TL;DR: Post-quantum cryptography has shifted from a future concern to a present resilience problem because harvest now, decrypt later attacks can already expose long-lived data, and most organisations still lack a complete cryptographic inventory, according to Commvault. The real challenge is crypto agility: knowing where cryptography exists, who depends on it, and how to prioritize migration before certainty disappears.
NHIMG editorial — based on content published by Commvault: the STRIVE episode on why post-quantum cryptography preparation should start now
Questions worth separating out
Q: How should organisations start preparing for post-quantum cryptography?
A: Start with discovery, not migration.
Q: Why is harvest now, decrypt later a current risk?
A: Because the attacker does not need quantum capability today to create value from stolen ciphertext.
Q: What gets organisations stuck in PQC planning?
A: The biggest blocker is incomplete visibility into cryptographic dependencies.
Practitioner guidance
- Create a cryptographic inventory across all systems Map certificates, APIs, code signing, cloud services, and third-party platforms to owners, dependencies, and renewal dates so PQC work starts from facts rather than assumptions.
- Prioritise long-lived sensitive data first Classify intellectual property, regulated records, and other information with long retention horizons before deciding which systems need earlier PQC migration.
- Test crypto agility in critical trust paths Validate whether certificates, signing flows, and identity integrations can change algorithms without breaking authentication or service availability.
What's in the full article
Commvault's full episode covers the operational detail this post intentionally leaves for the source:
- The discussion of how to start a PQC programme without waiting for certainty on Q-Day.
- The segment on cryptographic inventory scope across applications, certificates, cloud services, and APIs.
- The explanation of crypto agility and why algorithm change has to be planned as a lifecycle event.
- The episode’s treatment of supplier readiness and how third-party dependencies affect migration timing.
👉 Read Commvault's STRIVE episode on post-quantum cryptography readiness →
Post-quantum cryptography: why discovery is the real blocker?
Explore further
Crypto inventory debt is now the limiting factor in PQC readiness. The article is right to put discovery ahead of replacement because most enterprises do not yet know where cryptography is embedded, much less who owns each dependency. That makes post-quantum planning an inventory and governance exercise before it is an algorithm exercise. Practitioners should treat unknown cryptographic dependencies as an active risk surface, not a documentation gap.
A few things that frame the scale:
- 88% of security professionals are concerned about secrets sprawl, with 49% of those in larger organisations described as "very concerned", according to The 2024 State of Secrets Management Survey.
- Only 44% of organisations are currently using a dedicated secrets management system, which shows how often discovery still precedes disciplined control.
A question worth separating out:
Q: Who should own PQC readiness in an enterprise?
A: PQC readiness is an identity, infrastructure, and risk governance issue, so ownership should be shared across security architecture, platform teams, application owners, and third-party risk. If no one is assigned responsibility for discovery, prioritisation, and migration sequencing, the programme stays theoretical and the organisation carries avoidable exposure.
👉 Read our full editorial: Post-quantum cryptography readiness starts with discovery, not migration