
3 steps to prepare for a post-quantum cryptography world - cio.com

Google News – Quantum Computing
⚡ Quantum Brief
Gartner warns cryptographically relevant quantum computers (CRQCs) could render current asymmetric encryption obsolete by 2029 and fully breakable by 2034, with "harvest-now, decrypt-later" attacks potentially already underway. NIST has standardized four post-quantum cryptography (PQC) algorithms—plus a fifth backup—urging immediate adoption as quantum threats accelerate, though no single solution is yet proven foolproof. Enterprises must audit all cryptographic assets—from IoT devices to PKI certificates—prioritizing vulnerabilities in what experts call a "needles in a haystack" challenge demanding systematic inventory and risk assessment. Organizations should adopt crypto-agile systems that abstract algorithms from applications, enabling dynamic policy-driven switches between classical and PQC methods to future-proof security infrastructure. A hybrid approach blending NIST-approved PQC and classical algorithms is critical, allowing gradual transition while mitigating risks as quantum-resistant standards evolve and real-world effectiveness is validated.

The threat is real. Here’s how to assess your landscape, vet your solutions, and incorporate NIST recommendations for a hybrid approach.

The conversation around post-quantum cryptography (PQC) has shifted as we move into 2026. What once seemed a distant concern is now quite real, as experts are actively highlighting crypto hygiene problems. In short, it’s time to get your PQC act together.

The good news is we are also seeing early implementations of post-quantum solutions, including PQC-safe code signing for firmware and software, hybrid public key infrastructure certificates, and various PQC algorithm replacements in critical applications.

The quantum problem

Briefly stated, the problem at hand is that quantum computers promise to be powerful enough to crack the algorithmic keys used in today’s PKI systems. The only question is when these quantum computers will be available, to bad actors and the industry at large.

Gartner estimates that by 2029, advances in quantum computing will make standard asymmetric cryptography unsafe and by 2034, fully breakable. “Harvest-now, decrypt-later” attacks may already exist, Gartner says. [1]

Reasonable people can disagree on the timeline, but even if there’s a 10% chance that cryptographically relevant quantum computers (CRQC) are available in the next 3-5 years, that’s a risk few can afford to take, says Blair Canavan, Director of Alliances for the PKI & PQC Portfolio with the cybersecurity solution provider Thales Group. “It warrants action now,” he says.

Standards bodies are on board with that assessment. In the US, the National Institute of Standards and Technology (NIST) has approved four PQC algorithms for standardization [2], along with a fifth just in case its first choice for the main algorithm doesn’t pan out. [3]

3 steps to prepare for PQC

Thales recommends enterprises take three specific actions to prepare for a PQC future.

1 – Assess your landscape. Cryptography is literally everywhere in today’s enterprises, including in servers, applications, APIs, network infrastructure, internet of things (IoT) components, and various types of hardware, including mobile devices. Then you’ve got the myriad components of your cryptography systems, including certificates and identities, encryption keys, ciphers, algorithms, libraries, and protocols. “It’s like needles in a haystack and now you need to make them glow,” Canavan says. “Then you need to determine the scope and priority in which you’re going to address them.”

2 – Assess solutions. As vendors introduce solutions, enterprises must focus on the ability to abstract cryptography from underlying applications and devices. Whereas today an application developer would specify which algorithm to employ for a given application, abstraction removes that obligation. Instead, the ultimate goal is to have the decision driven by cryptographically agile policy, on a dynamic basis. “Depending on the sensitivity of the application, you apply whatever algorithm policy is most appropriate,” Canavan says. “That’s what we’re aspiring to.”

3 – Focus on a NIST hybrid approach. A policy-driven approach to crypto also delivers the ability to swap out one algorithm for another. That makes it easier for organizations to comply with the hybrid approach NIST recommends. “Nobody is going to flip a switch from classical to post-quantum overnight,” Canavan says. “You’re hedging bets. The idea is to use both and wean from one to another over time.” That’s especially important given that all the NIST algorithms are new. As NIST’s choice of a fifth, “just in case” algorithm suggests, nobody is yet 100% sure which PQC algorithms will prove most effective. “You’re being realistic,” Canavan says. “The pragmatic approach is to use both classic and PQC algorithms.”

It’s also pragmatic to acknowledge you’re likely to need guidance with the PQC transition. As Canavan explains, companies like Thales Group, along with its extensive, experienced stable of ecosystem technology and delivery partners, are ready to help. There’s no time to waste. To learn more, visit the Thales Post-Quantum Cryptography Solutions page.

[1] “Begin Transitioning to Post-Quantum Cryptography Now,” Sept. 30, 2024, Gartner.com.
[2] “NIST Releases Four PQC Algorithms for Standardization,” April 13, 2024, Quantum Insider.
[3] “NIST Selects HQC as Fifth Algorithm for Post-Quantum Encryption,” March 11, 2025, NIST.
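The three steps above (inventory, policy-driven algorithm choice, hybrid transition) as an added Python example, not code from the article or from Thales: it classifies each inventoried asset as classical, hybrid or PQC, checks it against a sensitivity-based policy, and shows that tightening the policy changes the findings without touching application code. The sensitivity tiers, both policies and the inventory records are constructed for illustration, and ranking gaps by how long the data must stay secret is an assumption.

```python
from dataclasses import dataclass

# Families breakable by a CRQC (Shor's algorithm) vs. NIST-standardized PQC families.
CLASSICAL = {"RSA", "DH", "ECDH", "ECDSA", "X25519", "Ed25519"}
PQC = {"ML-KEM", "ML-DSA", "SLH-DSA"}

@dataclass(frozen=True)
class Asset:
    name: str
    algorithms: tuple    # asymmetric algorithm families found on the asset
    sensitivity: str     # label set by the data owner (hypothetical tiers)
    secrecy_years: int   # how long the protected data must stay confidential

def mode(asset):
    """Classify an asset as classical, hybrid, pqc or unknown."""
    classical = any(a in CLASSICAL for a in asset.algorithms)
    pqc = any(a in PQC for a in asset.algorithms)
    if classical and pqc:
        return "hybrid"
    return "pqc" if pqc else "classical" if classical else "unknown"

# Constructed policies: accepted modes per tier, preferred mode first.
POLICY_NOW = {"public": ("classical", "hybrid", "pqc"),
              "internal": ("hybrid", "pqc", "classical"),
              "restricted": ("hybrid", "pqc")}
POLICY_LATER = {"public": ("hybrid", "pqc"),
                "internal": ("hybrid", "pqc"),
                "restricted": ("pqc", "hybrid")}

def select_mode(policy, sensitivity):
    """What an application gets when it asks for protection by label."""
    return policy[sensitivity][0]

def audit(inventory, policy):
    """Non-compliant assets, longest-lived secrets first (harvest-now exposure)."""
    gaps = [a for a in inventory if mode(a) not in policy[a.sensitivity]]
    return sorted(gaps, key=lambda a: a.secrecy_years, reverse=True)

INVENTORY = [  # constructed sample inventory
    Asset("vpn-gateway", ("ECDH", "RSA"), "restricted", 10),
    Asset("records-archive", ("RSA",), "restricted", 25),
    Asset("partner-api", ("X25519", "ML-KEM"), "internal", 5),
    Asset("marketing-site", ("ECDSA", "X25519"), "public", 0),
    Asset("legacy-iot-hub", ("vendor-proprietary",), "internal", 3),
]

if __name__ == "__main__":
    for label, policy in (("now", POLICY_NOW), ("later", POLICY_LATER)):
        print(label, [a.name for a in audit(INVENTORY, policy)])
```

Assets whose algorithms cannot be identified are classified as unknown and always reported, since unrecognized cryptography cannot be shown to satisfy any policy.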
