



























Getty
Post-quantum cryptography is moving from a future security concern to a practical planning issue for organizations. Quantum computers powerful enough to break widely used public-key encryption aren’t here yet, but the risk is already relevant, since attackers can collect encrypted data now and decrypt it later when the technology catches up.
NIST finalized its first three post-quantum cryptography standards in 2024, giving organizations a clearer path forward, but migration won’t be as simple as swapping in a new tool. Below, Forbes Technology Council members share practical steps leaders can take now to strengthen cryptographic agility and prepare their systems for a post-quantum future.
Classify your data by its sensitivity lifespan, not just its current value. Encrypted financial records may be worthless in five years, but patient health data or contracts stolen today remain dangerous for decades. Prioritizing migration based on how long data must stay confidential focuses on quantum-readiness, where the exposure window is longest and the real organizational risk actually lives. - Jagadish Gokavarapu, Wissen Infotech
As organizations prepare for post-quantum cryptography, leaders must inventory and centralize their cryptographic assets now to enable true agility. You can’t upgrade what you can’t see, and visibility into where and how encryption is used is the foundation for rapidly adopting post-quantum standards as they evolve. - Suman Sharma, Ping Identity
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives. Do I qualify?
The first step is to automate your cryptographic inventory. Why? You can’t replace what you can’t find. Identifying where legacy algorithms are buried is the only way to move toward a “swappable” architecture. This turns a future “rip-and-replace” crisis into a controlled upgrade, ensuring you can deploy post-quantum standards without breaking your stack or leaving hidden vulnerabilities. - Abhik Biswas, Prakat Solutions Inc.
Don’t assume that this is purely a cybersecurity or IT issue; bring others along. Is your procurement team aware of your new cyber requirements? Have you considered working with the business to accelerate the modernization of old systems? Don’t underestimate the complexity of the journey. It takes a big team to transform. - Scott Buchholz, Deloitte
Leverage AI to accelerate cryptographic discovery and risk prioritization. Manually auditing encryption is too slow for quantum timelines. AI rapidly identifies vulnerable algorithms, assesses exposure and recommends migration paths, turning an overwhelming transition into a roadmap. Leaders who embed AI into their crypto-agility strategy today will adapt faster when quantum threats become real. - Mohit Gupta, Damco Solutions
Leaders need to understand that simply adopting post-quantum encryption algorithms doesn’t give them any guarantee of security. They must also tackle forward secrecy, mutual certificate-based verification, and true multilayered end-to-end key exchange and authenticated encryption. - Federico Simonetti, Xiid Corp.
Crypto-agility means that root-of-trust components in new chips should include more than one means of quantum-safe firmware verification—for example, both ML-DSA and LMS/XMSS options. This way, fielded chips can reliably mitigate potential future problems with the security of one of the new algorithms. - Steven Woo, Rambus
Leaders should assess whether existing organizational tools can automatically detect and track cryptographic use. This matters because post-quantum migration won’t be a one-time replacement project. Without automated visibility, they may miss hidden or hardcoded cryptography across code, applications, hardware and third-party systems, making future transitions slower, riskier and more expensive. - Klaudia Zaika, Apriorit LLC
You should evaluate whether your data can be attacked by someone who will actually have a working quantum computer. Right now, I only see governments and some IT giants having access to quantum computers. Why should they decrypt your data? Is it worth it? Do you think governments and IT giants want to hurt you? It’s simple and affordable to protect the authenticity of your data by using the blockchain. It might be encryptable, but it’s not tamperable. - Thomas Berndorfer, Connecting Software
We need to stop hardcoding cryptography. Build crypto agility by abstracting algorithms behind policy-driven layers so keys, protocols and libraries can be swapped without breaking systems. Most environments are tightly coupled to legacy crypto, making migration slow, risky and often ignored until it is too late. - Radhakrishnan PN, HPE
Inventory every cryptographic dependency now, including certificates, libraries, protocols, hardcoded algorithms and third-party services. You cannot migrate what you cannot see. A clear crypto inventory is the foundation of agility because it lets teams prioritize high-risk systems, swap algorithms faster and avoid costly surprises later. - Rohit Muthyala, ZoomInfo Technologies Inc.
Prioritize migration by how long your data needs to stay confidential, not how critical the system is. A modern system housing records that expire in two years isn’t your biggest risk. Harvest now, decrypt later attacks are a bigger risk when they target patient records, contracts and IP filings that will still matter in 15 years. Migrate those first to make sure they are the most protected. - Luke Wallace, Bottle Rocket
Post-quantum cryptography isn’t a spectator sport. NIST finalized the PQC draft in 2024, and implementations are already available in different programming languages. Today, you need to run your own certificate authority for FIPS 204. Start rolling out PQ keys, and get experience managing and operating those keys, as they are a bit larger. Start signing, hashing and exchanging messages. Good luck and have fun! - Victor Paraschiv, broadn
Pressure-test live environments now to see what actually breaks when PQC changes hit, because the transition will be rocky and take years. Equally important, require every vendor to show a credible PQC roadmap across the products you rely on. Partner with firms that can help today and develop a practical migration plan, not another slide deck. - Denis Mandich, Qrypt
Stop treating cryptography as static—treat it as perishable. Introduce “crypto chaos drills” that deliberately expire keys and swap algorithms in live environments. This actively exposes hidden dependencies and builds muscle for automated change. True agility isn’t choosing PQC early—it’s ensuring your architecture auto-heals when legacy crypto inevitably breaks. - Deep Narayan Mishra, Walmart Inc.
Most leaders won’t have the engineering bandwidth to audit every TLS library, signed binary and vendor SDK themselves. Partner with AI-enabled cryptographic auditing firms to scan the surface and produce a prioritized vulnerability map. The point isn’t to migrate everything; it’s to identify what actually matters, then concentrate scarce resources there. - Lihong Wang, Freeport Markets
Abstract every cryptographic primitive behind a swappable interface, then maintain a versioned inventory of what calls each primitive. Most teams know they need a crypto inventory. Few have the abstraction layer that lets them swap an algorithm without rewriting application code. Crypto agility is an interface design problem first, a math problem second. Build the interface now. - Nikhil Jathar, AvanSaber Technologies
One key step is to decouple cryptographic logic from application logic. By abstracting encryption into modular, replaceable layers (crypto-agility architecture), organizations can swap algorithms without rewriting core systems. This matters because post-quantum standards are still evolving—agility, not prediction, is what prevents costly systemwide rewrites later. - Wade Hang Song, TEA AI
Effective post-quantum readiness won’t rely solely on cryptographic algorithms. Long-lived, sensitive and sovereign data are the true exposure points, underprotected and subject to increasingly common “harvest now, decrypt later” attacks. That’s why PQC should begin with the adoption of continuous, data-first governance and hybrid lifecycle enforcement, reducing exposure before it’s too late. - Thyaga Vasudevan, Skyhigh Security
Crypto-agility is a goal, but a tool that provides an automated cryptographic inventory and tracks remediation is a strong “how.” Consider a dashboard that shows applications, including keys and libraries; network traffic protocols and ciphers; hardware, such as HSMs and TPMs; and third-party dependencies, including cryptographic or software bills of materials. Changes on the way to PQC will show up there. - Kim Bozzella, Protiviti
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。