Preparing for the post-quantum world: what IT leaders need to know

For decades, the security of the digital world has rested on public-key cryptography. Algorithms like RSA and elliptic curve cryptography (ECC) keep everything from online banking to government communications safe. But advances in quantum computing threaten to undermine this foundation. While today’s quantum computers cannot yet break RSA or ECC in practice, it is fully expected that in the near future they will do so. The possibility of ‘harvest now, decrypt later’ attacks — where adversaries capture encrypted traffic and data today and wait to decrypt it once quantum machines arrive — makes the problem urgent now, not some day in the future.

At DigiCert’s 2025 World Quantum Readiness Day held on 10 September, company CEO Dr. Amit Sinha warned that the technology will soon trigger a breakthrough moment similar to ChatGPT.

“One day you’ll wake up and realise the disruption has already happened. The big tech firms like Google, Microsoft, and AWS are racing for quantum supremacy, and the pace of advancement is staggering,” he said.

“Moving to quantum is a huge change for organisations, and whenever people and organisations are faced with a big change, they usually go through the five stages of grief: denial, bargaining, anger, depression, and acceptance,” he added. “Today, 24% of organisations are still in denial about the risks of quantum computing. Our goal with the Quantum Readiness Day event is to help them move toward acceptance, because this is the year that shift must happen.”

Bringing together a distinguished panel of experts from industry, government, and academia, the Quantum Readiness Day event underscored the urgency of migration as regulators across Australia set accelerating deadlines and guidance for post-quantum cryptography (PQC).

Action and the cost of inaction

The global response to the issue has been ongoing for some years. Governments, standards bodies, and industry have been working together to prepare a new generation of PQC algorithms. For IT leaders, the challenge is no longer about whether PQC will matter, but about when and how to begin the migration.

Speakers at the event stressed that delaying action will only increase risks and costs.

“Every month you delay the transition, the risks compound. The expense of emergency migration under pressure will far outweigh the investment of starting early,” said Lakshmi Hanspal, Chief Trust Officer at DigiCert. Colin Soutar, Deloitte’s Global Quantum Cyber Readiness Lead, agreed: “Organisations that wait will end up paying more, financially, operationally, and reputationally.”

Where the standards stand

The US National Institute of Standards and Technology (NIST) has been leading the charge with a multi-year competition to evaluate and standardise quantum-resistant algorithms. After five years of global review, NIST announced the first set of algorithms in 2022, and draft standards were published in 2024. These include new public-key schemes for both encryption (key exchange) and digital signatures.

The first algorithms expected to see widespread adoption are ML-KEM (short for Module Lattice Key Encapsulation Mechanism) and ML-DSA (Module Lattice Digital Signature Algorithm), which grew out of a family of algorithms known for their strong security properties and efficient performance. NIST has chosen these and other algorithms to replace or complement existing schemes like RSA and ECC. Further candidates are still being evaluated in a ‘fourth round’, ensuring that backup options exist if weaknesses are found.

William Whyte, Senior Director of Technical Standards at Qualcomm, explained that these standardised algorithms are not vulnerable to quantum attacks and will become widely used alternatives to today’s RSA encryption. But Dr. Taher Elgamal, cryptographer and father of SSL, cautioned that organisations should not assume this will be the final solution.

“The migration from RSA to ML-DSA will not be the last. Agility is the way forward,” he said.

What a migration looks like

Moving to PQC is not just a technical upgrade — it’s a program of change management that touches people, processes, and suppliers. IT managers should think of it as a staged journey rather than a single project.

The first step is visibility. Most organisations do not have a complete inventory of where and how cryptography is used. It shows up in obvious places like VPNs, TLS connections, and digital certificates, but also in software updates, document signing, secure email, and the protection of data at rest. Mapping these dependencies is essential for planning a phased migration.

Next comes prioritisation. Not all data has the same sensitivity or lifetime, and systems that handle long-lived sensitive data should be at the top of the list for quantum-safe protection. With a clearer picture in hand, organisations can begin introducing crypto-agility — the ability to swap cryptographic algorithms without a major redesign.

The next step is pilot deployment. Many vendors and open-source projects now offer versions of their products that support hybrid post-quantum algorithms. Running pilots in controlled environments allows IT teams to measure performance, test interoperability, and train staff without exposing production systems to unnecessary risk.

Experts urge APAC organisations to act

Quantum computing is one of those technological shifts that moves from speculative to inevitable almost overnight. For cybersecurity, the shift is already underway. The fact that international standards exist, widely supported libraries are available, and vendors are beginning to ship hybrid solutions tells us that the transition has begun.

As APAC organisations face rapidly accelerating expectations and guidelines around quantum readiness, the event’s timing and focus could not be more critical.

“Our team at DigiCert aligns with the Australian Government’s 2023–2030 Cyber Security Strategy, which identifies quantum threats as a resilience priority, and we are encouraged by the broader ecosystem’s progress in advancing PQC through research and pilots that will accelerate sector-wide adoption,” said Daniel Sutherland, DigiCert Regional VP ANZ.

DigiCert has reaffirmed its commitment to leading this effort by delivering tools, roadmaps, and collaborative frameworks that empower organisations, anchored by its DigiCert ONE platform. Designed to give organisations the agility to adapt as cryptographic standards evolve, DigiCert ONE supports the latest post-quantum algorithms and helps enterprises prepare and manage the complex transition.

Image credit: iStock.com/blackdovfx