Cryptography is the unsung hero of digital security. It is the technology that lives at the heart of every message we send, every digital payment we make, and every secure website we visit. Despite its ubiquity, cryptography has remained largely unchanged for decades because it’s stable, reliable, and – simply – it works.
But for the first time in a generation, things are changing drastically and this is requiring every organization to pay attention and adjust their security infrastructure. Quantum computing is making the previously impenetrable systems vulnerable, thanks to the sheer computing power of next generation machines. As such, companies must switch to quantum-resistant cryptography.
Before you can migrate, you need a cryptographic inventory and a risk assessment. In other words, you need to know what cryptography you are using, where it is deployed, and how critical it is to your systems and data.
That is where many organizations realize they have a problem. Far too often, they don’t know the answer to these questions.
Back to basics: What cryptography protects
QuantumGate joined CyberQ, a global forum hosted by the UAE Cybersecurity Council and the Technology Innovation Institute, focused on the intersection of AI, quantum computing, and next-generation cybersecurity. During the event, the company’s CTO Janne Hirvimies discussed the four fundamental goals of cryptography: confidentiality, integrity, authenticity, trust. He also explained that cryptography protects data in transit (moving between devices) and data at rest (stored on servers, laptops, phones and cloud environments).
Decades of only incremental upgrades, rather than fundamental change, have enabled public keys, which manage digital trust, to spread everywhere. And because it ‘just worked,’ most organizations never tracked where cryptography was deployed. Now, we have widely used security algorithms quickly becoming obsolete and companies are struggling to take stock of their current infrastructure.
Why a once-stable foundation is now at risk
Over the years, public-key cryptography has remained reliable because the mathematical problems behind it were too complex for classical computers to solve. That assumption is now changing. Advances in quantum computing are accelerating rapidly, with new breakthroughs emerging almost monthly. Researchers are optimizing quantum algorithms like Shor’s, while hardware capabilities continue to improve. Taken together, these factors are shrinking the timeline for when quantum attacks become feasible.
As Janne Hirvimies noted in his CyberQ keynote, the global ‘quantum threat clock’ has moved faster than anyone expected, compressing multi-year forecasts into just a few. Once a cryptographically relevant quantum computer exists, today’s widely used public-key algorithms can be broken, leaving current systems exposed. We don’t have to wait until that day to arrive for the threats to become real because of the risk posed by ‘harvest now, decrypt later’ attacks. Bad actors can intercept encrypted data today, store it, and decrypt it in the future when quantum technology enables them to.
You can’t migrate what you can’t see
After creating a strategy, which informs the action you will take, the first vital steps in preparing for post-quantum cryptography are discovery and inventory. Most organizations don’t know where their cryptography currently lives because ownership is fragmented across network, application and system teams. Each team assumes cryptography responsibility lies with one of the other teams, and as a result management falls through the cracks.
Discovery starts with a detailed assessment, identifying keys, certificates, libraries, protocols, and algorithms across systems, applications and networks. The process can be manual, automated or hybrid, although fully automated discovery is not yet realistic for many organizations. This stage is important because environments are complex, with legacy systems, third-party components and embedded devices to consider.
During the discovery stage, organizations sometimes uncover issues unrelated to post-quantum cryptography, such as already obsolete or insecure algorithms, which is a sign that discovery should have been happening for years.
Then comes the inventory process. Here, you map the assets you discovered at the previous step and start to develop a structured understanding of where the cryptography is deployed, which systems rely on it, which keys and certificates underpin critical functions, and how assets tie to data classifications and system topology.
From visibility to migration: A long-term journey
Migration is a journey that involves years of iteration. Starting the discovery and inventory process early accelerates planning, while delaying discovery pushes organizations into rushed and risky transitions. The journey begins with strategy, followed by discovery and inventory, assessment, remediation, and ongoing monitoring.
Underpinning each stage of the journey is an understanding of the fact that post- quantum cryptography is no longer a theoretical concern. The timelines are compressing, regulations are emerging, and adversaries are already planning for the future.
For organizations, the challenge begins with understanding the foundations they already rely on. Cryptographic discovery and inventory provide that visibility, turning an abstract risk into an actionable plan. By starting now, organizations can move deliberately rather than reactively, building resilience into their security infrastructure and ensuring trust remains intact in a post-quantum world.