For years, post-quantum cryptography (PQC) sat comfortably in the category of “important, but not urgent.”
Security leaders knew it was coming. Researchers talked about it. Standards bodies worked on it. Most organizations acknowledged that it would eventually require attention. But I would argue that the time to start preparing is now.
In this episode of STRIVE, I sat down with Sr. Director of Portfolio Marketing Michael Fasulo to discuss why the conversation around PQC is changing so quickly – and why the organizations that wait for certainty may find themselves running out of time.
Watch the full episode.
Key Takeaways
- Harvest Now, Decrypt Later attacks mean sensitive data is already at risk, even if quantum capabilities aren’t stable or commercially viable yet.
- Most organizations do not have a complete view of their cryptographic inventory, making discovery the first major hurdle.
- PQC is just as much a technology challenge to solve for and as much as it is about risk prioritization.
- The organizations that start preparing now will have more options to course correct on prioritizations than those forced to react later.
The Problem Isn’t the Technology
Most discussions about post-quantum cryptography start with technology.
- How quickly is quantum computing advancing?
- When will cryptographically-relevant quantum systems become practical?
- Which algorithms are likely to survive long term?
Those are important questions. But they’re not the questions I would prioritize asking. Michael wrote a blog last year about PQC and we discussed today how several things have changed since then.
Over the past several years, estimates have consistently moved in one direction: what once felt distant now feels increasingly close. At the same time, standards are evolving; regulatory expectations are increasing, and organizations are beginning to recognize how much cryptographic debt they’ve accumulated over the decades.
The exact date of Q-Day may remain uncertain. The direction of travel is not.
The Risk Is Here And Now
One reason this conversation has become more urgent is the growing attention around Harvest Now, Decrypt Later attacks. The concept is straightforward: An adversary gains access to encrypted information today, stores it, and waits for future capabilities to make that information readable.
What’s important here is that the risk doesn’t begin when quantum computing arrives. The risk begins when even encrypted data is exfiltrated and stored.
For organizations protecting intellectual property, healthcare records, government information, or other sensitive long term retention data, that distinction changes everything.
Organizations need to know whether data being retained today will still matter when that future arrives.
For many,esp. the highly regulated industries and critical infrastructure, the answer is yes.
Sneak Peek: Why Crypto Agility Matters
Embed clip here: https://www.youtube.com/watch?v=A3YWU5rlmGA
In this clip, Michael explains why PQC isn’t a one-time fix or switch. The real goal is crypto agility – building the flexibility to adapt cryptographic algorithms as standards, and threats evolve. Because in cybersecurity, the challenge isn’t just preparing for what’s next. It’s being ready for what comes after that.
Discovery Is the Real Project
One misconception about PQC is that it’s primarily an encryption upgrade. In reality, most organizations haven’t reached the stage where replacement is the biggest concern.
They’re still trying to understand the scope of the problem. Cryptography exists everywhere.
- Applications
- Certificates
- Cloud services
- APIs
- Code signing
- Third-party platforms
Many organizations struggle with the creation of the cryptographic inventory or its scope. That makes discovery one of the most important – and often underestimated – parts of the journey.
And for many enterprises, that’s a much larger endeavor than expected.
The Supply Chain Challenge
Another reason PQC has become a priority is that no organization will navigate this transition alone. Modern enterprises depend on vendors, cloud providers, software partners, and countless third parties, all of whom use cryptography.
That means quantum readiness extends beyond internal systems. It becomes a question of ecosystem readiness.
- Are suppliers preparing?
- Are critical vendors planning migrations?
- Are third-party platforms aligned with emerging standards?
These questions will increasingly become part of risk conversations, procurement discussions, and long-term technology planning. Because cryptography doesn’t stop at organizational boundaries. Neither does risk.
Why This Conversation Matters
The most important takeaway from this discussion is that post-quantum cryptography is no longer a future technology challenge.
It’s becoming a present-day resilience conversation.
Organizations don’t need to panic and they don’t need to overhaul every system overnight. But they do need to begin, to make the best use of the time at their disposal for prepartion.
The organizations that navigate this transition successfully won’t necessarily be the ones with the most sophisticated cryptography. They’ll be the ones that started building understanding before certainty arrived.
And that’s often how resilience works.
Watch the Full Episode
There is plenty more that Michael and I explore in the episode that I didn’t capture above. Be sure to watch now for insights to:
- The biggest challenges organizations face when starting their PQC journey.
- What leaders should prioritize today including some best practices.
- Understanding MLKEM algorithms and crypto agility.
- Infrastructure considerations for PQC.
- How Commvault is preparing for this future.
FAQs
Q: What is post-quantum cryptography (PQC)?
A: PQC refers to cryptographic algorithms designed to help remain secure against attacks from future quantum computers.
Q: What is Harvest Now, Decrypt Later?
A: It’s a strategy where attackers collect encrypted data today with the intention of decrypting it later when more advanced computing capabilities become available.
Q: Why are organizations focusing on PQC now?
A: Because preparation takes years, and sensitive data collected today may still be valuable when quantum threats become practical.
Q: What is the biggest challenge organizations face?
A: Discovery. Most organizations do not have complete visibility into where cryptography is used across their environments.
Q: Do organizations need to replace all cryptography immediately?
A: No. Most experts recommend starting with inventory, discovery, and prioritization before planning broader migrations.
Q: What should leaders do first?
A: Identify long-lived sensitive data, understand cryptographic dependencies, and begin building a roadmap for future transition.
Vidya Shankaran is Field CTO at Commvault.