It may be a while more before quantum computing is able to break current cryptography, but the pave to quantum-safe systems is long and companies that are tardy in their transition will face higher risks.
Cryptography today is applied in daily tasks, including data protection, and its security has been guaranteed by the complexity of the algorithm used. It has remained impenetrable because no compute power is available to crack it.
However, this will change with advancements in quantum computing, said James Cook, Asia-Pacific head of DigiCert.
He pointed to Gartner’s forecast that, by 2029, advances in quantum computing will make conventional public key cryptographic algorithms unsafe to use.
The research firm also predicts that quantum computing will fully break asymmetric cryptography by 2034.
“2029 isn’t that long away,” Cook said in a video call with FutureCIO, stressing the need to act now because significant work is required to prepare for a post-quantum environment. “The quicker you start, the better you can deal with that future.”
Migration timelines are long and dependencies are complex, concurred Alexandra Beckstein, CEO and founder of QAI Ventures, a Switzerland-headquartered venture capital that focuses on quantum technology. It also has outfits in Singapore and Tokyo.
Beckstein noted that most businesses do not have a full inventory of where cryptography sits within their infrastructure.
Replacing or upgrading systems would involve vendors, hardware, embedded software, and global supply chains, she told FutureCIO.
Waiting until quantum capability is fully mature to do something would compress transition timelines into a high-risk window, she cautioned.
Furthermore, quantum isn’t just a defensive play about security. “It is an offensive opportunity,” she noted. “Institutions that build internal literacy early will be positioned to explore optimisation, simulation, and risk modelling advantages before their competitors.”
“The real differentiator will not be access to a quantum computer. It will be readiness,” Beckstein said. “Governance, talent, and infrastructure alignment must begin well before large-scale systems are commercially widespread.”
Cook expects companies to take definitive action this year and build specific plans to manage what they now see as a real challenge, rather than simply a science project, that needs a real strategy to address.
Tech vendors, too, have started building quantum-safe solutions into their products, further signalling the urgent need to transition to these systems, he said.
Quantum readiness critical as machine identities rise
DigiCert further believes that machine identities will outnumber humans 100 to 1. This will push the need for PQC-ready (post-quantum cryptography) identity frameworks to be mandatory, as standards industry bodies embed quantum-safe algorithms into device ecosystems.
Security increasingly will go beyond simply protecting systems and about proving integrity across every digital interaction.
Cook explained that the definition of end-points has changed as the number of devices, including IoT (Internet of Things) sensors, has outpaced users, and will continue to grow exponentially with the emergence of agentic AI.
It means that digital certificates and PKI (public key infrastructure), the most common way to secure devices, including AI agents, also will increase significantly.
This proliferation of devices, alongside certificates, will add even more complexity for companies looking to migrate to post-quantum algorithm, Cook said.
According to DigiCert, organisations looking to initiate post-quantum security pilots will likely face interoperability hurdles, as certificate and software systems adapt to quantum-safe requirements.
Quantum computing will fundamentally alter the foundations of modern cryptography, Beckstein said.
Much of today’s digital security, from banking systems to government communications, relies on encryption methods, such as RSA and elliptic curve cryptography. These are secure against classical computers, but vulnerable to sufficiently advanced quantum machines, she said.
“Quantum doesn’t just threaten encryption; it rewrites the rules of trust in the digital economy,” she noted. “The real risk is not only future attacks, but the ‘harvest now, decrypt later' threat, where encrypted data captured today could be decrypted once quantum capability matures, exposing long-lived sensitive information.”
To safeguard themselves, organisations need early, structured preparation rather than reactive change, she said.
They should move towards crypto-agility, with the ability to upgrade cryptographic standards to new quantum-secure post-quantum-cryptographic algorithms, without having to overhaul entire systems.
They also will need to map where encryption sits across infrastructure, vendors, and supply chains, Beckstein said.
Quantum is not only a disruption, but an opportunity, enabling stronger security models such as quantum key distribution, she said.
“The strategic question is not whether quantum will impact security, but whether organisations are preparing early enough to transition on their own terms rather than under pressure,” she noted.
Forrester’s 2026 predictions highlight that more than 90% of Asia-Pacific organisations will invest in post-quantum technologies, amidst concerns about “harvest now, decrypt later” attack tactics.
The research firm pointed to government initiatives across the region that would drive investments in quantum security, focusing on migration planning and cryptographic inventory solutions. These include Singapore’s National Quantum-Safe Network Plus and India's National Quantum Mission.
Singapore to offer quantum handbook
Singapore’s Cyber Security Agency (CSA) in October unveiled its quantum-safe handbook and readiness index for public consultation. The two initiatives aim to offer organisations, including government agencies and critical information infrastructure owners, guidance on preparing for and transitioning to quantum-safe systems.
CSA noted that while quantum computing has the potential to drive transformative breakthroughs across industries, it also poses the “quantum threat”, where sufficiently powerful quantum computers could undermine the cryptographic systems safeguarding existing digital infrastructure.
This would put critical data and core business functions at risk, including secure communications, financial transactions, and identity management.
“Although the timeline for quantum threat remains uncertain, proactive preparation is essential,” CSA said. “The migration to quantum-safe solutions is a complex multi-year endeavour that needs early planning, resource allocation and coordination across systems, products, and processes.”
A quantum-safe handbook should move beyond abstract awareness and provide a structured pathway from assessment to implementation, Beckstein said.
It should guide organisations through cryptographic asset discovery, risk prioritisation, vendor engagement, and phased migration planning, she added.
Practical checklists and sector-specific examples also will be critical to ensure adoption, she said.
As for the readiness index, it should create a shared maturity language across industries, she noted.
“Clear stages, from initial awareness to operational quantum-safe deployment, allow boards and regulators to track progress consistently,” Beckstein said. “It should not merely score organisations. It should generate actionable next steps and highlight ecosystem dependencies, particularly in supply chains and managed services.”
Cook also advised companies to carry out discovery exercises, including where their crypto assets are, what certificates are being used, and the services and applications they secure.
This will enable enterprises to better understand what they are dealing with, he said.
They then should determine what to prioritise in their quantum-ready migration, he added. For example, customer data that must be secured and retained for 25 years due to regulatory requirements, is probably an area that businesses need to focus on first.
They also should run tests using the latest quantum-resistant algorithm to ensure it does not break their applications, before proceeding with the migration, he said.
