As a security leader, your desk is piled high with immediate threats. Ransomware. AI-driven phishing. Supply chain vulnerabilities. It’s tempting to label the quantum readiness challenge as a problem for “Future You”, something to tackle closer to the 2030s.
But a groundbreaking 2025 analysis reveals a dangerous misconception. The quantum threat isn’t a distant storm on the horizon; it’s a silent risk accumulating in your systems right now. The paper, which synthesizes findings from sources like NIST and ISACA, uncovers a stark reality: while most security professionals are aware of the threat, a staggering 95% of organizations have no formal plan to address it. This has created a massive quantum readiness gap, leaving today’s most sensitive data dangerously exposed.
This isn’t a failure of technology. It’s a failure of timing. And for CISOs, closing that gap has become a strategic imperative.
The Real Threat Isn’t Decryption Tomorrow: It’s Data Theft Today
The most critical insight from the research isn’t about when a quantum computer will break RSA encryption, but what adversaries are doing in the meantime. They are actively engaged in a strategy known as “Harvest Now, Decrypt Later” (HNDL).
Imagine this: a sophisticated state-sponsored actor, like the Volt Typhoon group mentioned in the research, infiltrates your network. They don’t need to decrypt anything on the spot. They simply steal vast amounts of your encrypted data – intellectual property, long-term financial plans, customer data, trade secrets – and store it. They are patiently waiting for “Q-Day,” the moment a cryptanalytically relevant quantum computer (CRQC) comes online, to unlock it all.
This fundamentally changes the timeline. The vulnerability isn’t in 2035; the vulnerability is now. Every piece of sensitive, long-lived data encrypted with today’s standards is a ticking time bomb. This reality forces a critical question: is your organization’s quantum readiness posture prepared for a threat that is already in motion?
A 360° View on the State of Quantum Readiness
The new research analyzes the situation from three critical perspectives, revealing a clear disconnect between the available tools and their adoption.
The Technologist’s View: The Tools Are Here
The good news? The technology to defend against this threat is no longer theoretical. The paper highlights that the U.S. National Institute of Standards and Technology (NIST) has already finalized its first set of Post-Quantum Cryptography (PQC) algorithms, such as CRYSTALS-Kyber and Dilithium. These are the new standards, designed to run on classical computers while resisting quantum attacks. Technology isn’t the bottleneck.
The Enterprise View: A Story of Inertia
This is where the quantum readiness gap becomes glaringly obvious. According to the analysis, industry surveys show that despite widespread concern, action is alarmingly scarce. Key barriers identified in the research include:
- Organizational Inertia: The belief that other threats are more immediate.
- Skills Gaps: A severe shortage of talent with expertise in PQC.
- Budgeting Challenges: Difficulty justifying ROI for a threat perceived as long-term.
A clear divide is emerging. Proactive sectors like finance, telecommunications, and government are already budgeting and planning their transition. Those who wait risk being left behind, facing a chaotic and expensive scramble when the threat becomes undeniable.
The Threat Actor’s View: The Clock is Ticking
While experts place a CRQC in the 2030s, adversaries are operating on the principle that the timeline to prepare is much shorter than the timeline to the threat. They are exploiting the current period of enterprise inaction. Their “harvest now” strategy is a direct bet against your organization’s ability to achieve quantum readiness in time.
From Awareness to Action: Your 5-Step Roadmap to Quantum Readiness
The research makes it clear that waiting is no longer a viable strategy. To help CISOs move forward, the paper outlines a clear, actionable roadmap. Here are five steps drawn directly from its recommendations:
- Conduct a Full Cryptographic Inventory: You cannot protect what you cannot see. The first step is to discover every instance of cryptography across your enterprise: in applications, hardware, databases, and third-party services. Identify all quantum-vulnerable algorithms (like RSA and ECC) to understand the full scope of your exposure.
- Develop a Formal Quantum Security Roadmap: Move your organization from the unprepared 95% to the proactive 5%. Establish a formal plan with timelines, budget estimates, and clear ownership. This roadmap should prioritize systems based on data sensitivity and longevity. Brief your board and treat quantum readiness as a core component of your enterprise risk management strategy.
- Architect for Crypto-Agility: The era of static, hard-coded cryptography is over. Design and procure systems that are crypto-agile, meaning you can swap out cryptographic algorithms without a massive overhaul. This not only prepares you for PQC but also future-proofs your infrastructure against any future cryptographic shifts.
- Prioritize Early PQC Deployments: Don’t attempt a “big bang” switch. Start now by identifying high-value, lower-risk areas for early PQC implementation. Encrypted archives, internal PKI, or code-signing for long-life software are perfect candidates. These pilot projects build invaluable hands-on experience for your team.
- Invest in Your People and Partnerships: Address the talent gap head-on. Sponsor training for your current engineers in PQC, collaborate with industry consortia, and demand transparency from your vendors on their quantum roadmaps. Building internal expertise now will be a significant competitive advantage as the talent crunch intensifies.
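To make the inventory and prioritization steps concrete, the Python below is an added example (not code from the paper or from this post) that classifies inventory findings and ranks them by harvest-now-decrypt-later exposure. It goes beyond the post by applying Mosca's inequality (data lifetime + migration time > time to a CRQC). The record fields, the sample inventory, the `VENDOR-PROPRIETARY-1` identifier and the 2025/2035/3-year figures are assumptions chosen for illustration.

```python
import re
from collections import namedtuple

# Substring matching deliberately over-flags; PQC is checked first so a hybrid
# group such as X25519MLKEM768 is not reported as vulnerable.
PQC = re.compile(r"ML-?KEM|KYBER|ML-?DSA|DILITHIUM", re.I)
SHOR = re.compile(r"RSA|ECDSA|ECDH|X25519|ED25519|SECP|\bDHE?\b", re.I)

# usage: "key-exchange" or "signature"; lifetime_years: how long the data or signature must hold
Finding = namedtuple("Finding", "asset usage algorithm lifetime_years")

def classify(algorithm):
    if PQC.search(algorithm):
        return "pqc"
    return "quantum-vulnerable" if SHOR.search(algorithm) else "unknown"

def prioritize(findings, now_year, crqc_year, migration_years):
    """Rank by years of exposure: (now + migration + lifetime) - crqc_year."""
    ranked = []
    for f in findings:
        kind = classify(f.algorithm)
        if kind == "pqc":
            continue
        overshoot = now_year + migration_years + f.lifetime_years - crqc_year
        if kind == "unknown":
            risk = "review"    # never assume an unrecognized algorithm is safe
        elif overshoot <= 0:
            risk = "low"       # protection expires before the assumed CRQC date
        elif f.usage == "key-exchange":
            risk = "hndl"      # ciphertext captured today is readable at Q-Day
        else:
            risk = "forgery"   # signatures only fail once a CRQC exists
        ranked.append((risk, overshoot, f.asset))
    order = {"hndl": 0, "forgery": 1, "review": 2, "low": 3}
    return sorted(ranked, key=lambda r: (order[r[0]], -r[1]))

# Constructed sample inventory (not real scan output).
SAMPLE = [
    Finding("vpn-gateway", "key-exchange", "ECDHE-RSA-AES256-GCM-SHA384", 15),
    Finding("web-frontend", "key-exchange", "X25519MLKEM768", 15),
    Finding("firmware-signing", "signature", "ecdsa-with-SHA256", 20),
    Finding("session-cache", "key-exchange", "X25519", 0),
    Finding("legacy-hsm", "key-exchange", "VENDOR-PROPRIETARY-1", 10),
    Finding("archive-backup", "key-exchange", "RSA-OAEP", 25),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE, now_year=2025, crqc_year=2035, migration_years=3):
        print(row)
```

Key-exchange findings with a positive overshoot rank first because that traffic can be recorded today, which is why encrypted archives appear ahead of signing systems even when the signing lifetime is longer.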
The Future is Quantum-Safe, and it Starts Now
The transition to a quantum-safe future is a marathon, not a sprint. But the starting gun has already fired. By framing quantum readiness not as a distant technical problem but as an immediate strategic risk, you can secure the buy-in and resources needed to protect your organization’s most valuable assets for decades to come. The question is no longer if you need to act, but how fast you can build your roadmap and turn awareness into action.
For Further Reading:
This blog post is based on the insights and analysis presented in the article: Le, T. D., Do, P. H., Dinh, T. D., & Pham, V. D. (2025). Are Enterprises Ready for Quantum-Safe Cybersecurity? arXiv preprint arXiv:2509.01731. Available at: https://arxiv.org/abs/2509.01731