Post-Quantum Readiness Is an Inventory Problem
The first step toward post-quantum security isn't buying a new product. It's discovering where current cryptography already lives.
By Max Fischer ·
The arrival of cryptographically relevant quantum computers remains uncertain in timing, but the consensus among national standards bodies is that organisations cannot afford to wait for certainty before acting. The United States National Institute of Standards and Technology published its first suite of post-quantum cryptographic standards in mid-decade, and migration timelines assume organisations will need years, not months, to complete the shift. The core obstacle is not technical readiness—suitable algorithms now exist—but operational visibility. Most enterprises do not maintain a comprehensive record of where cryptographic operations occur across their technology estate, and without that baseline, coordinated replacement becomes effectively impossible.
Cryptographic inventories reveal complexity that infrastructure diagrams typically conceal. Public-key cryptography underpins authentication in digital certificates, which proliferate across web servers, email gateways, code-signing processes, and device provisioning systems. Payment networks rely on asymmetric encryption to secure transaction flows between merchants, processors, and issuing banks. Industrial control systems, medical devices, and automotive components increasingly depend on embedded cryptographic modules that were designed for decade-long operational lives. Archived data presents a distinct challenge: encrypted backups and long-term records may become unreadable if their encryption keys are later compromised by quantum decryption, a threat model known as "harvest now, decrypt later." Each of these categories requires different tooling, access levels, and stakeholder engagement to map comprehensively.
The difficulty compounds when dependencies extend beyond direct organisational control. Third-party software packages, cloud services, and supply-chain partners all introduce cryptographic dependencies that may not be documented in procurement agreements or technical specifications. A payroll platform, for instance, might rely on a specific version of a cryptographic library maintained by a vendor who has not yet published a post-quantum migration plan. Network appliances frequently contain proprietary firmware where cryptographic implementations are opaque to the operator. Contracts rarely include explicit commitments around algorithm updates, and legal frameworks for enforcing cryptographic agility remain underdeveloped. The inventory task therefore extends into governance: identifying not only what cryptography is in use, but who holds responsibility for updating it and under what terms.
Prioritisation becomes essential once the inventory is visible. Not all cryptographic assets face equal risk or carry equal consequence if compromised. Systems handling sensitive data with long secrecy horizons—such as health records, intelligence communications, or proprietary research—merit earlier attention than ephemeral session keys. Internet-facing services that negotiate encryption transparently can often adopt hybrid schemes that combine classical and post-quantum algorithms, easing migration without breaking backward compatibility. Legacy systems lacking cryptographic flexibility may require hardware replacement or network segmentation rather than in-place updates. The goal is to sequence migration so that the highest-risk, longest-replacement-cycle elements move first, creating a roadmap measured in budget cycles rather than sprints.
Crypto-agility—the ability to swap cryptographic algorithms without redesigning entire systems—emerges as the strategic objective rather than a narrow technical feature. Organisations that hardcoded cryptographic choices into application logic, database schemas, or network protocols now face costly refactoring. Those that abstracted cryptographic operations behind standardised interfaces or configuration files can redirect calls to new algorithms with comparatively modest effort. Hardware security modules, certificate management platforms, and key storage architectures designed with algorithm flexibility in mind reduce both the cost and the risk of future transitions. The lesson applies beyond the quantum threat: cryptographic standards have evolved repeatedly over recent decades, and the pace of revision is unlikely to slow.
The practical implication is that post-quantum readiness begins with documentation, not deployment. Organisations should expect to spend initial effort mapping certificate lifecycles, cataloguing cryptographic dependencies in procurement pipelines, and establishing governance for algorithm decisions that currently sit undocumented in engineering teams. The inventory itself becomes an asset, enabling faster response not only to quantum developments but to any cryptographic vulnerability that demands coordinated patching. Migration timelines that assume "flipping a switch" underestimate the depth of cryptographic integration in modern infrastructure; realistic planning accounts for discovery, testing, and phased rollout across diverse technical environments. The transition may not be imminent, but the work required to execute it competently is already overdue.