Quantum Security & PQC News

Future Encrypted: Post-Quantum Cryptography Tops the Cyber Agenda – Key Insights for CISOs

15 Jul 2025 – A new Capgemini Research Institute report, “Future Encrypted: Why Post-Quantum Cryptography Tops the New Cybersecurity Agenda”, reveals that while awareness of the quantum threat is rising at the executive level, organizational readiness is dangerously lagging. Nearly two-thirds of businesses now see quantum computing as the most critical cybersecurity threat of the next 3-5 years. “Quantum readiness isn’t about predicting a date – it’s about managing irreversible risk. Every encrypted asset today could become tomorrow’s breach if organizations delay adopting post-quantum protections,” warns Capgemini’s Global Head of Cybersecurity Marco Pereira. For CISOs, the message is clear: waiting until “Q-day” (the day quantum computers can break current crypto) is not an option – the groundwork for post-quantum cryptography (PQC) must begin now.

Awareness vs. Readiness: A Reality Check

The good news is that quantum safety is finally on the C-suite agenda in many organizations. 70% of large enterprises surveyed are either assessing or already deploying quantum-safe measures (these are the “early adopters”). Regulatory pressure is a big driver – in fact, 70% cite new mandates as pushing them toward PQC adoption. Industries handling high-value secrets are leading the charge; defense and banking firms are moving fastest on PQC, whereas consumer sectors like retail are showing far less urgency.

However, this surge in awareness masks a critical gap: readiness. Capgemini’s data shows that only 15% of those early adopters qualify as “quantum-safe champions” with truly mature programs. In other words, barely one organization in ten is combining strong governance with technical execution to tackle the quantum threat. The majority, 85%, remain in the early stages. About half of the “early adopters” are merely experimenting or running pilot projects with PQC (often alongside cloud or specialist vendors) and few have a clear roadmap for enterprise-wide transition. Virtually none have fully transitioned their IT stack to PQC yet. And alarmingly, 30% of companies are still ignoring the quantum threat entirely – treating it as a distant problem, with no budget or staff allocated to cryptographic migration. This complacency is a strategic mistake: these laggards are risking a “crypto gap” where data harvested today could be decrypted in the near future. As Pereira puts it, every month of delay increases the window of exposure.

Even among the aware, many organizations underestimate the scale of the challenge. Migrating to PQC isn’t a simple patch; it’s a massive overhaul of applications, libraries, keys, and infrastructure. “CISOs underestimate the scale of transformation… Migration involves recompiling apps, replacing crypto libraries, rotating keys and updating HSMs, reissuing certificates – everyone soon will be scrambling for the same scarce quantum-safe talent,” the report cautions. In short, the clock is ticking, and those who aren’t preparing now may find themselves years behind when the quantum breakthrough arrives.

Meet the Quantum-Safe Champions (and Everyone Else)

Capgemini identifies a small vanguard of “quantum-safe champions” – about 15% of organizations – that are significantly ahead in their post-quantum preparations. What sets these leaders apart? In a nutshell, they treat PQC as urgent and strategic, not as a science experiment. Compared to others, champions exhibit several distinguishing behaviors and investments:

  • They foresee the threat sooner: 44% of champion organizations believe Q-day will strike within five years, versus just 17% of typical early adopters. This drives urgency in their planning.
  • They’ve secured budget and approvals: 23% of champions already have budgeted or approved PQC initiatives in the near term, compared to only 10% of others. On average, champions are dedicating 2.7% of their cybersecurity budgets to quantum-safe programs – versus about 2.0% among other early adopters.
  • They have a transition timeline: Nearly half (48%) of champions plan to start the PQC transition in the next 1–2 years, whereas most others have more distant or undefined timelines (only 28% of typical firms plan to start within two years). Champions aren’t waiting for the threat to become immediate; they’re acting proactively.
  • They’re taking a comprehensive approach: Champions excel in both organizational strategy (governance, planning, policies) and technical groundwork (cryptographic inventory, infrastructure upgrades). They are more likely to have a formal roadmap, updated crypto policies, skilled personnel, and vendor engagement for PQC, whereas others often lack one or more of these pillars.

To illustrate the gap, the table below summarizes how quantum-safe champions differ from the rest across key preparedness factors:

| Capability | Quantum-Safe Champions (15%) | Other Organizations (85%) |
|---|---|---|
| Strategy & Roadmap | Board-approved, enterprise-wide PQC roadmap aligned to official timelines; clear migration phases. | No formal migration plan; PQC seen as a distant, long-term issue. |
| Policy & Governance | Crypto policies updated with PQC requirements; central crypto governance enforcing standards and audits. | Cryptography policy is outdated or absent; no dedicated governance for PQC. |
| Budget & Resources | Multi-year budget ring-fenced for PQC migration and operations. | No dedicated budget (funding not scoped or only reactive). |
| Workforce & Skills | Dedicated “quantum SWAT team” or task force in place; ongoing PQC training programs to build internal skills. | PQC knowledge limited to a few engineers; no formal training or awareness programs. |
| Threat Assessment | Dynamic risk modeling for quantum threats (e.g. projecting “harvest-now, decrypt-later” timelines) regularly informs strategy. | Little to no analysis of quantum threat impact; no harvest-now/decrypt-later scenario planning. |
| Supply Chain | Vendors and partners are required to be crypto-agile; PQC clauses in contracts/SLAs, with shared migration roadmaps and regular compliance checks. | Vendors not engaged on PQC at all; no PQC requirements in RFPs or contracts, creating hidden vulnerabilities. |
| Cryptographic Inventory | Continuous, automated cryptographic inventory maintained (covering algorithms, keys, certificates across systems). | No systematic inventory of cryptographic assets; algorithm usage and exposures are largely unknown. |
| Technical Readiness | Standardized PQC algorithms are being integrated and tested in systems; legacy infrastructure upgrades and hybrid (classical+PQC) solutions piloted. | Very limited pilots or isolated PoCs; most infrastructure (applications, hardware, devices) remains non-PQC-ready. |
Table: How “Quantum-Safe Champions” differ from others on key PQC readiness dimensions. Champions combine strong governance with technical execution, whereas most others show gaps across strategy, policy, inventory, and supply chain engagement.

The practices of these champions offer a blueprint for everyone else. Not every organization will move at the pace of a telecom or defense contractor (sectors which, notably, have the highest share of champions), but every CISO can learn from their playbook. The takeaway is that PQC preparedness isn’t piecemeal – it requires holistic effort spanning governance, technology, and ecosystem collaboration. Organizations that fail to address any of these areas will have an Achilles’ heel for adversaries to target.

Crypto-Agility and Supply Chain: Mind the Gaps

A recurring theme in Capgemini’s report is the importance of crypto-agility – the ability to rapidly swap out cryptographic algorithms and protocols without major disruption. In a post-quantum world, crypto-agility is king. Standards will evolve (NIST has selected initial PQC algorithms, but new threats or improvements could emerge), so systems must be designed to adapt easily. Leading organizations are already baking this agility into their architectures and policies. For example, some have upgraded libraries and hardware security modules that support new algorithms, and they enforce upgrade timelines in vendor SLAs to avoid getting stuck with non-compliant products. The report explicitly recommends “designing for crypto-agility to adapt as standards evolve.”
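As an added illustration of the crypto-agility pattern described above (and of recommendation 4 later in this article), the following Python example is mine, not code from the article or the Capgemini report. It shows the three design elements that make an algorithm swap routine rather than disruptive: every protected object carries an algorithm identifier, algorithms live in a registry instead of being hard-coded at call sites, and a single policy object decides which identifier is used for new objects and which ones are still accepted for verification while legacy objects are re-protected. HMAC over SHA-2 and SHA-3 stands in for the signature or KEM schemes a real deployment would register (for instance a classical + ML-DSA hybrid); the algorithm ids, policy names, key and message are constructed.

```python
"""Crypto-agile protection envelope (added example, not the article's code).

Every envelope is "v1:<algorithm-id>:<hex tag>". Callers never name an
algorithm directly; they hand in an AlgorithmPolicy, so moving from one
scheme to a hybrid and then to the target scheme is a policy change only.
"""
import hashlib
import hmac
from dataclasses import dataclass

ENVELOPE_VERSION = "v1"

# Registry: algorithm id -> function(key, data) -> tag bytes.
# Adding a scheme is one registry entry, never an edit to the callers.
REGISTRY = {
    "hmac-sha256": lambda key, data: hmac.new(key, data, hashlib.sha256).digest(),
    "hmac-sha3-256": lambda key, data: hmac.new(key, data, hashlib.sha3_256).digest(),
}


def register_composite(new_id, *member_ids):
    """Register a hybrid scheme: its tag is the concatenation of every
    member's tag, so verification succeeds only if all members verify."""
    members = [REGISTRY[m] for m in member_ids]
    REGISTRY[new_id] = lambda key, data: b"".join(f(key, data) for f in members)


register_composite("hybrid-sha256-sha3", "hmac-sha256", "hmac-sha3-256")


@dataclass(frozen=True)
class AlgorithmPolicy:
    preferred: str        # used for every newly protected object
    accepted: frozenset   # ids that may still be verified (migration window)

    def __post_init__(self):
        if self.preferred not in self.accepted:
            raise ValueError("preferred algorithm must also be accepted")


def _bind(alg_id: str, message: bytes) -> bytes:
    # Bind the algorithm id into the MAC input so a tag made under one
    # algorithm cannot be relabelled and presented as another.
    return alg_id.encode() + b"\x00" + message


def protect(key: bytes, message: bytes, policy: AlgorithmPolicy) -> str:
    """Produce an envelope for message using the policy's preferred algorithm."""
    if policy.preferred not in REGISTRY:
        raise KeyError(f"preferred algorithm {policy.preferred!r} is not registered")
    tag = REGISTRY[policy.preferred](key, _bind(policy.preferred, message))
    return f"{ENVELOPE_VERSION}:{policy.preferred}:{tag.hex()}"


def verify(key: bytes, message: bytes, envelope: str, policy: AlgorithmPolicy):
    """Return the algorithm id if the envelope is valid under policy, else None."""
    try:
        version, alg_id, tag_hex = envelope.split(":")
        tag = bytes.fromhex(tag_hex)
    except ValueError:          # malformed envelope or bad hex
        return None
    if version != ENVELOPE_VERSION or alg_id not in policy.accepted or alg_id not in REGISTRY:
        return None
    expected = REGISTRY[alg_id](key, _bind(alg_id, message))
    return alg_id if hmac.compare_digest(expected, tag) else None


def migrate(key: bytes, message: bytes, envelope: str, policy: AlgorithmPolicy):
    """Re-protect an object that is valid but not yet on the preferred
    algorithm. Returns the (possibly unchanged) envelope, or None if invalid."""
    alg_id = verify(key, message, envelope, policy)
    if alg_id is None:
        return None
    return envelope if alg_id == policy.preferred else protect(key, message, policy)


# Three policy stages of one migration; only the policy objects change.
POLICY_LEGACY = AlgorithmPolicy("hmac-sha256", frozenset({"hmac-sha256"}))
POLICY_TRANSITION = AlgorithmPolicy("hybrid-sha256-sha3",
                                    frozenset({"hmac-sha256", "hybrid-sha256-sha3"}))
POLICY_TARGET = AlgorithmPolicy("hmac-sha3-256",
                                frozenset({"hybrid-sha256-sha3", "hmac-sha3-256"}))


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-use"   # constructed sample key
    msg = b"ledger entry 42"                     # constructed sample message
    legacy = protect(key, msg, POLICY_LEGACY)
    print("legacy   ", legacy)
    print("transition accepts legacy:", verify(key, msg, legacy, POLICY_TRANSITION))
    hybrid = migrate(key, msg, legacy, POLICY_TRANSITION)
    print("re-tagged", hybrid)
    print("target rejects legacy:", verify(key, msg, legacy, POLICY_TARGET) is None)
```

Two design choices matter here. The algorithm identifier is mixed into the MAC input, so an attacker cannot take a tag computed under a weak scheme and relabel it as a strong one; the same binding is needed whatever primitive is behind the registry. And the hybrid entry is a composite that passes only when every member passes, which is the behaviour you want from a classical+PQC pilot: a break in either component does not silently downgrade the whole object.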

Unfortunately, most companies are far from crypto-agile today. Many cannot even answer the basic question: “What cryptography are we using, and where?” According to the research, a large number of firms have never performed a full cryptographic inventory of their applications and data. This blind spot makes a PQC migration exponentially harder – you can’t secure what you don’t know you have. CISOs should urgently maintain a live cryptographic inventory (as a few forward-thinkers do) that maps out all encryption in use. This inventory is the foundation for crypto-agility: it tells you what to fix, update, or replace when new cryptographic standards arrive.

Vendor and supply chain readiness is another glaring gap. The report highlights that most organizations have not yet brought their suppliers, cloud providers, and technology partners into their quantum-safe planning. Few are asking vendors about PQC support or including PQC requirements in procurement. This is a serious concern – your security is only as strong as the weakest link in your ecosystem. If a critical vendor (say, a software library, cloud platform, or hardware device maker) isn’t prepared to offer quantum-safe encryption, your data could be exposed via that third party. The top-performing organizations – the quantum-safe champions – distinguish themselves here by actively engaging their supply chain: they conduct vendor PQC assessments, insist on crypto-agile product roadmaps, and even work on joint proofs-of-concept with suppliers.

CISOs should take a page from this approach. Start including PQC and crypto-agility clauses in new contracts and RFPs. Ask your vendors about their post-quantum strategy – do they have one? If not, press the issue or explore quantum-safe alternatives down the line. In many cases, vendors themselves are waiting for customer demand to act; by raising the issue now, large enterprises can nudge the whole ecosystem forward. Regulators are certainly not waiting: NIST has already standardized PQC algorithms and urges immediate integration, the U.S. NSA will deprecate RSA/ECC by 2030 and ban them by 2035, and the EU has recommended critical infrastructure begin PQC transitions by end of 2026 (with a 2030 hard deadline). The writing is on the wall – if your partners aren’t preparing, your organization won’t be compliant or secure in time. Supply chain crypto-agility must become a pillar of your overall strategy.

Strategic Recommendations: A Quantum-Safe Roadmap for CISOs

To close the quantum readiness gap, CISOs and cybersecurity leaders should take immediate strategic actions. Based on Capgemini’s findings, here are the top recommendations and actionable takeaways:

  1. Conduct a Quantum Risk Assessment & Crypto Inventory: Assess how quantum-vulnerable your organization’s data and systems are. Inventory all cryptographic assets (keys, certificates, algorithms in use) and map where sensitive data is protected by long-lived encryption. This “crypto baseline” will identify your highest risk areas (e.g. data that needs protection beyond the expected arrival of Q-day). Maintain this inventory as a living document.
  2. Elevate PQC to a Board-Level Priority: Treat post-quantum migration as a strategic, long-term program, not a one-off IT project. Establish governance structures – e.g. a cross-functional steering committee or task force – to keep PQC on the executive agenda. Educate senior leadership on the stakes (using scenarios like harvest-now/decrypt-later impacts) so that you secure buy-in for a multi-year effort. Quantum security should be part of enterprise risk discussions, not just an R&D experiment.
  3. Develop a Roadmap and Budget for Crypto Migration: Don’t wait for the standards to finalize completely – start plotting your migration journey now. Define a high-level roadmap for updating or replacing cryptography in critical systems, aligned with expected timelines from NIST and regulators. Set target dates (for pilot, for hybrid deployments, for full rollout) and earmark budget specifically for PQC activities. Having a board-approved transition plan and dedicated funding is a hallmark of the quantum-safe champions. It also sends a message to your teams (and auditors/regulators) that this is a serious commitment.
  4. Invest in Crypto-Agility Across People, Process, and Technology: Update your cryptographic standards and policies now to be algorithm-agnostic. Wherever possible, deploy solutions that are crypto-agile by design – for example, applications that can easily switch cryptographic libraries or accept larger key sizes, and hardware that supports upgradable firmware for new algorithms. Train your architects and developers on PQC concepts so they can build agility into new systems. Essentially, bake in flexibility so that future cryptographic swaps (PQC or even next-gen classical algorithms) are routine and not disruptive.
  5. Run Post-Quantum Pilots and Trials: Follow the lead of the ~50% of organizations already piloting PQC solutions – start testing quantum-safe algorithms in controlled environments. For instance, experiment with PQC in one domain (such as VPN encryption or internal APIs) to evaluate performance and compatibility. Partner with cloud providers or PQC vendors for pilot programs if needed. Early pilots will surface practical challenges (latency, integration issues, key management changes) now, while you still have time to adjust. They also help build internal expertise. Make sure to pilot not just algorithms, but also crypto-agility processes – e.g. simulate swapping out one PQC algorithm for another to prove you can do so with minimal pain.
  6. Engage and Harden Your Supply Chain: Initiate conversations with all critical technology suppliers about their quantum-safe roadmaps. Integrate PQC readiness into vendor risk management – include it in security questionnaires and contract renewals. Where key vendors (e.g. certificate authorities, database providers, IoT device makers) lack a plan, consider jointly exploring solutions or at least pressuring them for one. Collaborate with industry groups or forums on setting quantum-safe standards for the supply chain. Remember, your organization could do everything right internally and still be exposed through a third-party service that gets cracked. Don’t let your vendors become your weakest link.
  7. Build the “Quantum-Ready” Talent Pipeline: Given the anticipated scramble for experts, start developing your post-quantum talent now. Identify and upskill members of your crypto and security teams in PQC (through training, conferences, or hands-on projects). Recruit advisors or partners with cryptography expertise to guide your strategy. Some leading firms have even created dedicated cryptography or quantum security groups to lead the charge. Whether or not you form a new team, ensure clear ownership of the PQC initiative internally. The goal is to avoid being caught flat-footed when quantum incidents or regulatory deadlines hit – you want people in-house who know how to respond.
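To make recommendation 1 (and the live-inventory point in the crypto-agility section above) concrete, here is an added Python example of my own; it is not code from the article or the Capgemini report. It takes constructed scan records of the kind a discovery tool would emit, classifies each algorithm by quantum-threat family, and ranks records with Mosca's inequality: if the protected data must stay secret for X years and migrating the asset takes Y years, then X + Y greater than Z (the assumed number of years to Q-day) means that data is already exposed to harvest-now/decrypt-later. Signatures are handled separately because they cannot be broken retroactively; the risk there is still relying on them once a quantum computer exists. All asset ids, numbers and the ten-year horizon are assumptions.

```python
"""Cryptographic inventory with harvest-now/decrypt-later prioritisation.

Added example (not from the article or the Capgemini report). Builds a small
inventory from constructed scan records and ranks each record by quantum
exposure. The Q-day horizon is a planning assumption, not a prediction.
"""
from collections import Counter
from dataclasses import dataclass

# Background facts used for classification:
#   - RSA, (EC)DH, (EC)DSA and EdDSA rest on problems Shor's algorithm solves.
#   - Symmetric ciphers and hashes are only weakened by Grover (security level
#     roughly halved), so 128-bit sizes are the marginal ones.
#   - ML-KEM, ML-DSA and SLH-DSA are the NIST PQC standards (FIPS 203/204/205).
SHOR_BROKEN = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519"}
GROVER_MARGINAL = {"AES-128", "SHA-256", "HMAC-SHA256"}
SYMMETRIC_OK = {"AES-256", "CHACHA20-POLY1305", "SHA-384", "SHA-512"}
PQC_PREFIXES = ("ML-KEM", "ML-DSA", "SLH-DSA")

SEVERITY_ORDER = ["critical", "high", "medium", "review", "low", "none"]


@dataclass(frozen=True)
class CryptoAsset:
    asset_id: str            # constructed label, e.g. "vpn-gw-01:443"
    purpose: str             # "key-exchange", "data-at-rest" or "signature"
    algorithm: str           # algorithm name as discovered by the scan
    key_bits: int
    shelf_life_years: float  # X: how long the protected data must stay secret
    migration_years: float   # Y: estimated time to migrate this asset


def classify(algorithm: str) -> str:
    """Map a discovered algorithm name to its quantum-threat family."""
    name = algorithm.upper()
    if name.startswith(PQC_PREFIXES):
        return "pqc"
    if name in SHOR_BROKEN:
        return "shor-broken"
    if name in GROVER_MARGINAL:
        return "grover-marginal"
    if name in SYMMETRIC_OK:
        return "symmetric-ok"
    return "unknown"


def assess(asset: CryptoAsset, years_to_qday: float) -> str:
    """Assign a migration priority to one inventory record."""
    family = classify(asset.algorithm)
    if family in ("pqc", "symmetric-ok"):
        return "none"
    if family == "grover-marginal":
        return "low"        # plan a move to 256-bit sizes; no HNDL exposure
    if family == "unknown":
        return "review"     # manual follow-up: the scanner could not classify it
    # Shor-broken public-key algorithm: the verdict depends on how it is used.
    if asset.purpose in ("key-exchange", "data-at-rest"):
        # Confidentiality: ciphertext captured today stays useful to an
        # attacker, so Mosca's X + Y > Z decides whether HNDL already applies.
        if asset.shelf_life_years + asset.migration_years > years_to_qday:
            return "critical"
        return "medium"
    # Signatures: no retroactive break, but they must be replaced before Q-day.
    if asset.migration_years > years_to_qday:
        return "high"
    return "medium"


def build_inventory(assets, years_to_qday):
    """Return (asset, family, severity) rows, most urgent first."""
    rows = [(a, classify(a.algorithm), assess(a, years_to_qday)) for a in assets]
    rows.sort(key=lambda r: (SEVERITY_ORDER.index(r[2]), r[0].asset_id))
    return rows


def severity_counts(rows):
    return Counter(severity for _, _, severity in rows)


# Constructed scan output standing in for a real discovery tool's results.
SAMPLE_ASSETS = [
    CryptoAsset("vpn-gw-01:443", "key-exchange", "ECDH", 256, 10, 2),
    CryptoAsset("mail-relay:25", "key-exchange", "X25519", 256, 1, 1),
    CryptoAsset("hr-archive-bucket", "data-at-rest", "AES-256", 256, 25, 1),
    CryptoAsset("backup-kms", "data-at-rest", "AES-128", 128, 25, 1),
    CryptoAsset("code-signing-ca", "signature", "RSA", 3072, 0, 3),
    CryptoAsset("iot-firmware-sign", "signature", "ECDSA", 256, 0, 12),
    CryptoAsset("pilot-api:8443", "key-exchange", "ML-KEM-768", 0, 10, 0),
    CryptoAsset("legacy-erp-link", "data-at-rest", "SEED-CBC", 128, 5, 4),
]

ASSUMED_YEARS_TO_QDAY = 10  # assumed planning horizon


if __name__ == "__main__":
    rows = build_inventory(SAMPLE_ASSETS, ASSUMED_YEARS_TO_QDAY)
    for asset, family, severity in rows:
        print(f"{severity:8} {family:15} {asset.asset_id:20} {asset.algorithm}")
    print(dict(severity_counts(rows)))
```

The point the ranking makes is the one the article stresses about harvest-now/decrypt-later: a VPN gateway using ECDH today is the most urgent item not because the key is weak now but because the traffic it protects must stay secret past the horizon, while a code-signing CA on RSA can sit lower as long as its replacement lands before Q-day. Records the scanner cannot classify are surfaced for review rather than silently scored, which is what keeps the inventory honest as a living document.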

Urgency and vigilance underpin all these recommendations.

The bottom line for CISOs: ensuring quantum security is now a core part of your cyber resilience strategy. The organizations that move early – inventorying their cryptography, fortifying systems with crypto-agility, and demanding quantum-safe assurances from vendors – will buy down a massive future risk and even gain a competitive edge (as customers and regulators come to value quantum safety). Those that delay will face a scramble to retrofit security under duress, or worse, suffer breaches of data thought safe. As one section of the Capgemini report was aptly titled, “Time is running out.” The window to prepare for PQC before the quantum storm hits is narrowing.

Quantum Upside & Quantum Risk - Handled

My company - Applied Quantum - helps governments, enterprises, and investors prepare for both the upside and the risk of quantum technologies. We deliver concise board and investor briefings; demystify quantum computing, sensing, and communications; craft national and corporate strategies to capture advantage; and turn plans into delivery. We help you mitigate the quantum risk by executing crypto-inventory, crypto-agility implementation, PQC migration, and broader defenses against the quantum threat. We run vendor due diligence, proof-of-value pilots, standards and policy alignment, workforce training, and procurement support, then oversee implementation across your organization. Contact me if you want help.


Marin

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven consulting firm empowering organizations to seize quantum opportunities and proactively defend against quantum threats. A former quantum entrepreneur, I’ve previously served as a Fortune Global 500 CISO, CTO, Big 4 partner, and leader at Accenture and IBM. Throughout my career, I’ve specialized in managing emerging tech risks, building and leading innovation labs focused on quantum security, AI security, and cyber-kinetic risks for global corporations, governments, and defense agencies. I regularly share insights on quantum technologies and emerging-tech cybersecurity at PostQuantum.com.