Quantum is "creating anxiety" for security leaders. Here's what to do about it

Organisations are approaching a turning point in computing power as quantum technology accelerates at an unprecedented pace. The momentum has been so significant that the United Nations designated 2025 as “The Year of Quantum Technology.”

For cybersecurity leaders, however, it has felt less like a breakthrough moment and more like a period filled with unanswered quantum questions. Under growing pressure from boards to define an approach, many organisations have found it difficult to separate genuine progress from exaggerated claims surrounding quantum computing. 

On the one hand, quantum computing holds enormous promise for innovation. On the other, it is creating real anxiety for security leaders tasked with deciding where to focus and how to mitigate serious security and reputational threats.

Adding to the challenge are vendors flooding the market with a constant stream of quantum-safe offerings, often framed with urgency and worst-case scenarios. At the same time, many organisations are operating with limited resources and are diverting budgets and attention towards other critical priorities such as AI adoption and cloud resilience. 

So where should security leaders focus their efforts? How do they strike the right balance between moving too slowly and acting prematurely? To chart a sensible course, there are three practical steps organisations can take to improve quantum preparedness. By assessing the current maturity of quantum technology and adopting a more considered strategy, organisations can maximise its potential benefits while protecting themselves against genuine risks. 

Quantum computing today: progress, potential and limitations 

The global market for quantum technology is expected to reach up to £72 billion by 2035, with revenue from quantum computing alone reaching £51 billion.

Many analysts agree that the technology is reaching an inflection point, shifting from theoretical research to tangible, real-world outcomes. Estimates today suggest there are between 45 and 130 complete quantum systems deployed for practical applications. 

Quantum systems are now commercially available through on-premise installations and cloud platforms through Google, IBM, Honeywell, IonQ, and D-Wave.

These systems range from hundreds to thousands of qubits (the quantum computing basic unit), and perform well with specialised tasks like optimisation, artificial intelligence development, and cryptography research. Yet, most experts note that quantum computers capable of cracking heavily used encryption remain several years out. 

Why organisations are falling behind on quantum preparedness 

Even with an uncertain timeline, ubiquitous encryption methods like RSA and ECC are expected to become vulnerable once quantum computers reach meaningful commercial scale. Organisations need to prepare for this day, but the process is far from simple.

The market is filled with conflicting guidance on when to act, how far to go, and what investment is really required. Some vendors recommend costly full-scale infrastructure overhauls, while others advocate for immediate migration to post-quantum algorithms that are still being standardised. 

Recent research highlights a troubling disconnect in organisational preparedness: 62% of global technology professionals believe that quantum computing could undermine today’s internet encryption standards, however, only 5% view it as a near-term priority. The same small share says their organisations have a defined plan to address the threat. 

This action gap is particularly concerning, given that bad actors are actively capturing encrypted data today with the intention of decrypting it once quantum capabilities mature.

Those organisations at increased risk due to managing sensitive long-term data, such as financial institutions, healthcare providers, and government agencies, need to pay close attention, or risk allowing hackers to get the upper hand. 

Three practical steps towards quantum readiness 

To build a plan for quantum maturity, security leaders should proceed with measured preparedness to avoid costly overreaction. These few focused actions can help organisations strengthen their readiness without disrupting operations. 

1. Build shared quantum security knowledge across the organisation 

No new technology can be successfully managed without employee buy-in and expertise. Organisations should invest early in training initiatives to set the right foundation. In more heavily regulated industries, teams should be encouraged to earn quantum security certifications. 

With the speed at which the technology is advancing, teams should also become familiar with the latest post-quantum cryptography research. In the US, The National Institute of Standards and Technology (NIST) continues to publish updates on its effort to evaluate and standardise quantum-resistant public-key algorithms. Tracking this work will enable security leaders to understand both the threat horizon and which protections are most viable. 

2. Map out a governance plan for quantum 

Security leaders should advocate for crypto agility throughout their organisation to ensure quantum considerations become part of everyday decision-making. When designing or updating systems, leaders should determine how adaptable they will be when quantum-scale threats emerge and what additional investments may be needed to reach that threshold. 

Adopting architectures that separate cryptographic components from business logic can help create long-term flexibility. This structure makes it easier to replace or upgrade encryption algorithms without major re-engineering. Automated monitoring, discovery, renewal, and revocation of digital certificates further reduces risk by eliminating manual tracking and enabling faster responses when standards shift. Leaders should also confirm that their new systems will be able to support updates to post-quantum standards and remain compatible with multiple cryptographic approaches in order to avoid being locked into unadaptable vendor systems. 

3. Prioritise systems and risks that matter most 

Perhaps most important is deciding where to act first. Organisations should map their risks and identify which systems need to be prioritised. Mapping takes time but is exponentially beneficial to determine where to act and where to wait. 

Some financial institutions are already testing their quantum readiness and determining which targeted updates to their critical systems can be implemented while pausing less urgent migrations. Several European banks successfully moved their payment systems to post-quantum cryptography. This type of targeted approach delivers security improvement within budget constraints and strategically allocates resources.  

From quantum risk to long-term resilience  

Quantum-driven change is inevitable. Preparing through education, crypto-agility, and deliberate prioritisation can strengthen organisational resilience today without requiring excessive spend in the future. Taking these balanced steps enables security leaders to cut through the noise and establish practical readiness early, and at a manageable cost. Even if quantum computing takes longer than anticipated to reach full commercial maturity, investing in stronger security foundations is never a decision organisations will look back on with regret. 

David McNeely is CTO of Delinea 

Follow Machine on LinkedIn