Ideas lab
Before you scale AI, fix your foundation
Article
8 Sep 2025
By Paul Savill, Global Network and Edge Practice Leader at Kyndryl
As quantum computing rapidly develops into a disruptive force with the power to revolutionize industries from healthcare to retail, the encryption that underpins the security of global digital infrastructure is at risk.
On the horizon looms “Q-day,” the point when quantum machines — computers that harness the unique science of quantum physics to produce almost unimaginable processing power — will be able to crack today’s cryptography. That means there’s an immediate need to fortify key systems and networks against this oncoming wave of superior technology.
We regularly field questions from large enterprise customers about their mission-critical technology services requirements when it comes to quantum, and it often begins with, “Can we afford to wait?” I recently had the opportunity to join a roundtable — facilitated by The Financial Times in London with Kyndryl, Nokia, and a host of C-suite leaders across insurance, financial services, and other industries — to address these topics and more. Every attendee largely agreed that Q-day will arrive by 2030, which isn’t very far away.
I have summarized a few key points from our discussion below.
Source: Kyndryl Readiness Report 2025, a global survey of C-suite and executives from 21 countries.
What are some proactive steps C-suite leaders and their businesses can take now to prepare for Q-day?
If we consider for a moment that 2030 is only a handful of years away, there are practical steps that may be taken now.
The first is completing a quantum assessment. Identify the risks, categorize the exposures, and classify the findings for prioritization, planning, and budgeting. That includes sorting systems into the following categories:
Infrastructure software that we know isn’t quantum-safe and can’t be made quantum-safe
Infrastructure that can be made quantum-safe with new software updates
Infrastructure that’s quantum-safe now
Our assessments commonly include the classification of systems and services based on data sensitivity — providing a guiding compass as we identify what must be protected, beginning with the most sensitive assets that oftentimes include financial records, health data or intellectual property.
What types of strategic planning and due diligence questions should the C-suite be prepared to address?
While the quantum risk may be a few years ahead, there are strategic and fundamental questions — not just technical ones — that can help translate the threat from a theoretical future into a present-day roadmap. Quantum Assessments are one way to help your leadership team and board manage the conversation. We tackle key considerations, such as:
Which systems and data are most vulnerable to quantum threats? Identifying where sensitive information lives — and assessing its exposure to “harvest now, decrypt later” attacks is a reasonable place to begin.
What is your timeline for migrating to post-quantum cryptography (PQC)? With deadlines like NIST’s 2030 deprecation of current algorithms — a government-mandated phase out of vulnerable cryptography methods — organizations must set realistic, phased transition plans to avoid last-minute scrambles.
Do your current vendors and technologies support quantum-safe standards? Evaluate whether your supply chain and tech stack are aligned with emerging PQC standards, and require compliance certifications going forward.
Who owns quantum risk internally at your company — and is there a governance structure in place? Assign accountability, establish a quantum readiness task force, and embed quantum risk into broader enterprise risk-management strategies.
How agile is our cryptographic infrastructure? Assess your ability to quickly replace vulnerable algorithms. Cryptographic agility is key to staying ahead of evolving threats and standards.
What’s the risk of waiting?
Don’t wait. The time will never be just right. While NIST standards have not been fully published yet, there are sensible investments that may be applied today regardless of future regulatory shifts. Being proactive avoids big and risky budget bubbles later and also the monsoon of work that must follow because these projects can be large and time-consuming, as well as require highly specialized skills.
