As a post-quantum cryptography (PQC) consultant and doctoral researcher, I have observed an increasing awareness among organizations about the future quantum threat. While awareness is growing, the path toward adopting PQC and achieving crypto agility remains challenging, with obstacles that greatly differ across industries.
Understanding customer maturity
When it comes to PQC readiness, most organizations fall into three categories:
- Explorers: These organizations are just beginning to learn about PQC. They often lack internal expertise, which makes understanding the urgency and technical requirements difficult. For instance, a mid-sized healthcare provider may recognize the quantum threat but struggle with the technical complexities of PQC integration. The healthcare industry, indeed, often faces additional obstacles where they need to invest heavily in patientcare and compliance, leaving minimal resources for advanced cybersecurity initiatives or they may have to deal with an outdated IT infrastructure, which is not designed for easy upgrades.
- Early adopters: Financial services companies are leading the way here, experimenting with PQC in specific areas like secure communications. But their legacy systems make full-scale adoption overwhelming. For example, a financial institution might be eager to pilot quantum-resistant algorithms but find it difficult to integrate those into older applications critical to daily operations.
- Leaders: A select few, often in the technology sector, are proactively pursuing quantum-resistant solutions. However, even they struggle to apply these advancements across their entire infrastructure. A global tech firm may successfully implement PQC for cloud services yet face difficulties extending it to on-premises systems used by their clients.
Why are there such disparities among the ecosystem actors?
Several recurring common challenges are slowing PQC adoption progress. Here are the leading ones:
Many organizations lack the necessary expertise and financial resources to assess and implement PQC solutions effectively. This is particularly evident in industries like healthcare, where cybersecurity is often underfunded, leaving little room for innovation.
Governments and defense organizations often operate on outdated systems that were not designed with crypto agility in mind. Upgrading these systems to accommodate PQC is complex and costly.
The absence of standardized global regulations creates uncertainty, causing organizations to hesitate in adopting PQC solutions without clear compliance guidelines.
Industry progress: Who is leading the way?
The adoption of PQC varies significantly across industries, with leaders and late adopters facing unique challenges and opportunities.
- Financial services: With a strong focus on protecting sensitive data, financial institutions are the most proactive, but balancing innovation with regulatory demands remains a challenge here.
- Healthcare: Despite handling highly sensitive information, PQC adoption in this industry is delayed because of competing priorities and limited resources.
- Government and defense: Progress is restrained due to the complexity of integrating PQC into huge, critical systems. However, their awareness of quantum threats is strong.
- Technology: Tech companies, particularly in cybersecurity and cloud computing, are agile enough to adopt PQC quickly. Their challenge lies in scaling these solutions for diverse customer needs.
2025: The year for crypto agility?
If 2025 is to be the year of crypto agility, organizations need to embrace its value beyond just security. Crypto agility is about resilience, the ability to adapt seamlessly to new cryptographic standards as threats evolve.
- Why it matters
Imagine a logistics company with an extensive digital supply chain. Without crypto agility, a cryptographic vulnerability could disrupt operations, exposing sensitive data. With agile systems, the company can quickly spin to quantum-resistant algorithms, avoiding downtime and reputational damage.
- How it’s happening
More organizations are designing modular cryptographic architectures, making transitions less disruptive. For example, for a company that implements dual cryptographic layers, this setup would allow them to continue using traditional encryption while testing and gradually deploying PQC.
Learn more about how crypto agility is evolving in 2025 as explained by Vasco Gomes in this article.
Towards the quantum shift: Strategic imperatives for 2025
The quantum era is no longer a distant possibility. It is quickly approaching. As organizations prepare for this shift, PQC and crypto agility are not just technical upgrades; they are strategic business imperatives. Transitioning is not easy, but those who invest in understanding their cryptographic landscapes, address internal challenges and adopt a phased approach will lead in a quantum-secure future.
Find out more about crypto agility and how you can get started on your own cyber resilience journey. Connect with me.
Speak to Eviden’s cybersecurity experts to partner with the digital transformation expert and cybersecurity consultant for a transformative experience.
