Why Your Business Needs Post-Quantum Cryptography: Insights from Industry Experts

The mainstream media has picked up on something that we’ve known for quite some time: Quantum threats aren’t theoretical, they’re imminent [source].

Most business leaders are more focused on near-term risks, such as ransomware, phishing, and insider threats. And that makes sense. But quantum computing presents a less-visible threat on the horizon that could make much of today's encryption obsolete.

And the implications for cybersecurity are enormous.

In this article, we’ll explore why your organization needs to start thinking seriously about post-quantum cryptography (PQC), what post-quantum cryptography experts are advising, and how businesses are preparing for this transition.

The implications can be downright frightening, but this isn’t a call for panic; it’s a call to act. Those who begin planning today will be the ones best equipped to stay secure for the foreseeable future.

Here’s what we’ll cover:

• What is post-quantum cryptography, and why won’t traditional encryption hold up?
• Industry insight from cryptography researchers and policymakers.
• What are leading post-quantum cryptography companies already doing?
• Measures your organization can take to prepare now.

Let’s get started.

What Is Post-Quantum Cryptography and Why Is It Necessary?

Post-quantum cryptography (PQC) refers to cryptographic algorithms designed to withstand attacks from quantum computers, which will be capable of solving problems that are computationally impossible (or impractical) for today’s systems.

Many of the algorithms we rely on today, such as RSA, ECC, and DH among them, are vulnerable to quantum algorithms like Shor’s. A sufficiently powerful quantum computer could crack these protections in hours, if not minutes.

These types of quantum machines aren’t mainstream yet, but post-quantum cryptography experts agree that it's not a matter of if, but when. Michele Mosca, a leading figure in quantum cybersecurity, has said that if x = the shelf-life of your data and y = the time it will take to migrate your systems, you need to start before x + y = the arrival of a quantum computer [source].

This is critical now because of so-called “harvest-now, decrypt-later” attacks, where threat actors collect encrypted data with the assumption that they’ll eventually have the quantum horsepower to decrypt it.

In other words, sensitive data like healthcare records, intellectual property, and government communications could be vulnerable long after you thought it was safe.

At the end of the day, you’re not alone—the World Economic Forum forecasts that 20 billion digital devices will need to be upgraded or replaced for PQC in the next decade or two [source]. But that fact shouldn’t deter your sense of urgency.

What Post-Quantum Cryptography Companies Are Doing Right Now

While many may still be wrapping their heads around the threat, some post-quantum cryptography companies are already moving toward mitigation so they can future-proof their infrastructure and win customer trust.

Here’s how some industry leaders are approaching the transition:

• IBM offers a “Quantum Safe” roadmap that includes tools for assessing risk, simulating quantum attacks, and integrating quantum-safe algorithms across hybrid cloud environments.
• Google has implemented post-quantum algorithms like Kyber in Chrome’s test builds and its internal VPN infrastructure.
• Microsoft is building PQC readiness into its Azure platform, enabling customers to test NIST candidate algorithms.

Government agencies are involved as well. The U.S. National Institute of Standards and Technology (NIST) has selected five post-quantum algorithms for standardization, including CRYSTALS-Kyber for encryption and CRYSTALS-Dilithium for digital signatures [source].

Still, future planning seems to be lagging. Just 5% of organizations say they have a quantum computing roadmap, meaning 95% would be in trouble if quantum computing became a reality tomorrow [source].

Advice from the Experts: How to Start Your PQC Transition

A complete rip-and-replace strategy isn’t feasible, nor is it necessary. According to post-quantum cryptography experts, it’s better to take a more phased and strategic approach. The end goal is to build your crypto-agility, or the ability to update cryptographic systems as new threats and standards emerge.

Five steps to get started including:

1. Take an extensive inventory. Identify and log all of your crypto assets, including keys, algorithms, protocols, and every location where encryption is applied (applications, APIs, databases, devices, etc.).

2. Prioritize what matters most. The initial focus should be on high-impact systems and long-lived data. If it needs to remain confidential for the next 10–20 years, it’s at risk.

3. Make your organization more crypto-agile. Systems hard-coded to use RSA or ECC are the most difficult to update, so invest in architecture that allows for modular or configurable cryptography.

4. Begin testing PQC algorithms. Several of the NIST-approved candidates can already be tested in controlled environments, and these pilots can expose compatibility issues and accelerate integration later.

5. Use Hybrid Algorithm as a mid-stage. To bridge the gap between classical and quantum-safe security, implement hybrid approaches that combine existing algorithms like RSA/ECC with PQC candidates. This provides stronger protection today while easing the transition to fully quantum-safe systems later.

6. Collaborate with post-quantum cryptography companies. Work with vendors who have already built post-quantum capabilities to benefit from their research, tooling, and hard-earned lessons.

Ways to Build a Resilient Future

While transitioning to post-quantum cryptography is a must, it can’t mean hitting pause on your business. The good news is that most organizations can begin the transition without disrupting ongoing operations. That’s the whole idea behind starting early—to be proactive, not reactive.

One of the most challenging tasks on this path is educating your stakeholders. Many board members and senior leaders are unaware of the quantum threat, so it's essential to bring this issue to the forefront to secure the necessary budget and resources.

On this front, it often makes sense to align your PQC planning with any broader digital transformation efforts your organization is working on. If you’re already migrating to the cloud or re-architecting apps, for example, it’s the perfect time to bake in crypto agility.

This isn’t a side project, so organizations must select a team or leader responsible for tracking PQC progress, vendor readiness, and industry standards. That last task is particularly vital; keeping tabs on NIST, ETSI, and other groups shaping global PQC frameworks will give you guidance on the direction your crypto agility should take.

Starting small is perfectly OK. For example, conducting an internal PQC workshop or commissioning a cryptographic audit can help you understand where your vulnerabilities lie and where to focus first.

The Quantum Era Is Coming. Get Ahead of It Now.

Quantum computing may still seem futuristic, but the security implications are very urgent. The encrypted data you store today could be compromised in the near future if it falls into the wrong hands. That’s why post-quantum cryptography experts urge businesses to begin laying the groundwork now.

In essence:

• PQC is about more than just encryption. It's about long-term resilience.
• Post-quantum cryptography companies are already building tools, roadmaps, and protocols that will define the next era of cybersecurity.
• You don’t need to overhaul everything overnight, but you do need a strategy—and soon.
• Crypto-agility, risk prioritization, and vendor partnerships are the pillars of effective transition.

Fortanix helps enterprises get ahead of the quantum curve with solutions that support crypto-agility, centralized key management, and standards-based security. Whether you're preparing for a full migration or just getting started with crypto inventory, we can help.