Although quantum computing isn't quite here yet, the expectation is that by around 2035, quantum computers will be powerful enough to threaten older encryption techniques. Therefore, organizations must begin implementing quantum-safe cryptography now.
Quantum computing was a buzz word at RSACTM 2025 Conference’s Cryptographer's Panel, and the panel asked questions like: How will quantum computing impact encryption? How do we prepare for a possible quantum world?
This blog shares information from an interview RSAC conducted with Walt Powell, Lead Field CISO at CDW, and provides an introduction into quantum computing evolution, the biggest challenges, and what organizations can do today to get ready for quantum computing, also known as Q-day (the point at which quantum computers can break current encryption).
Q. What is the Current Landscape of Quantum Computing?
A. Quantum computing is still in its early stages. Powell noted that while there have been minor advancements, such as proof of concept that quantum algorithms can break small-key cryptography, we have yet to see major advancements in quantum computing as far as cybersecurity goes.
While NIST has made advancements by approving initial post-quantum encryption standards, the broader industry has not yet fully adopted this as a priority. The lack of urgency is a significant issue, as organizations should be actively planning for Q-Day.“Many people don't see it as a today problem, so there is little motion in quantum computing, but it's a today problem, not a future problem, as implementing and deploying quantum-safe solutions takes years,” Powell said.
Q. What Happens When Quantum Computing Becomes Powerful?
A. Quantum computing poses a significant threat to current encryption methods. When quantum computers become powerful enough—a matter of when, not if—two specific quantum algorithms, Shor's Algorithm and Grover's Algorithm, will be usable to break or significantly weaken encryption. Powell outlined:
1. Shor's Algorithm
Shor's Algorithm can be used to completely break asymmetric encryption (also known as public-key cryptography). This type of encryption is defined by the fact that the two communicating parties do not use the same key. Instead, they exchange public information to securely agree upon a shared secret key.
With a fully functional quantum computer, Shor's Algorithm would be able to break the encryption wherever it is used. This includes crucial systems like the Internet, Transport Layer Security (TLS) communication, and the initial handshake phase of VPNs. These are all systems underpinned by asymmetric cryptography, and their failure would compromise confidentiality and trust on a global scale.
2. Grovers Algorithm
Grover's Algorithm impacts symmetric cryptography, where both parties share and use the exact same secret key. Grover's Algorithm does not break the encryption completely, but it provides a way to reduce the number of brute-force attacks, which effectively halves the key strength. For instance, a 128-bit key would be reduced to a 64-bit key, making it much easier to crack. To maintain current security levels, all symmetric cryptography must be updated by doubling the key size (e.g., from 128 bits to 256 bits).
Q. When Should Organizations Start Planning?
A. According to Powell, the biggest challenge with planning for Q-Day is a misunderstanding of the timeline--many people think this is a 10-year problem.
He discussed how the Mosca Model provides a theoretical framework to determine when organizations need to start preparing. The model poses two critical questions:
1. How long does data need to remain secret?For example, will the data—such as healthcare records, personal information, or government secrets—still be sensitive in five or ten years?
2. How long will it take organization to fully remediate? This means calculating the time required to apply all of the new quantum-safe algorithms across every system that uses cryptography.
For example, if an organization has data that needs to remain confidential for 10 years and it will take the organization 10 years to fully implement quantum-safe replacements, the total required preparation window is 20 years. If Q-Day is only 10 years from now, then based on this timeline, the organization needed to have started 10 years ago, Powell emphasized.
Q. What are Good Quantum Computing Frameworks to follow?
A. Preparing for quantum computing is a complex journey. Powell recommended that organizations should focus on Phase One and Phase Two:
Phase One: Discover and Inventory
Organizations need to go through the discovery phase to identify and catalog all their cryptographic assets, systems, and third-party dependencies—in short, to create an inventory.
“This is often the most daunting step,” Powell said. Many folks believe they can do this manually, but when they start asking developers and systems engineers questions like, "Where do we have cryptographic assets or artifacts?" The common answer is, "I don't know." Which is why this phase can take six months to a year.
Phase Two: Planning
Powell said that Phase Two is planning, which involves establishing governance, prioritizing risks, and defining use cases, among other tasks.“Organizations need to establish a cross-organizational steering committee, essentially identifying a "PQC Czar” to get the effort organized and underway,” Powell said. This phase can take a year or two.
The other three phases of planning for quantum computing as Powell outlined are (3) Implement, (4) Validate, and (5) Maintain (as shown in Figure 1)— these phases will take several years. Phase three alone can take a few years because algorithms aren't permanent. Organizations may need to swap them out, deploy new ones, and repeat this process until they are quantum-safe. Since post-monitoring is vital, Phase five is also crucial once organizations reach that point in their timeline.
Figure 1.
While NIST has put out some guidance (NIST SP 1800-38), which is a good starting point, the cybersecurity community needs to work on more structured and detailed frameworks for post-quantum computing (PQC).
As Powell highlighted, "One of the challenges is also waiting for other people to act." This complex transition to Q-day requires essential coordination and clear, shared guidance.
The time to act is now, before the quantum future becomes our quantum present.