8 Tips to Prepare for Quantum Computing and Post-Quantum Cryptography

Quantum computing represents a “prepare-thoughtfully” risk rather than a “drop-everything-now scenario,” according to IANS Faculty Member  Russell Okoth. While practical quantum computers may still be years away, the strategic groundwork for post-quantum cryptography transitions could and should begin today.

Here's how IANS Research faculty members and security experts recommend organizations should approach this challenge systematically.

1. Assess Your Data’s Long-Term Value

Preparing for quantum computing depends on one question: Does your organization handle data that bad actors would harvest today to decrypt years later? As IANS Faculty Member Jake Williams says, “The biggest thing that matters here for me is if I have data traversing the internet and using asymmetric encryption algorithms that a nation-state threat actor (or someone with ISP-level network access) would find valuable to store and decrypt X years later.”

Williams adds: “My personal take is that you have at least 10 years before a practical quantum computer is available to governments.” Most organizations don't handle data with sufficient long-term value to warrant immediate concern, but organizations in national security, defense, or sensitive financial sectors should start planning.

READ MORE: Tips to Prevent Quantum Computing Encryption Data Breaches

2. Build a Cryptographic Inventory

Effective transition planning requires visibility into your current cryptographic landscape. Okoth recommends organizations “build a crypto inventory and identify crown jewel systems,” while evaluating “whether your data will retain value five to 10+ years from now.”

IANS Faculty Member Alex Sharpe emphasizes pragmatism: “Pull together an inventory so you know what to upgrade. Recognize your inventory will not be perfect. Something will be missed.” The goal is comprehensive coverage, not perfection.

3. Prioritize Within Your Overall Security Portfolio

Quantum readiness must compete for resources alongside more immediate security concerns. IANS Faculty Member Adam Shostack advises CISOs to “assess the urgency of moving relative to other activities you're working on, which are almost certainly higher priority.”

IANS Faculty Member Kevin Beaver  says: “I can't imagine this being a top priority unless and until you have fully mastered all the basics of a security program, including vulnerability management, patch management, endpoint security, network visibility, and incident response, user education, and so on."

4. Embed Quantum Readiness in Procurement and Architecture Decisions

Preventing future cryptographic debt starts with today’s decisions. Okoth recommends organizations “ensure systems you deploy now can swap to NIST PQC (post-quantum cryptography) standards when finalized.”

Shostack supports this approach: “Preparation, including inventory and ensuring that you have a plan for each item on the inventory and that you're not accumulating more debt, is probably worth doing, including new standards, new procurement rules, etc.”

5. Evaluate PKI Infrastructure for Transition Capability

An organization’s public key infrastructure will be central to any cryptographic transition. Sharpe advises organizations to “assess your PKI for its ability to handle the transition, including the support of multiple types of certificates and secrets, especially during the transition.”

The transition period will require systems to support both legacy and post-quantum algorithms simultaneously. Organizations with rigid PKI implementations should prioritize modernization now.

6. Develop a Prioritized Strategy for Data at Rest

Re-encryption of stored data presents significant operational challenges. IANS Faculty Member Mick Douglas highlights an often-overlooked concern: “When it's time to deploy quantum-resilient crypto systems, one of the bigger issues not getting attention is re-encrypting data that’s at rest. Your biggest issue will be I/O.”

Douglas offers pragmatic advice: “If your plan is to delete the data when quantum attacks are viable, I URGE you to delete this data now. If you can do without post-quantum widespread availability, you can do without it now.”

Sharpe adds: “Develop a strategy for handling encrypted storage so it can be decrypted at a later date. For example, most retention is useful life plus seven years. Mortgage companies need to decrypt data in storage for 37 years.”

7. Account for Digital Signature Verification Requirements

Digital signatures present unique challenges beyond encryption. Sharpe cautions: “Don't forget digital signatures. Digital signatures are used for notarization and non-repudiation. You may need to prove to an objective third party that data has not changed and assure the participants. You will need the certificates and the algorithms.”

Organizations must maintain the ability to verify signatures created with pre-quantum algorithms even after transitioning to post-quantum methods, particularly for legally binding documents and compliance records.

8. Address Market Perception and Customer Expectations

Beyond technical risks, quantum readiness has become a business concern. IANS Faculty Member Josh More identifies a present-day threat: “The perception by customers and prospects that you are somehow not ready to meet the ‘quantum challenge.’ This can result in lost business, longer deal close times, and more burdensome due diligence processes.”

More recommends: “You can meet this issue by adding a general quantum encryption plan to your public-facing supply chain statement. I would start working on the plan today and revise it annually.”

READ MORE: Preparing for the Quantum Shift in Cybersecurity

Why Quantum Computing Requires a Strategic Perspective

IANS Faculty Member Todd Inskeep offers context on timing: “It is pretty clear that we're still five to seven years (or more) from viable quantum computers that will create problems.” However, he emphasizes the harvest-now-decrypt-later risk for high-value targets: “If you deal in information valuable to nation-states, you want to move as rapidly as reasonable, since they could be starting to collect encrypted data now.”

Williams provides perspective on the current hype: “The hype you’re hearing now is largely venture capital fueled, like blockchain, metaverse, NFTs, and, most recently, ‘generative AI will solve everything.’ Realistically, most systems you have deployed today will be replaced at least once before practical quantum computing is a thing.”

Quantum computing represents a manageable, long-term transition rather than an imminent crisis. Organizations should begin systematic preparation while also keeping their focus on more immediate security priorities. By taking measured steps today—building inventories, updating procurement standards, and ensuring architectural flexibility—CISOs can position their organizations for a smooth transition when post-quantum cryptography becomes operationally necessary.

Download our 2025 Security Software and Services Benchmark Report—and gain access to valuable insights and practical strategies for managing vendors and MSSPs, especially during periods of budget constraints.

Take our  CISO Comp and Budget Survey in less than 10 minutes and receive career-defining data and other valuable insights or data sets.

Security staff professionals can take our  2025 Cybersecurity Staff Compensation and Career Benchmark Survey.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.