planning now, engaging executive leadership and boards to agree priorities, investment and risk appetite. Acting early not only reduces long-term transformation costs, but also ensures organisations are not left exposed as quantum capabilities accelerate. Those who move proactively will be better positioned to maintain trust, safeguard critical data, and stay ahead of emerging cyber risk.
Second, organisations should develop a clear understanding of their existing cryptographic environment. Creating a cryptographic bill of materials (CBOM) provides visibility of where cryptography is used across systems, applications and data flows. This exercise should extend across the entire technology estate, including operational technology environments with long asset lifecycles and integrations with external organisations. A comprehensive view of these dependencies ensures that future transitions to quantum-safe algorithms can be executed methodically and with minimal disruption to critical services.
Third, engagement with key technology partners is essential. Understanding vendor roadmaps for post-quantum cryptography (PQC) enables organisations to align transition plans with future software releases and infrastructure upgrades.
Fourth, business continuity planning should consider scenarios in which systems may need to be restricted or isolated if quantum-related risks emerge earlier than anticipated. Embedding these contingencies ensures organisations can respond decisively, minimising operational disruption while safeguarding assets during a rapidly evolving threat landscape.
Finally, asset lifecycle planning should factor in quantum readiness. As PQC-capable products become available, replacement and upgrade decisions should consider long-term cryptographic resilience alongside traditional security requirements.
Why post-quantum cryptographic resilience matters
Encryption underpins trust in modern digital systems, protecting data confidentiality and integrity across economies, governments and critical services.
Current encryption methods rely on mathematical problems that are difficult to reverse without the correct key using classical computing; essentially, an attacker is left with a game of trial and error, submitting candidate solutions. The significant effort and investment this requires deters most threat actors and is what makes encryption effective today. However, quantum computing is expected to significantly alter this balance.
Two primary forms of encryption are widely used: symmetric and asymmetric.
Symmetric encryption relies on a shared secret key. While quantum computing may reduce the time required to test keys, increasing key lengths remains an effective mitigation, making symmetric encryption comparatively more resilient in a post-quantum context.
Asymmetric encryption is more vulnerable to quantum computing. It involves two keys, one public and one private, and quantum algorithms are expected to solve the underlying mathematical problem more efficiently using public key details.
Quantum computers operate using quantum states rather than binary logic, enabling them to process multiple possibilities simultaneously. As this capability matures, it is expected to have a material impact on certain cryptographic algorithms currently in widespread use.
Global standards and policy direction
Governments and international partners are actively working to address post-quantum risk. The US National Institute of Standards and Technology (NIST) is leading global efforts to standardise cryptographic algorithms designed to withstand quantum-enabled attacks, with many countries aligning their national guidance to these standards.
NIST-selected algorithms include:
- ML-KEM (CRYSTALS-Kyber): A lattice-based key encapsulation mechanism.
- ML-DSA (CRYSTALS-Dilithium): A lattice-based digital signature scheme.
- SLH-DSA: A stateless hash-based digital signature scheme.
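A minimal sketch of the CBOM exercise and the symmetric/asymmetric distinction described above, added here as an illustration and not taken from the article: it scans constructed configuration strings for algorithm names and flags which assets still depend on classical public-key cryptography. The inventory format, the function names and the 256-bit threshold are assumptions of this example.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "asset algorithm status action")

# Classical public-key algorithms -> NIST-selected family covering the same role.
KEX, SIG = "ML-KEM", "ML-DSA or SLH-DSA"
ASYMMETRIC = {"ECDHE": KEX, "ECDH": KEX, "DHE": KEX, "X25519": KEX,
              "ECDSA": SIG, "ED25519": SIG, "DSA": SIG,
              "RSA": KEX + " (key transport) / " + SIG + " (signatures)"}
PQC = ("ML-KEM", "ML-DSA", "SLH-DSA")
MIN_SYMMETRIC_BITS = 256  # assumption: policy threshold chosen for this example

# Boundaries stop "DHE" matching inside "ECDHE"; "ML-DSA" is consumed before "DSA".
TOKEN = re.compile(r"(?<![A-Z0-9])(?:(%s)|AES[-_]?(\d{3}))(?![A-Z0-9])"
                   % "|".join(list(ASYMMETRIC) + list(PQC)))

def build_cbom(inventory):
    """inventory: iterable of 'asset: configured algorithm string' lines."""
    entries = []
    for line in inventory:
        asset, _, config = line.partition(":")
        asset = asset.strip()
        for m in TOKEN.finditer(config.upper()):
            name, bits = m.group(1), m.group(2)
            if bits:  # symmetric: a longer key is the mitigation
                ok = int(bits) >= MIN_SYMMETRIC_BITS
                entries.append(Entry(asset, "AES-" + bits, "ok" if ok else "review",
                               "none" if ok else "move to AES-%d" % MIN_SYMMETRIC_BITS))
            elif name in PQC:
                entries.append(Entry(asset, name, "ok", "none"))
            else:  # classical public-key algorithm
                entries.append(Entry(asset, name, "migrate", ASYMMETRIC[name]))
    return entries

def migration_backlog(entries):
    """Assets that still depend on a classical public-key algorithm."""
    return sorted({e.asset for e in entries if e.status == "migrate"})

# Constructed sample inventory (asset names and settings are illustrative).
SAMPLE = [
    "payments-api tls: ECDHE-RSA-AES128-GCM-SHA256",
    "intranet tls1.3: TLS_AES_256_GCM_SHA384",
    "scada-gateway ssh: ssh-ed25519, aes256-ctr",
    "pilot-vpn: ML-KEM-768 + AES-256-GCM",
]

if __name__ == "__main__":
    for e in build_cbom(SAMPLE):
        print("%-20s %-8s %-8s %s" % e)
```

The TLS 1.3 suite name carries no key-exchange algorithm, so an inventory built from suite strings alone reports that asset as clean; the negotiated key-exchange groups have to be recorded separately.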
While quantum computing does not yet represent an immediate threat, the scale and complexity of cryptographic transition mean readiness cannot be achieved quickly. For many organisations, identifying cryptographic dependencies and executing a structured transition strategy will take years.
Beginning this work now allows organisations to align with emerging global standards, reduce future disruption and build long-term digital resilience.