The fact that the date of ‘Q-Day’ is unknown may ultimately be irrelevant, since post-quantum encryption is on track to become a business and compliance obligation in coming years, experts tell CRN.
For cybersecurity teams continually bombarded with new threats, turning their attention toward an uncertain, future risk like quantum computing can feel a bit ridiculous.
The question — “‘why are we even talking about this?’” — is not at all uncommon when it comes to the potential data security threat from ultra-powerful quantum computers, according to veteran cryptography specialist Jason Soroko.
“There are so many problems in front of a CISO right now that something that’s even six months away sounds like forever,” said Soroko, senior fellow at Sectigo, a provider of digital certificate management. “Something that’s five years away — that’s an eternity.”
[Related: Cybersecurity Week 2025]
As has been known for years, the advancement of quantum computers — an entirely new form of computing power based on the principles of quantum mechanics — could render existing data encryption methods obsolete in the future.
However, the date when this unprecedented threat to data could manifest, referred to as “Q-Day,” is impossible to predict. That has made preparing for the transition to post-quantum cryptography difficult to prioritize for many organizations.
What many don’t realize is that preparations need to begin well in advance if organizations want to have a chance of protecting their data from potentially quantum-empowered threat actors of the future, experts told CRN.
Soroko, for instance, said he has spoken with numerous teams at risk-averse organizations that have already begun post-quantum preparations, and there’s a common theme in their experiences.
“For everybody who has put resources on it, they come to a stage where they’re having a ‘holy smokes’ moment — ‘Wow, this is going to be a lot bigger than I thought it was going to be,’” he said.
It’s also becoming increasingly clear that undertaking preparations for shifting to quantum-resilient cryptography may not be optional for much longer. In fact, post-quantum encryption appears on track to become a business and compliance requirement in coming years, regardless of uncertainties around the date of “Q-Day,” according to experts.
Countdown To 2030
A number of government standards bodies, including in the U.S., have sought to expand the focus beyond the hypothetical Q-Day as an incentive to spur action on the post-quantum data security threat.
Instead, many of the standards setters are targeting 2030 as the timeframe for the shift to post-quantum cryptography, at least for essential IT assets.
“They’re all making recommendations on, at a minimum, moving your most critical workloads to quantum resistance by 2030,” said Ted Shorter, CTO of identity security vendor Keyfactor, which provides capabilities for assembling a cryptographic inventory.
“That makes the actual Q-Day irrelevant,” Shorter said. “Because these [guidelines] are going to find their way, as they always do, into compliance frameworks and things that have actual financial repercussions.”
Initial Steps
The first phase of preparations for most organizations should focus on assembling an inventory of all cryptographic assets — creating a map of all the places and ways that encryption is used across an organization, experts said.
Even that initial step, however, is proving to be a struggle in many cases, according to Doug Saylors, partner at research and advisory firm ISG.
“They don’t know enough about their concurrent computing platforms to know what applications run on which computers,” Saylors said.
As part of its major push around the post-quantum encryption shift, DXC Technology, No. 14 on CRN’s Solution Provider 500 for 2025, is working with a number of customers on getting their cryptography assets organized. Without a doubt, it’s a “fairly steep hill to climb,” said Douglas Skirving, lead consultant for key and certificate services EMEA at DXC.
“There’s no formal inventory, so they don’t really know what they have,” Skirving said. “Because if you don’t know what you have, then you’re unable to pivot away from classic encryption to quantum resilience.”
To stay on track for the targeted 2030 migration date to post-quantum encryption, many organizations should be aiming to complete their cryptography asset inventory by the end of 2026, according to Saylors.
After that, the planning and performing of replacements for encryption systems can get underway — “and then you should be good by 2028-2029,” he said.
The work is not done at that point, however, experts said.
Supply Chain Considerations
Among other things, the post-quantum preparedness of vendors and supply chains will need to be assessed as well, said Naasief Edross, chief security strategist at World Wide Technology, No. 9 on CRN’s Solution Provider 500 for 2025.
“No amount of work that a customer does [on post-quantum encryption] will hold the security fabric together, if a supplier that they use is not going to do that,” Edross said.
For example, if an organization transfers their data to a supplier — but the supplier hasn’t transition to quantum-resistant encryption — “then my data that’s transferred out of my walls, that was secure, is now vulnerable,” he said.
Therefore, “you have to ask the question of your vendors, of your suppliers — ‘How are you dealing with getting to quantum-safe levels of encryption?’” Edross said.
Coming To Contracts?
Eventually, the shift to post-quantum encryption may be obligatory for organizations if only for the sake of winning or keeping business with clients, experts told CRN.
While it’s still a bit early for quantum-resilient cryptography to become part of due diligence and contractual processes, this is certainly a possibility for the future, according to Edross.
“I think that it could show up on security questionnaires,” he said. “A facet of the security questionnaires could be, ‘Tell us what you’re doing to get to quantum-resistance.’”
Crucial Role For MSPs
Given the near-universal implications from the post-quantum shift — and the likelihood of regulations and contractual obligations coming down the road — SMBs will be affected and will need to prepare like everyone else, experts said.
In many cases, however, they will be looking to their MSPs to lead the way, according to Keyfactor’s Shorter.
The typical SMB will be “expecting that it’s not their problem. It’s [the MSP’s] problem to fix for them, and make sure that they’re moved in time to be compliant,” he said. “The MSPs are going to need to be planning for that. Because by the time their customers come to them asking about it, there will be a very short timeframe that they’ll have to do all of this.”
Without question, the quantum computing threat to data security is not just about the risk-averse enterprise, according to Sectigo’s Soroko.
“It is absolutely everyone. So the MSPs have a gigantic role to play here,” he said. “And what I would tell any MSP organization right now is, you are in a perfect position as a service provider to start taking overall inventory of cryptographic assets.”
Not Just ‘Another Y2K’
While the post-quantum cryptography shift ahead of Q-Day has drawn frequent comparisons to circa-1990s preparations for Y2K, the similarities only go so far, experts told CRN.
Where the analogy does work is around the need for preparedness and coordination well in advance of the event itself.
But the most obvious contrast — Y2K had a fixed date, while the timing of Q-Day may never be known in advance — is just one of many major distinctions, according to experts.
Other differences include the fact that the post-quantum shift is likely to be far more complex and multi-faceted than the comparatively basic fixes to computer systems that were necessary to address the Y2K issue.
“The challenge with IT and legacy software systems is that it’s very hard to find where the problems might be. And there’s always going to be things that aren’t patched,” said Kurt Rohloff, co-founder and CTO of Duality Technologies, a secure data collaboration platform provider. “If you even just look at day-to-day software patching — things are never patched fast enough.”
Additionally, while the world was able to move on from Y2K almost immediately, Q-Day could be just the beginning of the need to stay ahead of threat actors, such as hostile nation states that might develop or acquire quantum computing technology down the road.
At IBM, which is a major developer of quantum computers (pictured above), the expectation is that encryption posture will need to be continually kept up to date as a result of ongoing advancements in the technology, according to Suja Viswesan, vice president for security and runtimes products at IBM.
“With Y2K, once you crossed it, you were done,” Viswesan said. “This time [with Q-Day], that is not the case.”
At the same time, it’s certainly crucial for the preparations for Q-Day to be a top-down exercise in most organizations, as they were for the ultimately successful push to prevent a Y2K catastrophe, experts said.
“Y2K wasn’t solved because a bunch of people in the trenches decided to solve a big problem,” Soroko said. “They were directed to do so. And the resources to do it right were put together by the people who own the risk.”
Whether that happens again, in the run-up to Q-Day, “will determine whether we’re successful as a society in getting through this.”