Why now’s the time to prepare for the quantum computing era - SC Media

Security Strategy, Plan, Budget, Security Operations, SOC, Threat Management, Government securityWhy now’s the time to prepare for the quantum computing eraFebruary 23, 2026ShareBy Marc Puverel(Adobe Stock) COMMENTARY: For the last decade, quantum computing has been a technology that was coming, but not soon enough to worry about it today. We had important work to do: like killing the password and patching every server.That luxury has evaporated. The future arrived faster than we expected. Guidance from NIST, CISA, and Gartner has shifted from gentle nudges to loud warnings.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]NIST has said that the transition to a secured quantum computing era will consist of a “long-term intensive community effort that will require extensive collaboration between government and industry.”NIST goes on to tell organizations to start their quantum computing journeys sooner than later.By 2029, quantum computing will likely crack traditional RSA and ECC encryption that now holds the internet together.And, sophisticated attackers aren’t waiting for quantum computers to begin exploiting cryptography: they are already harvesting encrypted data today. Nation-state actors are collecting encrypted communications and long-lived sensitive data, betting that future advances will render today’s protections ineffective.Ransomware groups exfiltrate encrypted backups and archives, knowing that weak key governance, identity exposure, or cryptographic decay can turn inaccessible data into future leverage.This resets the assumptions security leaders have relied on for decades.The inventory nightmareThe industry presents post-quantum migration as a linear process: team, inventory, prioritize, and migrate. While it's easy to recommend building a cryptographic inventory, it's very hard to operationalize at scale.Most security teams rely on traditional discovery tools that are great at scanning networks for public certificates. But those scans are surface-level. They completely miss the messy, tangled reality of modern infrastructure.They miss the keys in applications. From the hard-coded keys buried in legacy applications to software libraries used by off-the-shelf and in-house developed or open source software to ephemeral keys spinning up and down in Kubernetes clusters. They miss shadow IT service accounts that developers set up to bypass friction.We don’t just have to know what keys and libraries are crypto-capable, we now need to know what our systems actually use. Just because our systems are crypto-capable doesn’t mean they actually use post-quantum cryptography (PQC). For example, a server might use an RSA PQC vulnerable certificate, but it’s capable of using a PQC algorithm for key exchange (ML-KEM). This means that we need both static discovery and observation of what’s happening on the network.Lacking that visibility, many of us are flying blind today.Stop counting keys, start tracking identitiesHow do we fix the visibility gap? We need to stop treating cryptography as a math problem and start treating it as an identity problem.Cryptographic credentials don't float in space. They are always attached to something: a person, a server, a bot, an agent, or an application. A certificate, key, or equivalent credential is effectively just an ID card for a machine or service.When we shift our focus from "finding keys" to "mapping identities," the picture clears up. We move from a chaotic list of random file paths to a contextual map of our environment. This identity-first approach can make PQC migration manageable. It does the following:Contextualizes risk: If we hand a generic list of 10,000 weak certificates to an IT team, they will freeze. Where do they start? But if we link those certificates to identities, we can triage. We can see that this certificate belongs to a critical payment gateway, while that other one belongs to a dev-test sandbox. We fix the items that actually matter first.Solves the "Who owns this?" mystery: We’ve all been there: staring at a vulnerable SSH key on a critical server, afraid to rotate it because we don't know what it breaks. When we discover crypto through the lens of identity, we automatically see the owner. We turn a detective project into a simple remediation ticket.Catches the machines: In modern DevOps, machine identities outnumber human users by a massive margin. Bots create their own keys, use them for seconds, and discard them. Traditional scanners miss this entirely. An identity-centric view captures the automated underbelly of the enterprise, ensuring we aren't leaving the back door open while we lock the front.The cost of waitingGartner compares this migration to Y2K, but that analogy falls short. Y2K had a fixed deadline and a known bug. PQC has a moving deadline and requires replacing the very foundation of trust in our systems. And it’s all at a much bigger scale. An enterprise can have hundreds of millions of assets relying on cryptographic credentials.Delaying by another year only narrows our options. It turns a decade of accumulated cryptographic and identity debt into a compressed, high-risk sprint.The quantum era will come soon, whether we feel ready or not.Stop counting certificates. Start looking at identities. And start now.Encryption and digital signatures are not a one-time control: they are systems that we must continuously govern through strong identity assurance, disciplined key management, and crypto agility.In other words, it’s hard.Marc Puverel, vice president of product, AxiadSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.Marc PuverelRelatedSecurity Strategy, Plan, BudgetA practitioner’s view of the Trump administration’s new cyber policySagy KratuMarch 11, 2026The recent Trump administration cyber policy delivers a strong message, but it’s short on specifics. Governance, Risk and ComplianceTrump cyber policy focuses on offensive operations, harnessing AISteve ZurierMarch 9, 2026Trump cyber policy shifts from secure-by-design towards offensive operations.

Zero Trust WorldThe importance of keeping calm in trying circumstances: Zero Trust World 2026Paul WagenseilMarch 8, 2026ThreatLocker's annual conference closed with lessons about preparation and execution. Get daily email updatesSC Media's daily must-read of the most current and pressing daily newsBusiness EmailBy clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.