AI is raising the speed, scale, and sophistication of cyberattacks, making them faster, cheaper, and more targeted. But quantum computing introduces a more foundational risk: Q-Day, when quantum systems can break today’s public-key cryptography. That moment puts the digital trust enterprises rely on — for identity, contracts, secure communications, payments, blockchain infrastructure, and data integrity — at serious risk.
When digital trust fails in an enterprise, the impact is felt at the boardroom level. Because enterprises and organizations often standardize their cryptography, failure can also be systemic, with a high degree of complexity due to multiple layers of legacy systems.
Companies that think they can hold off until quantum computers crack today’s cryptography are mistaken. Enterprise transition to post-quantum cryptography (PQC) needs to start now.
Malicious actors banking on emerging quantum computing capabilities are already harvesting encrypted data today, with plans to access it when Q-Day arrives. We believe the most prudent path forward is to start a staged, multi-year transition to PQC immediately, rather than reacting under crisis conditions.
Here’s why:
Q-Day belongs in the risk register now
While artificial intelligence (AI) may currently dominate headlines, quantum computing (QC) is making massive advances in parallel, moving from laboratory experiments to commercial roadmaps to quantum supremacy. These computers rely on the properties of quantum mechanics and are dramatically faster than classical computing systems at solving some complex problems, such as breaking encryption. No longer just theory, a massive shift has begun in levels of quantum computing capital deployment and industrial activity.
According to our research, revenue in quantum is projected to grow from roughly $2.3 billion in 2024 to $8.9 billion by 2028. This growth is underpinned by a surge in investment, rising from $11.6 billion to $18.7 billion over the same period, with external forecasts pointing toward a multi-billion-dollar market over the next decade.
This influx of capital accelerates progress in error correction, qubit scaling, and algorithmic efficiency. These advances unlock a range of use cases — including cryptographically relevant quantum computers (CRQCs) that could crack much of today’s digital encryption.
In addition, major players like IBM, Google, and IonQ, as well as startups (like Iceberg Quantum) and state-backed programs in the U.S., E.U., and China, have published roadmaps suggesting that cryptographically relevant systems could emerge as early as the late 2020s or early 2030s.
Government authorities are not waiting. The U.S. National Institute of Standards and Technology (NIST) has already finalized its first set of PQC standards. Similarly, the U.K. and E.U. cybersecurity agencies have published phased migration roadmaps. These entities recognize that the transition will take years of planning and execution, and that the "safe" window for beginning a migration is already closing.
The exposure of public-key cryptography
Adversaries' “harvest now, decrypt later” (HNDL) strategies present a real threat to data and digital trust. Public-key cryptography based on algorithms like Rivest-Shamir-Adleman (RSA) and elliptic-curve cryptography (ECC) will be early victims.
Most enterprise workloads will not "flip" to post-quantum cryptography overnight. Our experience shows us that cryptographic transitions are often slow, taking a decade or more to fully implement across a global infrastructure. However, waiting for industry consensus or the "perfect" hardware date significantly increases risk.
Cryptography: the invisible infrastructure of everything
Cryptography underpins four fundamental pillars of modern business:
- Identity and Access Management (IAM): Ensuring that an IT system user is truly who they claim to be.
- Digital signatures and non-repudiation: Providing legal and technical proof that a contract was signed or a transaction was authorized.
- Secure communications: The digital mechanisms (TLS and VPN protocols) that protect data in transit across the internet.
- Regulated records and auditability: Guaranteeing that historical data hasn't been tampered with.
For enterprise trust to consistently protect and enable operations, enterprises and organizations also need crypto-agility, which is the ability of systems to quickly switch between cryptographic algorithms without a total overhaul of the underlying infrastructure.
Executive-level consequences
When these pillars collapse, the consequences can be catastrophic. Trust disputes become plausible; if a digital signature can be forged because the underlying private key has been recovered, every contract, trade confirmation, and legal record becomes contestable. Furthermore, because most enterprises use the same cryptographic standards across all departments, controls fail together, creating a systemic correlation risk in which a single vulnerability can collapse the entire security posture. Once the "root of trust" is compromised, the ability to verify the past or secure the future vanishes.
The cost of delay: A forced scramble
The more organizations wait for Q-Day to be "closer," the more they set themselves up for a forced, high-risk scramble. Delaying action results in:
- Increased volume of vulnerable data: Each day without post-quantum cryptography is another day of creating data vulnerable to HNDL.
- Cryptographic debt: A form of technical debt, "crypto-debt" accumulates as more systems are built on soon-to-be-obsolete standards.
- Vendor dependency: Enterprises and organizations that wait will be at the mercy of their vendors' readiness during a global crisis, potentially facing massive price hikes or service outages.
The PQC 90-day leadership playbook
CEOs and boards should manage this transition as they would any major enterprise risk. We recommend the following 90-day action plan:
- Assign ownership
Appoint a single executive owner to oversee the PQC migration. This is an interdisciplinary effort that requires alignment between legal, procurement, and IT. We recommend delegating this to the chief information security officer (CISO) or chief information officer (CIO), with a clear mandate and budget.
- Perform a cryptographic inventory
Work to rapidly identify:
  - Where encryption and signatures are used.
  - Data that has a "security life" exceeding five years.
  - Legacy systems that are "hard-coded" and lack crypto-agility.
Revisit current certificate policies today to force more frequent changes.
- Protect revenue and trust first
Prioritize systems that underpin revenue and core trust. If customer-facing portals or inter-bank settlement systems rely on vulnerable signatures, these move to the top of the list.
- Make vendors commit
Supplier security will be crucial.
  - Require PQC roadmaps from all critical cloud and software providers.
  - Embed "crypto-agility" requirements into all new contracts and renewals to avoid any additional legacy problems.
- Approve a staged roadmap
Fund initial pilots (e.g., upgrading a specific VPN tunnel to PQC) to learn about performance impacts. Set clear milestones and decision gates for a full-scale rollout.
- Track PQC as a top enterprise risk
Establish a steering cadence. Board-level reporting should focus on a small set of key performance indicators (KPIs), such as the percentage of "long-life data" protected by PQC or the percentage of "quantum-agile" vendors in the supply chain.
Controlled transition versus crisis management
Q-Day is a certainty of physics and mathematics, not an "if" but a "when." For leadership, we see a choice between two futures.
In the first, the enterprise or organization ignores the warnings, continues to accumulate cryptographic debt, and eventually faces forced migration under extreme duress. This leads to system outages (possibly catastrophic), legal disputes over signatures (potentially ruinous), and a loss of customer trust (partial or total).
In the second, the enterprise acknowledges the risk early, builds crypto-agility into its DNA, and executes a controlled, staged transition. In this scenario, the impact of Q-Day is minimized or eliminated, much like Y2K and GDPR when these were managed proactively and successfully.
Post-quantum cryptography is here, and it's vital to protect enterprises. The roadmaps are clear.
How Altman Solon Can Help
Altman Solon, with support from senior QC advisors, including MIT experts, can help enterprises and organizations to achieve the required direction and speed of leadership with:
- PQC readiness and migration road‑mapping.
- Quantum security strategy and risk prioritization.
- Quantum computing technical and commercial due diligence.
- Evaluation of quantum computing threat timelines.
Special thanks to Jeff Grover, Ph.D., Principal Research Scientist in the EQuS group.