Kumar Mehta, Founder and Chief Development Officer, Versa
Most executives are not losing sleep over cryptographic algorithms, and they should not have to. But they should pay attention to what happens when the security assumptions underneath digital business begin to change. That is what makes post-quantum cryptography (PQC) important.
At first glance, PQC sounds like a discussion reserved for mathematicians and researchers. In reality, it is a business continuity issue. Every modern enterprise depends on cryptography to establish trust across networks, applications, devices, cloud platforms and software updates. If that trust model weakens, the consequences extend far beyond IT; they affect operations, customer confidence, regulatory exposure and long-term risk.
The challenge is not that quantum computers are suddenly arriving tomorrow. The challenge is that enterprise migration timelines are measured in years, while attackers can begin collecting encrypted data today. That creates a dangerous asymmetry, where organizations that wait for certainty may discover they waited too long.
Why This Matters Now
Modern security relies on two major forms of cryptography:
1. Symmetric cryptography, such as AES, encrypts large volumes of data efficiently.
2. Public-key cryptography, including RSA and elliptic-curve cryptography, establishes secure sessions, authenticates endpoints and signs software.
Quantum computing primarily threatens the second category. If public-key cryptography becomes breakable, attackers can impersonate services, weaken the handshakes that set up secure sessions and forge signatures that make malicious code look legitimate.
For enterprises running SASE and SD-WAN architectures, this threat is concentrated into a small number of high-value control points. SD-WAN environments rely on encrypted handshakes to establish secure tunnels between branches, cloud gateways and data centers. SASE service edges terminate huge volumes of TLS sessions for secure web access, SaaS access, ZTNA and inspection. Orchestration systems distribute security policy across thousands of distributed edges.
Cryptography is not sitting quietly in the background. It is carrying the trust model of the entire platform.
The Threat Executives Often Overlook
One of the most consequential concepts in PQC is known as harvest now, decrypt later. Attackers do not need a quantum computer today to create future damage. They can capture encrypted traffic now, store it and decrypt it later once quantum capabilities mature.
For organizations handling intellectual property, financial records, healthcare information, legal archives or sensitive product roadmaps, that matters significantly. Many forms of enterprise data retain value for years. And because SASE and SD-WAN route more sensitive traffic over public networks, the value of those captured sessions increases.
The companies most affected may not be the ones breached tomorrow. They may be the ones with historical data that becomes readable years later because migration started too late.
What PQC Actually Protects
At its core, PQC protects the trust scaffolding of digital business. It preserves confidentiality by preventing future attackers from retroactively decrypting captured sessions. It protects authenticity by making it harder to impersonate legitimate systems, gateways or services at scale. And it protects integrity by preserving the validity of digital signatures used to distribute software, enforce policy, and verify updates. For SD-WAN, this protects overlays that carry branch-to-cloud and branch-to-branch traffic. For SASE, it protects user-to-service-edge sessions carrying credentials and sensitive uploads.
That last point deserves particular attention. Code signing is an existential control: it is how you prevent “updates” that are actually malware. In a SASE deployment, one compromised update path can propagate quickly across service edges or endpoint agents. PQC-ready signing (often deployed in hybrid form during transition) reduces the risk of future signature forgery. This is why PQC is increasingly part of supply chain security conversations, not just cryptography discussions.
What PQC-Compliant Should Actually Mean
The term PQC-compliant is already being overused in the market, often without much precision. For enterprises, it should mean four practical things:
1. Alignment to recognized standards rather than proprietary claims. Enterprises need ecosystem consistency across vendors, auditors, governments and partners.
2. Hybrid deployment support during migration. Classical and post-quantum approaches will need to coexist for years while organizations roll upgrades across branches, service edges and endpoint agents.
3. Crypto agility, which is the operational ability to inventory where cryptography lives, swap algorithms cleanly, enforce policy consistently and evolve without disrupting infrastructure.
4. Integration with validated quantum key distribution infrastructure as the broader ecosystem matures.
If a vendor cannot explain specifically where PQC is implemented, how it is enforced and what the upgrade path looks like across TLS, VPN, PKI and code signing, the compliance claim is not credible.
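One way to start the inventory step of crypto agility, shown as an added example that is not from the article or from any vendor: it classifies each cryptographic use by the categories described above and orders the quantum-vulnerable ones for migration. The asset names, the sample inventory and the ordering rule are assumptions made for illustration.

```python
from dataclasses import dataclass

# Classical public-key families: the category the article says quantum computing threatens.
CLASSICAL = ("RSA", "ECDSA", "ECDH", "X25519", "ED25519", "DH")
# NIST-standardized post-quantum families (FIPS 203, 204, 205).
POST_QUANTUM = ("ML-KEM", "ML-DSA", "SLH-DSA")

@dataclass
class Usage:
    asset: str          # where the cryptography lives
    surface: str        # TLS, VPN, PKI or code signing
    role: str           # "key_exchange", "signature" or "bulk"
    algorithms: tuple   # several entries mean a hybrid construction
    secrecy_years: int  # how long the protected data must stay confidential

def _in(name, families):
    return any(name.upper().startswith(f) for f in families)

def classify(u):
    pq = any(_in(a, POST_QUANTUM) for a in u.algorithms)
    classical = any(_in(a, CLASSICAL) for a in u.algorithms)
    if pq and classical:
        return "hybrid"
    if pq:
        return "post-quantum"
    if classical and u.role == "key_exchange":
        return "harvest-now-decrypt-later"   # captured sessions decryptable later
    if classical:
        return "future-forgery"              # signatures forgeable later
    return "not-flagged"                     # symmetric (e.g. AES) or unrecognized

def migration_order(inventory):
    # Assumption of this example: key exchange first (traffic can be captured
    # today), longest-lived data at the top, then signature uses.
    kex = [u for u in inventory if classify(u) == "harvest-now-decrypt-later"]
    sig = [u for u in inventory if classify(u) == "future-forgery"]
    kex.sort(key=lambda u: u.secrecy_years, reverse=True)
    return [u.asset for u in kex + sig]

# Constructed sample inventory, not taken from any real deployment.
INVENTORY = [
    Usage("agent update signing", "code signing", "signature", ("ECDSA-P256",), 0),
    Usage("legacy SaaS proxy", "TLS", "key_exchange", ("RSA-2048",), 3),
    Usage("service-edge TLS", "TLS", "key_exchange", ("X25519", "ML-KEM-768"), 7),
    Usage("branch SD-WAN tunnel", "VPN", "key_exchange", ("ECDH-P256",), 10),
    Usage("tunnel payload", "VPN", "bulk", ("AES-256-GCM",), 10),
]

if __name__ == "__main__":
    for u in INVENTORY:
        print(f"{u.asset:22} {u.surface:13} {classify(u)}")
    print("migrate first:", migration_order(INVENTORY))
```

Anything the tables do not recognize falls into "not-flagged", so extend the family lists before trusting a clean result on a real inventory.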
The Business Takeaway
Quantum is the rare security shift where waiting for certainty can be the wrong move. The threat is not only “when quantum arrives.” The threat is that sensitive data can be collected today while your migration timeline is measured in years. Post-quantum cryptography matters because trust is the foundation of digital business.
This is not simply about advanced mathematics or theoretical computing breakthroughs. It is about protecting the systems enterprises already depend on to operate securely at scale. The organizations that approach PQC early and methodically will treat it as a manageable modernization effort. The organizations that wait too long may face it as a large-scale operational recovery project.
That is why post-quantum cryptography is ultimately a business problem hiding inside a math problem. The math may change first, but the business consequences arrive immediately after.