Preparing for the quantum shift: Why post-quantum readiness cannot wait

Written by David Woodfine | Feb 6, 2026 11:35:43 AM

The debate around quantum risk is gathering momentum, and rightly so. Research such as Mastercard’s recent exploration of post‑quantum cryptography (PQC) shows the scale of the challenge [1], yet many organisations still underestimate the strategic and operational disruption quantum computing will bring.

In this article, I’ll cover why quantum‑driven disruption is accelerating, the underlying gaps materialising across current cryptographic models, and the practical steps leaders should prioritise now to strengthen resilience.

 

Quantum threats require leadership, not lip service

Today’s digital infrastructure relies on cryptographic foundations that were never designed to withstand quantum‑scale computing. The threat is no longer theoretical. Attackers are already engaging in 'Harvest Now, Decrypt Later' activity, collecting encrypted data with the intention of unlocking it once quantum capability matures. This is reinforced in sector research, including Mastercard’s assessment of the evolving threat landscape [1].
 
Organisations cannot afford a passive or reactive stance. Without early modernisation, cryptographic weaknesses grow quietly inside the environment and may only surface once a breach has already occurred, long after the point at which the risk could have been avoided.
 
 
Post-quantum cryptography is the practical route forward

Research positions post-quantum cryptography as the most viable approach [2], and my own assessment aligns: it is the only approach that can scale across the complexity and diversity of modern enterprise systems.
 
Crypto-agility must now be treated as a design principle. When cryptography is hard‑coded, undocumented, or fragmented across legacy systems, the transition to quantum‑safe algorithms becomes slower, riskier and significantly more expensive. The starting point is a complete cryptographic inventory, because organisations cannot secure or migrate what they cannot see.
 
 

Compliance timelines should not define the strategy

Regulations such as the Quantum Computing Cybersecurity Preparedness Act and the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) provide useful clarity on expected timelines, including pathways to compliance by 2033.
 
However, compliance is not the same as security.
 
Regulatory deadlines should represent the latest acceptable finish date and not the point at which preparation begins. Waiting until the early 2030s to start migrating will place organisations behind both the threat curve and their industry peers.
 
 

Culture is the real barrier to quantum readiness

The technology to begin this transformation exists today, but the real challenge lies within the organisational mindset. Security teams largely understand what needs to be done, but boards and executive leaders must recognise post‑quantum migration as a resilience programme, one that protects the organisation’s future.
 
Adversaries are already taking advantage of the time they have, so organisations must do the same.
 
 

Where organisations should begin

To make meaningful progress, leadership teams should prioritise:
 
  1. Cryptographic discovery
    Map all algorithms, certificates, key stores, and dependencies. Understanding current cryptographic exposure is the foundation of any successful PQC programme.
     
  2. Quantum risk prioritisation
    Identify the data that would cause lasting or catastrophic impact if compromised in the future, even if it appears secure today.

  3. PQC roadmapping
    Develop a staged transition plan that incorporates hybrid approaches, such as combining Elliptic Curve Cryptography (ECC) with Module-Lattice Key Encapsulation Mechanism (ML‑KEM). This helps teams progress early while maintaining operational continuity.

  4. Embedding crypto-agility
    Ensure future systems can adapt quickly to cryptographic change to avoid becoming trapped in the next generation of legacy algorithms. Build agility in from the outset, not as a retrofit.
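
As an illustration of steps 1 to 3 for one slice of an inventory (TLS endpoints), the added example below, which is not from the original article, ranks constructed scan records by 'Harvest Now, Decrypt Later' exposure. The host names, record fields and ranking rule are assumptions made for the example; the hybrid entries are the TLS named groups that pair ECC with ML‑KEM.

```python
# Added example: constructed records, hypothetical hosts and field names.
HYBRID_GROUPS = {"x25519mlkem768", "secp256r1mlkem768"}  # ECC + ML-KEM TLS groups
CLASSICAL_SIG = ("rsa", "ecdsa", "ed25519")  # forgeable with Shor's algorithm

INVENTORY = [  # constructed sample data, as a TLS scan might record it
    {"host": "payments.example", "suite": "TLS_AES_256_GCM_SHA384",
     "group": "x25519", "cert_key": "ECDSA-P256", "secrecy_years": 10},
    {"host": "archive.example", "suite": "TLS_RSA_WITH_AES_128_CBC_SHA",
     "group": "", "cert_key": "RSA-2048", "secrecy_years": 25},
    {"host": "portal.example", "suite": "TLS_AES_128_GCM_SHA256",
     "group": "X25519MLKEM768", "cert_key": "RSA-3072", "secrecy_years": 10},
    {"host": "status.example", "suite": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
     "group": "secp256r1", "cert_key": "RSA-2048", "secrecy_years": 0},
]


def kex_of(rec):
    """Key exchange in use: static RSA is named in a TLS 1.2 suite; for
    (EC)DHE suites and all TLS 1.3 suites the negotiated group decides."""
    suite = rec["suite"]
    if "_WITH_" in suite and suite.split("_WITH_")[0] == "TLS_RSA":
        return "rsa"
    return rec["group"].lower()


def assess(rec):
    kex = kex_of(rec)
    # Anything that is not a known hybrid group is treated as classical-only:
    # traffic recorded today can be decrypted later (harvest now, decrypt later).
    hndl = kex not in HYBRID_GROUPS
    # Certificate signatures only become forgeable once a quantum attacker
    # exists, so they rank below confidentiality exposure.
    sig = rec["cert_key"].lower().startswith(CLASSICAL_SIG)
    return {"host": rec["host"], "kex": kex, "hndl": hndl,
            "sig_exposed": sig, "secrecy_years": rec["secrecy_years"]}


def prioritise(inventory):
    """Rank: HNDL exposure first, longest-lived data first, then signatures."""
    rows = [assess(r) for r in inventory]
    return sorted(rows, reverse=True, key=lambda a: (
        a["hndl"], a["secrecy_years"] if a["hndl"] else 0, a["sig_exposed"]))


if __name__ == "__main__":
    for a in prioritise(INVENTORY):
        print(a["host"], a["kex"], "HNDL" if a["hndl"] else "hybrid",
              "classical-cert" if a["sig_exposed"] else "pq-cert")
```

The hybrid endpoint still appears in the output with a classical certificate: moving key exchange to ECC plus ML‑KEM addresses recorded-traffic exposure, while the signature side remains a separate migration item.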

 

The bottom line

Quantum computing will reshape cybersecurity whether organisations prepare for it or not. 
 
The latest research is clear: early adopters strengthen resilience, build greater trust, and reduce the long‑term cost of transformation, turning readiness into a competitive advantage.
 
The organisations that take action now will approach the quantum transition with confidence. Those that delay will face higher cost, greater pressure and greater risk at the point of transition.
 
With UK regulation steadily evolving to mandate stronger security baselines across critical sectors, now is the ideal moment for organisations to build quantum‑ready resilience, whether formally in scope or not. 
 
Access our leader's introduction guide to the impending Cyber Security and Resilience Bill to understand how it can support your resilience journey.
 

 

 

 

References

[1] Mastercard, 2025. Migration to post-quantum cryptography.
[2] PQShield, 2025. Mastercard addresses migration to post-quantum cryptography.