
Rebecca Krauthamer, CEO and Co-Founder of QuSecure, outlines why 2025 marks an inflection point for post-quantum cryptography. A longtime entrepreneur in quantum computing and AI ethics, Krauthamer previously led Quantum Thought and worked on emerging tech standards, giving her unique insight into innovation and technology.
She explains the rise of “harvest now, decrypt later” threats, the role of cryptographic agility, and the challenges of embedding PQC into existing infrastructures.
Krauthamer also highlights how trust, compliance, and clear buyer criteria are shaping enterprise readiness for quantum-safe encryption.
Vishwa: You describe this moment as an inflection point for post-quantum cryptography (PQC). What has shifted in 2025 that turns enterprise adoption of quantum-safe encryption from an option into a necessity?
Rebecca: The inflection point is clear. Standards are finalized, deadlines are set, and attackers are not waiting. Last year, NIST published the new post-quantum cryptographic standards, and that was effectively the date non-quantum-safe encryption passed its "sell-by date".
From that moment on, the direction of travel was set. Before this, cybersecurity leaders would sometimes debate whether the quantum threat was real or urgent. But standardization ended this discussion, and the quantum-safe migration has become about compliance roadmaps.
Organizations are now taking stock and realizing they’re sitting on a mountain of cryptographic debt that has to be addressed to stay secure and compliant.
The other shift is that the old excuses no longer hold. For years, people said migration would take five years, cost hundreds of millions of dollars, and require armies of cryptographers.
We now know that is not true. Migration can be done faster, with fewer resources, and without ripping out the systems that organizations have carefully built over decades.
Vishwa: The concept of “harvest now, decrypt later” signals a looming collapse of classical cryptography. What scenarios make this threat most urgent for organizations today?
Rebecca: The most urgent scenarios involve data with long-term sensitivity: think healthcare records, financial data, or government communications. Adversaries are already collecting this information, betting on decrypting it when the tools arrive.
This isn’t a new tactic. It’s part of the history of cryptanalysis, and quantum makes the payoff dramatically bigger. That’s why “later” is misleading. For organizations that depend on trust and confidentiality, the threat is already here.
This is why NIST released the new post-quantum cryptography standards long before a known cryptographically relevant quantum computer has come online: to outwit the “harvest now, decrypt later” attack, you do not need a quantum computer to fight a quantum computer.
You just need the NIST-approved quantum-safe encryption algorithms. Organizations that wait for quantum hardware to arrive will already be too late.
Vishwa: Cryptographic agility is central to your approach. What architecture or operational practices must organizations adopt to achieve seamless, on-demand encryption updates?
Rebecca: Crypto-agility is about treating cryptography as an orchestrated service rather than a hidden detail buried in code or infrastructure. The right architecture separates policy from implementation so you can rotate or swap algorithms centrally without rewriting applications or re-engineering networks.
One of the major benefits of decoupling the encryption from the asset itself is that it means you do not have to rip and replace. It is legacy compatible, and it is far less costly and labor intensive than rewriting application code across the whole enterprise or overhauling network infrastructure.
Operationally, crypto-agility means ongoing awareness of where encryption is applied, centralized policy management, and the ability to update instantly when new standards or vulnerabilities emerge. It is the difference between a one-off migration and a durable, future-proof strategy.
Vishwa: You have worked with both public sector and commercial clients. What implementation challenges typically arise when threading PQC into existing infrastructures?
Rebecca: The real challenge is not the new algorithms. Those have already been standardized after more than a decade of work from some of the world’s brightest minds, who have proven them resistant to both classical and quantum attacks.
The challenge is the complexity of existing environments. Enterprises and agencies run a patchwork of legacy systems, cloud platforms, and embedded devices that were never designed for crypto change.
Years ago, we got started with an initial grant from the Air Force, and it became clear immediately that real-world customers need a way to migrate without ripping out systems or disrupting compliance cycles they have invested years and millions of dollars into. That is true across both federal and private sector clients.
The solution is to integrate PQC in a way that is invisible to end users and minimally disruptive to operations. Orchestration allows you to thread PQC through even the messiest infrastructure without tearing it out and starting over.
Vishwa: With quantum-resistant encryption mandates growing, what features should tech buyers demand to ensure long-term and regulatory compliance?
Rebecca: Buyers should insist on three things: alignment with global standards, interoperability with their existing infrastructure, and true agility. Agility means the ability to change course without rebuilding. Compliance rules are already being enforced, and more are coming fast.
Compliance is not static. A solution that cannot adapt will quickly turn into a liability. Adopt crypto-agility that is directly policy-driven. You define a policy, get visibility into what encryption is still outside of that policy, and use that tool to immediately rotate into cryptographic compliance with the ability to export reporting that simplifies compliance auditing.
One of the traps organizations should avoid is running exhaustive discovery and inventories just because they feel that is what they are supposed to do. This migration affects virtually all asymmetric encryption, and organizations already intuitively know where their highest priority systems are.
For example, a multinational bank does not need an exhaustive inventory to realize it will eventually have to adopt post-quantum cryptography to secure the transactions that users carry out on its website or mobile app.
A good accounting of where asymmetric cryptography is used is important, but it should not become a prerequisite to action. What ultimately matters is adopting quantum-safe protections.
Vishwa: Trust is foundational when building with emerging tech. How do you foster enterprise confidence in solutions labeled “quantum-safe,” where benefits are often abstract or future-oriented?
Rebecca: Trust comes from transparency and proof. Organizations do not want abstract promises. They want clarity on where their cryptography stands today and real demonstrations that upgrades can be rolled out without disruption.
There are very simple ways to see whether quantum-safe algorithms are actively protecting a system. A tool should give indisputable proof that that is the case. We have also prioritized our product compliance journey, especially given our depth of work alongside the government.
Going through those intensive compliance cycles builds trust with our customers that we are approved to handle even the most sensitive systems.
Vishwa: With quantum threats advancing, what cybersecurity tools would you recommend for both newcomers and expert practitioners to start addressing encryption risks effectively?
Rebecca: For newcomers, the best first step is not endless analysis but taking concrete action on critical systems that you already know depend on asymmetric cryptography.
The fastest way to do this is through a proxy-based approach, which allows you to secure your first web applications or other network communications quickly without surgery on the application or network infrastructure.
For the most advanced teams, the pattern is similar, but with more scope. They start by migrating their highest impact systems to post-quantum protections and, in parallel, initiate cryptographic discovery.
Choose a tool that integrates discovery, migration, and ongoing visibility.
That discovery validates what has already been protected, informs priorities for the next rollouts, and supports scaling policies across the enterprise. In other words, inventory and visibility are important, but they should accelerate migration, not hold it back.