The Quantum Threat: Moving from Denial to Acceptance

Rob Stubbs
Updated: Apr 1, 2025

The threat posed by quantum computing to cryptography, which underpins the security of our digital world, is a wake-up call for every business.

A powerful quantum computer, once created, will be able to break many of the cryptographic algorithms in use today, such as RSA and ECDSA [2]. This approaching singularity is sometimes referred to as “Y2Q” or “Q-Day”, and will render virtually all our electronic communications, websites, e-commerce, and even cryptocurrencies insecure.

As organizations try to process this impending catastrophe they pass through the classic “five stages of grief”, which supposes that those experiencing sudden grief following an abrupt realization or shock go through five emotions: denial, anger, bargaining, depression, and acceptance [1].

1. Denial

The first reaction for most organizations is denial: “I don’t think it will ever happen, so I don’t need to worry about this”.

Certainly, we don’t yet know when a cryptographically-relevant quantum computer (CRQC) will become feasible – 3 years? 5 years? 10 years? 15 years? And there is even a small, but finite, possibility that it may not happen in our lifetimes.

However, there is well-funded research going into quantum computing within government, academia, and the world’s largest tech companies. (Not just to break cryptography, but to solve other intractable problems, too.)

And we know that, when a CRQC appears, the impact will be devastating. And even before that, we face the threat of “harvest now, decrypt later” attacks. Mitigating the quantum threat will require a major effort over many years … which means starting today.

National security agencies and industry bodies have already published guidance and timelines [3,4,5,6,7]. So clear is this guidance that, in many cases, it actually deprecates the use of today’s quantum-vulnerable algorithms within the next 10 years in favour of new quantum-safe algorithms or “post-quantum cryptography” (PQC).

Thus, whatever you think, you really have no choice. The rest of the world isn’t going to wait for you, so you’d better jump on board. Laggards will be the low-hanging fruit for malicious actors.

2. Anger

The next reaction is anger: “I really don’t need this - I’ve got enough problems already”.

Organizations face an unprecedented level of cyber threat today in an increasingly volatile world, accompanied by all the uncertainties and risks posed by AI technology. Budgets are stretched, resources are limited, skills are scarce.

Yes, there may be other crocodiles nearer the boat than the quantum computing threat; but quantum computing is the biggest crocodile you’ve ever seen, and you’re going to need a bigger boat! (Crocodiles, sharks – whatever!)

It’s time to get over it and start building that bigger boat.

3. Bargaining

What are you going to do? “Surely there is some other solution?”

Definitely, I can think of a few:

  • Pray that no-one succeeds in building a large quantum computer
  • Alter the laws of physics
  • Rub a magic lantern to get three wishes
  • Go off-grid and live in a cave

Will any of these work for you?!

BTW, beware “security vendors” peddling non-cryptographic solutions – this is all snake oil, so don’t waste your time and money going down this rabbit hole.

4. Depression

Now depression sets in: “This is a disaster, how am I going to cope?”

You’re starting to get it! This is real, it’s happening, time to wake up and smell the coffee. Yes, it’s going to take a lot of work, and it’s going to cost a lot of money. There’s no time to waste.

But you’re not alone. Every organization faces the same problem, and there is a lot of advice available. Work with your suppliers, your partners, industry bodies. Attend conferences, read white papers. The best way to beat fear and depression is with knowledge. Arm yourself for the battle ahead.

5. Acceptance

Finally: “I guess I’m really going to have to do this.”

You made it! Congratulations, you’ve reached the final stage. Now the real work starts. Buckle up. Start making plans. Whatever you do, start doing something.

My thanks to Santosh Pandit (Senior Manager at the Bank of England Prudential Regulation Authority and creator of Kyber.Club) for suggesting what the next four stages should be: ambition, action, implementation, optimisation. 

6. Ambition

Set a goal: “We are going to do this ourselves and with stakeholders in 12 months for PoC.”

Create a plan. Build the team. Acquire the knowledge. Don’t be overly ambitious to start with.

One of the first things you need to do is discovery, i.e. assessing your estate to understand which services and infrastructure that depend on cryptography need to be upgraded to PQC. Tools like Fortanix Key Insight can assist with this.

Visit Kyber.club to familiarise yourself with post-quantum algorithms and learn how to use them.

Start liaising with your supply chain. Set PQC goals for your suppliers, build it into the contracts. Maybe you need to switch suppliers if your current ones are still in denial.

7. Action

Now you’re making progress! “We have a competent team of internal and external experts. Get on with it.”

Keep going. Learn and iterate. Complete your discovery, assessment and planning. Build a cryptographic inventory. Prioritise.
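
As an added illustration (not code from this article or from any Fortanix product), here is one way to turn a cryptographic inventory into a priority list. The scoring rule is Mosca's inequality, a common heuristic the article does not itself mention: an asset is urgent when the years its data must stay secret plus the years needed to migrate it exceed the assumed years until a CRQC. The asset names, field names and year values are constructed assumptions.

```python
from dataclasses import dataclass

# Public-key families that Shor's algorithm breaks on a CRQC.
QUANTUM_VULNERABLE = ("RSA", "DSA", "DH", "ECDH", "ECDSA", "ED25519", "X25519")
# NIST-standardised post-quantum families (FIPS 203, 204, 205).
QUANTUM_SAFE = ("ML-KEM", "ML-DSA", "SLH-DSA")
ORDER = ["migrate-now", "review", "migrate-planned", "ok"]

@dataclass
class Asset:
    name: str
    algorithm: str        # as found during discovery, e.g. "RSA-2048"
    use: str              # "key-exchange", "encryption" or "signature"
    secrecy_years: int    # how long protected data must stay confidential
    migration_years: int  # estimated time to move this asset to PQC

def family(algorithm):
    """Map 'ECDH-P256' or 'ML-KEM-768' to its family, else 'UNKNOWN'."""
    alg = algorithm.upper()
    known = QUANTUM_VULNERABLE + QUANTUM_SAFE
    return next((f for f in known if alg.startswith(f)), "UNKNOWN")

def exposure(asset):
    """Years the asset depends on its current algorithm. Recorded ciphertext
    stays at risk for its whole secrecy period (harvest now, decrypt later);
    signatures are simplified here to the migration window only."""
    if asset.use in ("key-exchange", "encryption"):
        return asset.secrecy_years + asset.migration_years
    return asset.migration_years

def triage(asset, crqc_years):
    fam = family(asset.algorithm)
    if fam in QUANTUM_SAFE:
        return "ok"
    if fam == "UNKNOWN":
        return "review"  # not classified here: needs a human decision
    return "migrate-now" if exposure(asset) > crqc_years else "migrate-planned"

def prioritise(assets, crqc_years):
    """Return (name, verdict) pairs, most urgent first."""
    rows = [(a.name, triage(a, crqc_years), exposure(a)) for a in assets]
    rows.sort(key=lambda r: (ORDER.index(r[1]), -r[2]))
    return [(name, verdict) for name, verdict, _ in rows]

# Constructed sample inventory, not real systems.
INVENTORY = [
    Asset("public-web-tls", "RSA-2048", "key-exchange", 1, 1),
    Asset("vpn-gateway", "ECDH-P256", "key-exchange", 10, 2),
    Asset("firmware-signing", "ECDSA-P384", "signature", 0, 3),
    Asset("archive-backup", "ML-KEM-768", "key-exchange", 25, 0),
    Asset("legacy-hsm", "GOST-2012", "signature", 0, 2),
]
```

Calling `prioritise(INVENTORY, 5)` and `prioritise(INVENTORY, 15)` shows how the uncertainty about the CRQC date changes the ranking: the long-lived VPN traffic is urgent under the shorter horizon only.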

Remember, it’s a marathon, not a sprint. Indeed, the goal is not a one-time migration to PQC algorithms, but achieving true, on-going crypto agility – i.e., the ability to switch algorithms quickly and painlessly whenever necessary.

8. Implementation

This is where the rubber hits the road: “We’re rolling it out - systems update, teams adapt.”

This is going to be a whole lot easier if you have a holistic view of all your cryptographic keys and consuming applications across your on-prem and cloud estate. This is where an enterprise key management system (KMS) like Fortanix Data Security Manager is invaluable.

9. Optimisation

Success! “It’s working - refine, secure, scale-up.”

You’ve conquered the quantum threat and got the battle wounds to show for it. Now you’re into continuous improvement territory.

The acid test is: are you prepared for one of the new PQC algorithms you’re using to be weakened or broken by advances in cryptanalysis or quantum techniques? Can you switch quickly to a different one?

References

[1] https://en.wikipedia.org/wiki/Five_stages_of_grief
[2] https://en.wikipedia.org/wiki/Shor%27s_algorithm 
[3] https://www.ncsc.gov.uk/guidance/pqc-migration-timelines 
[4] https://digital-strategy.ec.europa.eu/en/news/commission-publishes-recommendation-post-quantum-cryptography 
[5] https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/3498776/post-quantum-cryptography-cisa-nist-and-nsa-recommend-how-to-prepare-now/ 
[6] https://www.cyber.gov.au/resources-business-and-government/governance-and-user-education/governance/planning-post-quantum-cryptography 
[7] https://www.fsisac.com/knowledge/pqc
