Steve Goddard | VP EMEA Marketing
More About This Author >
Steve Goddard | VP EMEA Marketing
More About This Author >
For years, discussions about quantum risk focused on distant possibilities and theoretical timelines. That has all changed.
During the Thales latest Trust Horizon webinar, speakers from industry, academia, and research institutions delivered a consistent message: there is no doubt that quantum computing will impact cybersecurity; the question is whether organizations can prepare quickly enough.
Across the session, experts returned to a challenge. The timeline for when we can expect to see cryptographically relevant quantum computers is beginning to overlap with the timeline for migrating away from vulnerable cryptographic systems.
"Protecting ourselves against new and emerging threats is not a future problem; it's a present responsibility,” argued Lory Thorpe, Quantum Safe Industry Lead and Senior Quantum Ambassador at IBM Research.
It’s this overlap that is turning quantum risk from a future ‘event horizon’ into a present-day business priority.
Dr. Michele Mosca, Professor at the Institute for Quantum Computing at the University of Waterloo, argued that organizations have moved beyond the stage of monitoring developments and waiting for greater certainty.
He said, "Quantum is not really the problem. Quantum showed us the fragility that was already there, thankfully, because now we have a chance to do something about it.”
Mosca reflected on how the conversation has evolved over the past decade. Ten to fifteen years ago, many businesses viewed quantum threats primarily through the lens of long-term confidentiality and "harvest now, decrypt later" attacks. Today, the concern is broader. As advances in fault-tolerant quantum computing continue, the risk increasingly extends to operational disruption and systemic business impact.
He warned that migration timelines and threat timelines are now converging. Governments, standards bodies, and industry groups are already working towards deployment targets that will take us into the next decade. Waiting for certainty before acting risks forcing organizations into rushed migrations that come with a host of new vulnerabilities and operational challenges.
Perhaps most importantly, Mosca reframed the issue entirely, saying, "It's important to understand and communicate to leaders that post quantum readiness is not actually a cryptography problem, it's an enterprise resilience problem.”
He said that rather than focusing exclusively on algorithms, companies need to ask themselves whether they know the impact of a failed cryptographic trust assumption on their business, whether their systems would continue to work if such a failure occurred, and whether there would be a way to recover. "Delaying is not an option anymore,” he added.
Zygmunt Lozinski, Quantum Safe Networks, IBM Research, reinforced this urgency, saying, "Quantum computing is real, it's moving out of the lab, and it's moving into places where you can actually use it.”
Lozinski spoke about investments, accelerated research progress, and government involvement as evidence that quantum computing has moved beyond academia and into other sectors. There were significant investments in quantum infrastructure, along with efforts to develop migration policies and post-quantum cryptography roadmaps.
Importantly, his message was not one of alarm: "Don't panic, plan.”
The focus, he argued, should be on understanding the opportunities and the risks. Quantum computing promises breakthroughs in areas ranging from life sciences and materials engineering to financial modeling.
At the same time, those advances make it vital for businesses to begin preparing for the cryptographic implications now.
Lozinski said a growing number of countries, regulators, and industry bodies are already publishing guidance and migration frameworks.
The challenge for business leaders is ensuring that preparation becomes an owned program rather than an abstract future concern, because “loss of trust scales at light speed.”
Louise Davey, Quantum Readiness Advisor and President of LDIQ, focused on board accountability.
"Failure to act is a failure of fiduciary duty,” she said.
According to Davey, a major reason why many organizations get stuck in the same place is that quantum risk is treated as a technical issue rather than a business one. Talks on algorithms and cryptography do not resonate with the board, but talks on exposure, accountability, timing, and suchlike do.
She says the responsibility lies partly with security and technology leaders themselves: "No board will ignore operational risk to resilience with systemic impacts. They will only ignore poorly framed messages that are delivered in a language they don't understand.”
Her advice was to stop leading with technical details and start focusing on consequences.
She also challenged organizations to stop viewing boards as obstacles: "Nothing will move your organization faster than an engaged, inquiring board.”
When directors understand the true business implications of quantum risk, they can become one of the most powerful accelerators of organizational action. In an environment where migration programs compete with a slew of other priorities, she said board engagement can mean the difference between preparation and procrastination.
The reliance on digital infrastructure has changed the very nature of cybersecurity. The finance industry, health services, telecommunication, transport, and supply chain management were all based on trust in digital infrastructure, Thorpe explained.
That trust, Lory Thorpe warned, cannot be treated as an optional enhancement or compliance exercise: "Security can't be optional, and building resilience can't be optional.”
The emergence of quantum computing is part of a broader reality: security must become a foundational design principle. Organizations that delay building resilience into their infrastructure risk losing the trust that underpins digital transformation itself.
This message resonated with a common theme throughout the session: achieving quantum readiness requires cooperation. Governments, vendors, standards organizations, tech companies, and organizations all have roles to play in achieving a resilient future.
Blair Canavan, Alliances Director for PQC and PKI at Thales, discussed the practical momentum that is already building across the post-quantum ecosystem.
He said quantum readiness should not be viewed as a crisis discussion, but as an opportunity for businesses to better understand their environments, strengthen and modernize their cryptographic foundations, and build on the existing solutions they already rely on.
Canavan argued that many organizations have moved beyond abstract discussion and are now looking inward at what preparation means for their own infrastructure. That includes understanding where cryptography is used, where technical debt has accumulated, and where certificate lifecycle management, key management, and encryption hygiene need to improve.
He added a caveat that the transition will not be as simple as “a flip of the button or a click to transition.” Organizations will need evidence, testing, interoperability, vendor engagement, and a clear view of how new algorithms affect performance and operations.
For Canavan, the near-term priority is measurable progress. “You can do a lot in 90 days,” he said.
That means discovering what exists, validating potential approaches, testing hybrid or pure post-quantum models, and setting practical milestones for the next phase. As he said, 2026 is “a year of action.”
While much of the event focused on strategy and leadership, Robert Burns, Thales Chief Security Officer, concentrated on practical execution.
Using an updated version of Schrödinger's famous quantum superposition experiment, Burns captured the industry's position in a single line: "The experiment's over, the box is open, the cat is alive, and its name is Quantum Safe Crypto.”
For Burns, the question is no longer whether organizations should prepare. Regulatory timelines, market forces, and technology roadmaps are already pushing organizations toward post-quantum cryptography.
His practical methodology revolved around five phases: discovery, planning, testing, deployment, and iteration. Discovery is crucial as organizations cannot safeguard what they do not understand. The discovery phase requires business visibility into their use of encryption, the location of sensitive information, the time period during which the information is relevant and useful, and the extent to which they depend on encryption assumptions.
Burns said it is not necessary to have complete visibility before taking action. Discovery takes time, but that should not stop an organization from doing anything. They should focus on the areas that have the highest risk.
That starts with protecting data in transit against harvest now, decrypt-later threats. It also means identifying keys that are difficult to replace, understanding cryptographic dependencies, and engaging vendors on their post-quantum roadmaps. Vendor readiness, he noted, will be a critical factor because few organizations control every component of their technology stack.
He also stressed that the ultimate aim is not to replace today’s algorithms with newer ones, but to develop crypto agility within organizations so they can adapt to evolving standards and threats.
His final message was reassuring: "We can do this. This is something that's achievable.”
The session also featured a keynote conversation with Brian Cox, a Professor of Particle Physics at the University of Manchester, who provided scientific context for the technology reshaping the cybersecurity environment.
He helped demystify the science behind quantum computing itself. Discussing concepts such as qubits, superposition, and entanglement, he explained why quantum systems are fundamentally different from classical computers.
Unlike a classical bit, which exists as either a zero or a one, a qubit can exist in a combination of both states simultaneously. When multiple qubits become entangled, the amount of information required to describe the system grows exponentially. He said:
If you have 270 physical qubits entangled together, how many numbers do you need to specify that configuration? That number is in excess of 10 to the power 80, which is an interesting number because it's comparable to the number of atoms in the observable universe, in which there are around 2 trillion galaxies.
That extraordinary complexity is what gives quantum computing its potential power. As Cox explained, the goal is not simply to build faster computers, but to harness the same quantum behavior that already governs the natural world.
This is why quantum computing has become such an important cybersecurity issue. More than their speed, quantum computers work differently, using the principles of quantum physics to solve certain mathematical problems in ways that are beyond the reach of classical computers.
Many cryptographic algorithms that protect digital identities, software updates, financial transactions, critical infrastructure, and sensitive data depend on the problems they solve being incredibly difficult to solve. If that assumption changes, so must the cryptography that organizations rely on.
Moving away from the extraordinary mechanics of quantum computing itself, Cox also offered a view on why the technology matters, saying, "Understanding nature at a deeper level leads to tremendous advances.”
According to Cox, quantum computing is yet another instance of humankind learning to harness the fundamental structure of nature. Apart from cybersecurity issues that must be taken into consideration, the technology holds the promise of advancing discovery and creating new capabilities.
His advice for leaders was simple, and a theme that ran throughout the webinar: "The key is to take it seriously.”
To hear the full discussion, including audience questions and deeper insights from the expert panel, watch the Thales Trust Horizon on demand.