How Executives Can Lead The PQC Migration

Posted by Ted Shorter, Forbes Councils Member


Ted Shorter has worked in the security arena for 25+ years, including 10 years with the DOD and 15 years at Keyfactor, where he serves as CTO.

2025 marks a turning point for post-quantum cryptography (PQC) as new standards take center stage and become urgent priorities that the C-suite can no longer afford to ignore.

For the past three decades, the industry has effectively had only two asymmetric encryption standards to safeguard all digital communications: the RSA and ECC cryptographic algorithms. In 2024, the National Institute of Standards and Technology (NIST) introduced three new algorithm standards to replace them and set a 2030 deadline for the deprecation of legacy encryption algorithms. A fourth quantum-resistant standard is expected in 2025, and momentum continues to build: NIST has announced that it has selected a fifth algorithm and expects to issue a finalized standard in 2027.

These developments provide a clear message: RSA and ECC are on borrowed time, and organizations must prepare now for the wave of new public key algorithms that will define the future of digital trust.

As more quantum-resistant algorithms emerge in the coming years, industries in high-risk sectors will be among the first to prioritize their PQC transition. Gartner recognized PQC as one of the top strategic technology trends for 2025, underscoring the urgency for organizations to act. With quantum advancements accelerating, 2025 marks a critical inflection point for organizations to begin their transition or risk falling behind.

Industries On The Front Lines Of PQC Transition

Based on my experience, we’re seeing the most engagement in PQC migration conversations from the finance, telecom and government sectors. These highly regulated industries hold extremely sensitive data, making them increasingly aware of the threat and therefore prime candidates for early adoption. While these industries are starting their PQC migration journeys first, it’s important to note that all organizations need to make this transition—and the sooner, the better.

Given the heightened awareness of quantum computing and the weight of regulation and compliance frameworks, these industries will face escalating risks to data security, prompting more stringent regulatory mandates and an urgent need to implement PQC-ready solutions such as public key infrastructure (PKI) to protect critical infrastructure and consumer trust. Many of these organizations have already established what Gartner calls a cryptographic center of excellence, a dedicated team responsible for managing cryptographic infrastructure and regulatory compliance, positioning them to lead the transition.

So, how can the C-suite prepare their organizations for the coming shift?

Preparing For The Post-Quantum Era: A C-Suite Playbook

While security teams are often tasked with helping their organizations prepare for PQC migration, it should not solely fall on their shoulders. In fact, it would be a mistake to think that the transition doesn’t require a cultural shift starting at the C-suite and board level. Here are a few steps that members of the C-suite must take to ensure their organization is fully prepared.

Set a quantum resilience mindset.

While preparing initial steps toward migrating is often an endeavor for security teams, the board and C-suite will play a critical role in determining the investment and effort put into transitioning. As a CEO, CTO or CIO, it’s important to encourage the wider enterprise to prepare and adopt strategies essential to creating quantum resilience.

Foster a culture of continuous adaptation and crypto-agility by educating leadership and key stakeholders on quantum risks, integrating PQC readiness into long-term security strategies and prioritizing agility in cryptographic updates.

Don’t wait for regulations to begin the transition; lead it.

Now that NIST has released its first set of PQC standards, it’s only a matter of time before regulations become more prevalent globally. The C-suite must take a proactive stance, championing PQC readiness across their organizations. This means assembling cross-functional teams, investing in cryptographic agility and embedding PQC migration into long-term security and compliance strategies.

Executives should drive the development of a phased transition plan, prioritizing critical systems and aligning with emerging standards from NIST and industry leaders. Taking action now will not only ensure regulatory compliance but also protect business continuity and maintain customer trust in an era of quantum uncertainty.

Prepare your infrastructure.

The finalization of the first suite of algorithms from NIST marks an essential milestone. Preparation should include gathering an inventory of all cryptography used and building out automation systems to ensure that your organization can transition quickly, especially in the most sensitive parts of the security ecosystem.

This preparation is too broad and deep to be done manually; it requires automation capabilities to update certificates, keys and trust stores. From there, CSOs, CISOs and other security leaders can begin testing the system’s ability to issue quantum-resistant certificates.

Collaborate with industry and government.

Engage with cybersecurity experts and regulatory bodies to stay ahead of evolving PQC developments and ensure compliance with future requirements. It’s equally as important, if not more so, to have conversations with your vendors on their PQC transition road map. This will be critical for your planning; you can’t transition until your vendors do.

The Next Chapter In PQC: What C-Suite Leaders Must Prepare For

The payment card industry (PCI) security standards require organizations to maintain a comprehensive inventory of cryptographic algorithms and protocols used. Specifically, the inventory of trusted keys helps organizations track algorithms, protocols, key strength, key custodians and key expiry dates, ensuring they can respond quickly to vulnerabilities discovered in cryptographic algorithms.

Although PQC is not explicitly mentioned in this edition of the PCI standards, the depth of cryptographic inventory required is exactly the kind of inventory organizations need to lay the groundwork for the transition to quantum resistance. Establishing full visibility into cryptographic assets is an imperative first step toward post-quantum readiness. As quantum threats become more imminent, it’s only a matter of time before regulations begin addressing PQC directly and mandating processes that lead to post-quantum readiness.
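As an added example (not code from this article, Keyfactor or the PCI council) of the cryptographic inventory described under "Prepare your infrastructure" and in the PCI passage above: a small stdlib Python triage that sorts constructed inventory rows (algorithm, protocol, key strength, custodian, expiry) into migration categories against the 2030 deprecation deadline. The category labels, the classical minimum key sizes and the sample systems and owners are my assumptions.

```python
# Added example (stdlib only): triage a cryptographic inventory against the
# 2030 deadline for legacy public-key algorithms. Inventory rows are constructed
# sample data, not output of any real PKI or key-management system.
from dataclasses import dataclass
from datetime import date

QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA"}  # broken by a large quantum computer
QUANTUM_RESISTANT = {"ML-KEM", "ML-DSA", "SLH-DSA"}         # NIST FIPS 203/204/205 (2024)
MIN_BITS = {"RSA": 2048, "DH": 2048, "DSA": 2048, "ECDSA": 256, "ECDH": 256}  # classical floor (assumed)
DEADLINE = date(2030, 1, 1)  # deprecation date the article cites
# Order in which a phased migration plan should address each category (assumed labels).
PRIORITY = ["weak-today", "in-use-past-deadline", "replace-at-renewal", "review", "quantum-resistant"]

@dataclass(frozen=True)
class KeyRecord:  # the fields the PCI inventory requirement asks for
    name: str
    algorithm: str
    key_bits: int
    protocol: str
    custodian: str
    expires: date

def classify(rec: KeyRecord) -> str:
    """Assign a migration category to one inventory record."""
    if rec.algorithm in QUANTUM_RESISTANT:
        return "quantum-resistant"
    if rec.algorithm not in QUANTUM_VULNERABLE:
        return "review"  # symmetric or unrecognised algorithm: needs a human look
    if rec.key_bits < MIN_BITS[rec.algorithm]:
        return "weak-today"  # below classical minimums; fix regardless of PQC
    if rec.expires >= DEADLINE:
        return "in-use-past-deadline"  # still live when RSA/ECC are deprecated
    return "replace-at-renewal"  # expires first: issue its successor with a PQC algorithm

def migration_order(inventory: list) -> list:
    """Return (category, name, custodian) tuples, highest priority first, then soonest expiry."""
    rows = sorted(inventory, key=lambda r: (PRIORITY.index(classify(r)), r.expires))
    return [(classify(r), r.name, r.custodian) for r in rows]

# Constructed sample inventory (hypothetical systems and owners).
SAMPLE_INVENTORY = [
    KeyRecord("api-gateway-tls", "RSA", 2048, "TLS 1.2", "platform-team", date(2031, 6, 1)),
    KeyRecord("code-signing", "ECDSA", 256, "X.509 signing", "release-eng", date(2028, 3, 1)),
    KeyRecord("legacy-vpn", "RSA", 1024, "IPsec", "net-ops", date(2026, 1, 1)),
    KeyRecord("pqc-pilot", "ML-KEM", 768, "TLS 1.3 hybrid", "crypto-coe", date(2027, 1, 1)),
    KeyRecord("db-key-wrap", "AES", 256, "key wrapping", "crypto-coe", date(2030, 12, 31)),
]
```

Running `migration_order(SAMPLE_INVENTORY)` puts the 1024-bit VPN key first, then the RSA certificate that would still be live in 2031, so the output doubles as the prioritized list a phased transition plan needs.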

Quantum computing is no longer a distant possibility; it’s shaping the future of cybersecurity today. 2025 will be a pivotal year for PQC, with emerging guidelines and standards taking center stage as companies begin their transition. In the meantime, NIST and other government organizations have set extremely aggressive deprecation dates, and it’s likely that other compliance frameworks will follow suit.

While the quantum threat is not today’s reality, compliance and regulation will drive the PQC transition, prompting the C-suite to take action now.
