WhoshouldIsee Tracks

Anyone old enough to remember Quantum Leap back in the late 80s will remember Sam Beckett jumping through time each week with the help of his AI supercomputer, Ziggy. Somehow having leaped through time myself to 2026, the idea of AI and quantum computing now feels far more fact than science fiction. 

Time travel may still be some way off, but if you happened to read my attempt at predicting the future in my annual cybersecurity predictions blog earlier this year, my final prediction was that post-quantum readiness would shift from theory to preparation. At the time, I joked that 2026 would finally be the year we saw “Q-Day”. While that deliberately dramatic prediction hasn’t materialised (yet), recent developments suggest the industry is beginning to take the prospect far more seriously. 

Most notably, Google recently published an accelerated timeline for securing the quantum era, targeting broad migration toward post-quantum cryptography (PQC) by 2029. To be clear, Google is not predicting that ‘cryptographically relevant’ (an industry term for a computer that can break widely used encryption keys) quantum computers will suddenly become widely available within the next three years. Rather, its researchers are making the very sensible point that organisations cannot afford to wait until the technology arrives before preparing for it. As Google stated directly, “Quantum computers will pose a significant threat to current cryptographic standards, and specifically to encryption and digital signatures.” Given the pace of advancement in both quantum computing and AI, that warning should not be ignored.

A New Line in The Sand

Post-quantum cryptography preparedness is by no means a new concept. The National Cyber Security Centre (NCSC) has been encouraging organisations to think seriously about security in a post-quantum world for several years, most notably through its 2020 whitepaper, Preparing for Quantum Safe Cryptography. While aimed primarily at technical policymakers, it remains one of the more accessible explanations of how public-key cryptography (PKC) works, why quantum computing presents such a significant long-term challenge to existing encryption standards, and what organisations should begin doing now to prepare.

What’s changing is not necessarily the underlying risk itself, but the urgency surrounding preparation. For a long time, post-quantum cryptography sat firmly in the category of ‘important, but later’. Increasingly, that is no longer the case.

In March 2025, the NCSC published formal guidance outlining target timelines for migration activities, specifically:

Taken in isolation, those dates may still feel comfortably far away. But for large organisations operating complex environments, legacy infrastructure, and long technology lifecycles, they are actually remarkably ambitious.

Google’s recently announced 2029 migration target is therefore best viewed not as an isolated prediction, but as the latest line in the sand from organisations increasingly treating quantum readiness as a practical planning exercise, rather than a purely theoretical concern. While the NCSC timelines are particularly relevant to government bodies, regulated industries, and critical national infrastructure (CNI), they also provide a useful benchmark for any organisation beginning to move from awareness toward action.

Harvest Now, Decrypt Later

One of the key reasons organisations are being encouraged to act early is the growing concern around so-called ‘harvest now, decrypt later’ attacks. While a cryptographically relevant quantum computer capable of breaking today’s encryption standards may not yet exist, threat actors do not necessarily need immediate access to one for the risk to become real.

The principle is relatively simple. Sensitive encrypted data stolen today can be retained indefinitely and decrypted later once sufficiently powerful quantum capabilities become available. In other words, information with a long confidentiality shelf life: intellectual property, government records, healthcare data, financial information, legal communications or classified material, may already be at risk, even if existing encryption remains secure in the near term.

This is particularly relevant for sectors handling sensitive data that needs to remain protected for many years, or in some cases, decades. What’s changing is that organisations are increasingly being asked to think not just about the security of data in the present, but the future lifespan of the cryptography protecting it.

In many ways, this is why post-quantum readiness is becoming a strategic planning issue now, rather than a last-minute technical migration exercise later. The challenge is no longer simply preparing for the arrival of quantum computing, but understanding whether data being encrypted today could still be valuable when that moment eventually arrives.

Don’t Panic, But Don’t Ignore It

At this point, it’s important to separate long-term strategic risk from immediate operational panic. Despite some of the more dramatic headlines surrounding quantum computing, organisations are not about to wake up tomorrow to find RSA and elliptic curve cryptography suddenly obsolete overnight. The reality is that most organisations are still several years away from any large-scale PQC migration becoming ‘do or die’.

Organisations of every size should be thinking about preparedness. As with many areas of cybersecurity, those who struggle most are usually the ones forced into reactive transformation under time pressure. PQC migration has the potential to become one of the most complex technology transitions many organisations will undertake because cryptography underpins almost everything: identity systems, VPNs, certificates, applications, cloud services, operational technology, embedded devices, third-party platforms, you name it.

Like any area of cybersecurity, the first practical step is therefore visibility. Before making any decisions around quantum-safe cryptography, security teams need to understand where cryptography is actually being used across the estate. In practice, that means building accurate inventories of cryptographic dependencies, identifying legacy algorithms, mapping certificate usage, and understanding where externally managed services or suppliers introduce cryptographic risk.

This is also why many organisations are now beginning to think about crypto agility; the ability to replace or update cryptographic mechanisms without major architectural redesign. Systems built with hardcoded cryptography or unsupported legacy dependencies will naturally become more difficult and expensive to transition over time. Building flexibility now reduces future migration pain later.

I think it’s important to note that none of us will be solving the quantum problem alone. Much of the transition will ultimately be driven by vendors, cloud providers, and platform manufacturers integrating PQC support into mainstream products over the coming years. The immediate challenge for most security leaders is therefore less about deploying new algorithms tomorrow and more about ensuring they are not locked into technologies that can’t evolve when the time comes.

From Theory to Preparation

In many ways, this is why post-quantum readiness is now shifting from theory to preparation.

For years, PQC was treated largely as an academic or future-looking discussion. The combination of formal migration timelines from organisations like the NCSC, increasing vendor activity and accelerating quantum research means the conversation is becoming more practical. The organisations making progress with this are not necessarily ripping out existing encryption standards. They are beginning the slow work of assessment, planning, and dependency reduction. 

For CISOs and those at the coalface of cybersecurity, the key challenge over the next few years will be balancing pragmatism with preparedness. There is little value in rushing into expensive wholesale change programmes before standards and vendor ecosystems fully stabilise. Equally, there is growing risk in assuming this remains someone else’s problem for another decade.

For most organisations, the sensible approach is not wholesale change but incremental preparation: small, actionable steps to increase visibility. Understand where cryptography genuinely matters to the organisation, identify legacy systems likely to present migration headaches later, and avoid making technology decisions now that create unnecessary lock-in later down the line.

Quantum disruption may not materialise as the sudden leap science fiction once imagined. But the direction of travel is becoming increasingly difficult to ignore, and organisations that start preparing now will almost certainly have an easier time than those waiting for complete certainty.