Most leaders work on the assumption that “It’s encrypted” means “We’re safe.” That assumption now has a deadline.

The new risk is clear: a large quantum computer, once built, could break the RSA and elliptic-curve public-key cryptography that protects most of our digital world. An adversary who intercepts and stores encrypted data you send today could decrypt it then. This technique, known as the “harvest now, decrypt later” attack, turns long-lived data assets such as M&A archives, health records, intellectual property, and state secrets into a time bomb with an unknown fuse.

The response is already taking shape.

The answer is post-quantum cryptography (PQC). PQC replaces the mathematical problems underlying RSA and ECC, which a quantum computer could solve efficiently, with problems believed to resist both classical and quantum attacks.

Diversification is the most important point for executives to remember. We are not swapping one “magic” algorithm for another. The global cryptographic community is building a new, diverse foundation on several distinct mathematical families:

  1. Lattice-based: This family underpins the primary new standards for both key exchange and digital signatures, and it is likely to become the default.
  2. Hash-based: A conservative choice for digital signatures, valued because its security rests only on well-understood hash functions.
  3. Code-based: A well-studied, mature approach that adds important variety to the ecosystem.
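To make the hash-based family concrete, here is an added example (not from the article, and not the SLH-DSA construction itself): a Lamport one-time signature in Python. It shows the principle behind hash-based signatures, namely that the only assumption is that SHA-256 cannot be inverted, and it shows the family's main operational caveat, that a one-time key pair must sign exactly once. SLH-DSA builds a stateless many-time scheme out of such one-time primitives; the reuse guard below is this example's own addition.

```python
import hashlib
import secrets
from dataclasses import dataclass

N = 32          # bytes per secret value and per SHA-256 digest
BITS = 256      # number of digest bits, so 256 secret pairs per key


def _h(data: bytes) -> bytes:
    """The single security assumption: SHA-256 is one-way."""
    return hashlib.sha256(data).digest()


@dataclass
class LamportKeyPair:
    sk: list            # sk[i][b] is revealed when digest bit i equals b
    pk: list            # pk[i][b] = H(sk[i][b]); publishing this is safe
    used: bool = False  # a Lamport key may sign only one message


def keygen() -> LamportKeyPair:
    """Generate 2*256 random secrets and publish their hashes as the public key."""
    sk = [[secrets.token_bytes(N), secrets.token_bytes(N)] for _ in range(BITS)]
    pk = [[_h(s0), _h(s1)] for s0, s1 in sk]
    return LamportKeyPair(sk, pk)


def _digest_bits(message: bytes) -> list:
    """Hash the message and expand the digest into a list of 256 bits (MSB first)."""
    d = int.from_bytes(_h(message), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def sign(kp: LamportKeyPair, message: bytes) -> list:
    """Reveal, for each digest bit, the matching secret. Refuse to reuse a key:
    a second signature would reveal the other half of many pairs and let an
    attacker forge signatures for new messages."""
    if kp.used:
        raise RuntimeError("Lamport key already used; reuse would leak secrets")
    kp.used = True
    return [kp.sk[i][b] for i, b in enumerate(_digest_bits(message))]


def verify(pk: list, message: bytes, sig: list) -> bool:
    """Recompute the digest bits and check each revealed secret hashes to the
    published value for that bit."""
    if len(sig) != BITS:
        return False
    bits = _digest_bits(message)
    return all(_h(sig[i]) == pk[i][b] for i, b in enumerate(bits))


if __name__ == "__main__":
    kp = keygen()
    msg = b"board minutes 2025-Q1"          # constructed sample message
    sig = sign(kp, msg)
    print("valid:", verify(kp.pk, msg, sig))
    print("tampered:", verify(kp.pk, msg + b"!", sig))
    print("signature size (bytes):", sum(len(s) for s in sig))
```

Note the sizes: the public key is 16 KB and every signature is 8 KB, which is why practical hash-based schemes such as SLH-DSA add tree structures on top of one-time signatures rather than using them directly.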

This multi-family approach ensures that a break in any one mathematical family does not take everything down with it.

The Standards Are Here: From Theory to Mandate

For leaders, the most important mental shift is that PQC is no longer a research topic. It is a migration program.

As Raimundo Jiménez, Group Chief Information Security Officer at Zehnder Group International AG, recently explained to me, the National Institute of Standards and Technology (NIST) has already completed the first set of PQC standards:

  • FIPS 203 (ML-KEM): The main replacement for RSA/ECC key exchange, as used when a browser sets up a TLS session or a client connects to a VPN.
  • FIPS 204 (ML-DSA): The main standard for digital signatures, which are used to prove identity and to sign software.
  • FIPS 205 (SLH-DSA): A hash-based signature scheme that serves as a backup should the lattice-based schemes ever be weakened.

More standards are already in development and will make the cryptographic toolkit even more diverse and robust. The question for leaders is no longer whether this change will happen, but whether we will be ready when regulators and major partners demand it.

Trust, Risk, and Time

You don’t have to know the math, but you do need to know the risk profile:

  1. Data Lifespan vs. Quantum Timeline: Your sensitive data may need to stay confidential for 25 to 30 years, even if a powerful quantum computer is still 10 years away. Because the data outlives the quantum timeline, the threat is already present today.
  2. Migration Is a Marathon: Updating cryptographic systems across an entire business, including legacy applications, embedded systems, and third-party integrations, is a long and complicated process that can take years. Starting now is not premature; it is necessary.
  3. Regulatory Pressure Is Growing: The financial services, healthcare, and critical infrastructure sectors are already being told to assess quantum risk and plan for PQC migration.
  4. Trust Is a Business Advantage: “Are you quantum-resistant?” will soon be a standard question in RFPs, security audits, and due diligence. Being proactive will set you apart in the market.

Your Action Plan: Four Things to Do Right Now

Given all this, the plan should be clear and should start immediately. Here are four actions every business can take to build an initial action plan:

  1. Build a Crypto-Inventory: Find out where your company uses quantum-vulnerable cryptography (RSA/ECC) in TLS, VPNs, software signing, and data archives. Give top priority to systems that handle sensitive, long-lived data.
  2. Demand Crypto-Agility: Make sure your technology stack and vendor solutions can swap cryptographic algorithms without a complete redesign. Cryptography should be a replaceable module, not something hard-coded.
  3. Treat PQC as a Strategic Program: It is a business-level initiative, not an internal IT activity. It needs dedicated ownership, a budget, and board-level visibility.
  4. Engage Your Vendors: Ask your cloud providers, software vendors, and hardware suppliers how they plan to support the new NIST PQC standards.
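As an added example (not the article's own, and not a product), the following Python script shows what the first action and the “data lifespan vs. quantum timeline” point look like once combined into a prioritized crypto-inventory. Each record carries the algorithm in use, how long the protected data must stay secret, and how long migrating that system is expected to take. The ranking uses the widely cited Mosca framing: for confidentiality, data lifespan plus migration time must stay below the assumed quantum horizon, because ciphertext harvested today can be decrypted later; for signatures only the migration time counts, since forgery becomes possible only once the quantum computer exists. The horizon value, the inventory records, and the signature simplification are this example's assumptions.

```python
from dataclasses import dataclass

# Classification follows the article: RSA and elliptic-curve schemes are the
# quantum-vulnerable public-key families; ML-KEM, ML-DSA and SLH-DSA are the
# NIST FIPS 203/204/205 replacements.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "X25519", "Ed25519"}
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}

# Assumed years until a cryptographically relevant quantum computer exists.
# The article's illustrative figure is 10 years; treat it as a planning input.
QUANTUM_HORIZON_YEARS = 10

# Purposes subject to harvest-now-decrypt-later versus purposes that are not.
CONFIDENTIALITY = {"key-exchange", "encryption"}


@dataclass(frozen=True)
class CryptoAsset:
    system: str
    purpose: str            # "key-exchange", "encryption" or "signature"
    algorithm: str
    lifespan_years: int     # how long the protected data must stay secret
    migration_years: int    # estimated time to move this system to PQC


def classify(algorithm: str) -> str:
    """Return 'vulnerable', 'post-quantum' or 'unknown' for an algorithm name."""
    if algorithm in POST_QUANTUM:
        return "post-quantum"
    if algorithm in QUANTUM_VULNERABLE:
        return "vulnerable"
    return "unknown"


def years_to_act(asset: CryptoAsset, horizon: int = QUANTUM_HORIZON_YEARS) -> int:
    """Years left before the asset is exposed; negative means already late.

    Confidentiality: horizon - migration - lifespan (Mosca framing), because
    traffic or archives captured today stay decryptable for their whole lifespan.
    Signatures: horizon - migration, since forgery starts only at the horizon
    (a simplification assumed by this example).
    """
    if asset.purpose in CONFIDENTIALITY:
        return horizon - asset.migration_years - asset.lifespan_years
    return horizon - asset.migration_years


def prioritize(inventory, horizon: int = QUANTUM_HORIZON_YEARS) -> list:
    """Rank quantum-vulnerable and unknown assets, most urgent first.

    Unknown algorithms sort to the top: an inventory entry nobody can classify
    must be reviewed before any migration ordering is meaningful.
    """
    report = []
    for asset in inventory:
        status = classify(asset.algorithm)
        if status == "post-quantum":
            continue  # already on a FIPS 203/204/205 algorithm
        report.append({
            "system": asset.system,
            "algorithm": asset.algorithm,
            "status": status,
            "years_to_act": years_to_act(asset, horizon),
        })
    return sorted(report, key=lambda r: (r["status"] != "unknown", r["years_to_act"]))


# Constructed sample inventory; none of these are real systems.
SAMPLE_INVENTORY = [
    CryptoAsset("m-and-a-archive", "encryption", "RSA", 30, 2),
    CryptoAsset("vpn-gateway", "key-exchange", "ECDH", 25, 3),
    CryptoAsset("code-signing", "signature", "ECDSA", 0, 4),
    CryptoAsset("public-web-tls", "key-exchange", "X25519", 1, 1),
    CryptoAsset("new-internal-api", "key-exchange", "ML-KEM", 30, 0),
    CryptoAsset("legacy-scada-link", "key-exchange", "vendor-proprietary", 20, 5),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_INVENTORY):
        print(f"{row['system']:<20} {row['algorithm']:<20} "
              f"{row['status']:<12} years_to_act={row['years_to_act']}")
```

Run against the sample inventory, the unclassifiable SCADA link comes first, followed by the 30-year M&A archive and the VPN, both of which are already decades past their deadline under a 10-year horizon, while public web TLS protecting short-lived sessions has time to spare. That ordering, not the algorithm list itself, is what a board-level migration plan should be built on.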

Quantum computing is not science fiction; it is an inevitable change in technology. The standards are published, the guidance is clear, and the strategic risk is real. Leaders do not need to understand how lattice-based algorithms work; they need to make sure the company has a plan to adopt them. The window for action is already open.