Here’s a question most boards aren’t asking yet: what happens when the encryption protecting your organisation’s most sensitive data can be broken in minutes?
It sounds dramatic, but that’s the reality of the quantum computing threat. The encryption algorithms that underpin virtually every secure transaction, communication and authentication process in use today (RSA, ECC, Diffie-Hellman) were never designed to withstand the computational power of a cryptographically relevant quantum computer. When that capability arrives, and credible estimates place it within the next decade, these algorithms will no longer provide the protection organisations depend on.
Post-Quantum Cryptography (PQC) is the collective term for the new generation of cryptographic algorithms designed to remain secure against both classical and quantum computers. Whilst the technology itself is deeply complex, the business challenge is refreshingly simple: it’s time to prepare now.
The Threat That’s Already Here
One of the most common misconceptions about PQC is that it’s a future problem. In fact, the risk is present-day.
Sophisticated threat actors are already executing what the industry calls “Harvest Now, Decrypt Later” (HNDL) attacks: intercepting and storing encrypted data today with the expectation that quantum computers will eventually allow them to decrypt it. For any organisation handling data with a long shelf life (government records, financial transactions, health data, intellectual property and so on), the data you’re encrypting today may already be compromised in principle.
There is also a less discussed but equally serious threat: “Trust Now, Forge Later” (TNFL). This targets the integrity side of cryptography. Digital signatures that validate software updates, authenticate identities and verify documents all rely on the same vulnerable algorithms. A quantum-capable adversary could forge signatures retrospectively, undermining trust in systems, signed code and digital identities that were considered secure at the time they were created.
At Unsung, we see HNDL and TNFL as the two key risks of the quantum threat: one targets confidentiality, the other targets trust. The inevitable truth is that your business will be affected by one or both of these risks, regardless of your sector, cyber security posture or location.
Know What You’ve Got Before You Can Protect It
If there’s one lesson we’ve learned from helping organisations across government, defence, healthcare and critical infrastructure, it’s that you cannot secure what you cannot see. Most organisations have no comprehensive view of where cryptographic controls are used across their estate: which algorithms protect which systems, where certificates are deployed, what key lengths are in use, or which applications depend on specific cryptographic libraries.
This is where a Cryptographic Bill of Materials (CBOM) becomes essential. Think of it as a detailed inventory of every asset’s cryptographic capabilities, dependencies and algorithms across your environment. It provides the visibility needed to understand your current exposure, prioritise what needs to change first and build a credible transition plan. Without a CBOM, any PQC impact assessment and migration effort is guesswork. With a CBOM, it becomes a structured, risk-informed programme of work. Our CBOM service helps organisations build exactly this foundation.
Crypto-Agility Is the Real Strategic Goal
One of the pitfalls we counsel organisations to avoid is treating PQC as a one-off ‘algorithm swap’. Organisations that approach this challenge with point solutions will struggle; those that build genuine capability will succeed.
The real objective isn’t simply to replace RSA with a quantum-resistant alternative. It’s to build crypto-agility: the ability to adopt, replace and rotate cryptographic algorithms quickly and safely as standards evolve, new threats emerge or existing algorithms are deprecated. NIST has set firm deadlines for phasing out current algorithms, with deprecation beginning from 2030 and completing by 2035. But the standards landscape will continue to shift beyond those dates. Organisations that invest in agility now will be far better positioned to respond, not just to the quantum threat, but to whatever comes after it.
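To make the crypto-agility point concrete, here is an added illustration (not Unsung’s code) of a signature envelope whose algorithm is chosen by a policy object rather than hard-coded, with the deprecate/disallow dates taken from the NIST timeline quoted above. The algorithm names, key identifiers and the keyed-HMAC stand-ins are constructed for the example; the standard library has no PQC signature scheme, so the dispatch and retirement pattern is the point, not the primitive.

```python
"""Crypto-agile signature envelope: algorithm selected by policy, retired on a schedule."""
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date

# Stand-in primitives (constructed): keyed HMAC plays both the "legacy" and the
# "quantum-safe" role so the example runs offline with the standard library only.
ALGORITHMS = {
    "legacy-hmac-sha1": lambda key, msg: hmac.new(key, msg, hashlib.sha1).digest(),
    "agile-hmac-sha3": lambda key, msg: hmac.new(key, msg, hashlib.sha3_256).digest(),
}

@dataclass(frozen=True)
class Policy:
    default_alg: str
    deprecate_after: dict = field(default_factory=dict)  # alg -> no new signatures from this date
    disallow_after: dict = field(default_factory=dict)   # alg -> no verification from this date

# Dates mirror the NIST timeline in the post: deprecation from 2030, complete by 2035.
POLICY = Policy(
    default_alg="agile-hmac-sha3",
    deprecate_after={"legacy-hmac-sha1": date(2030, 1, 1)},
    disallow_after={"legacy-hmac-sha1": date(2035, 1, 1)},
)

def sign(keys: dict, kid: str, msg: bytes, today: date, alg: str = "", policy: Policy = POLICY) -> dict:
    """Return an envelope naming the algorithm and key id, so verifiers dispatch on it."""
    alg = alg or policy.default_alg
    if alg not in ALGORITHMS:
        raise ValueError(f"unknown algorithm {alg}")
    if today >= policy.deprecate_after.get(alg, date.max):
        raise ValueError(f"{alg} is deprecated for new signatures")
    return {"alg": alg, "kid": kid, "sig": ALGORITHMS[alg](keys[kid], msg).hex()}

def verify(keys: dict, env: dict, msg: bytes, today: date, policy: Policy = POLICY) -> bool:
    """Accept only known, still-allowed algorithms and known keys; compare in constant time."""
    alg, kid = env.get("alg"), env.get("kid")
    if alg not in ALGORITHMS or kid not in keys:
        return False
    if today >= policy.disallow_after.get(alg, date.max):
        return False  # past the disallow date even historical signatures no longer count
    expected = ALGORITHMS[alg](keys[kid], msg)
    return hmac.compare_digest(expected, bytes.fromhex(env.get("sig", "")))
```

Swapping in a new algorithm is a one-line addition to `ALGORITHMS` plus a policy change; callers never name the primitive.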
Practical Steps You Can Take Today
The good news is that preparing for PQC does not require massive upfront investment or a wholesale infrastructure replacement. It starts with sensible, proportionate steps that any organisation can take now:
- Understand your current cryptographic landscape. Commission a PKI health check as the first step of discovery. Identify which systems handle your most sensitive, longest-lived data and prioritise those for early attention, then carry out a CBOM of the systems identified for further in-depth analysis.
- Assess your PKI architecture for crypto-agility: can your certificate authorities, key management processes and trust chains support algorithm changes without a full rebuild?
- Engage your leadership team. This is not purely a technical exercise; it has implications for procurement, compliance, supplier assurance and risk management, and it belongs on the board agenda.
We suggest being wary of vendor-driven urgency. Whilst the PQC transition is genuinely important, the market is awash with overblown claims and unnecessary complexity. Seek independent, vendor-neutral guidance that focuses on your organisation’s actual risk tolerance, not on selling you a product.
Start the Conversation Now
At Unsung, we’ve spent over 15 years helping organisations across the public and private sector design, deliver and manage their PKI environments. We’re now applying that same depth of expertise to the post-quantum transition and are helping our clients build their cryptographic inventories, assess their readiness, and develop practical migration strategies that align with NIST timelines and real-world operational constraints.
We’ve published a comprehensive whitepaper, Post-Quantum Cryptography: A Strategic Whitepaper for the C-Suite, which sets out the full picture – the threats, the timelines, the practical frameworks, and the questions boards and CISOs should be asking right now in order to start your organisation’s PQC journey on solid ground.
Todd Beldham
Todd Beldham is Founder and CTO at Unsung Limited, a UK-based specialist PKI consultancy.