TL;DR: Forty-eight percent of organisations say they are not prepared for post-quantum cryptography, while only 28% have both budget and personnel committed to readiness, according to a Keyfactor survey of 450 security professionals across North America and Europe. The issue is less about algorithms than about governance, inventory, and ownership across identity-linked cryptographic assets.
NHIMG editorial — based on content published by Keyfactor: Inside the First Issue of Digital Trust Digest on post-quantum cryptography
By the numbers:
- 48% of organizations say they are not prepared for PQC.
- 92% claim visibility into their cryptographic assets, but only 47% actively monitor them.
Questions worth separating out
Q: How should security teams start a post-quantum cryptography programme?
A: They should start with a cryptographic inventory that maps certificates, keys, trust chains, signing flows, and external dependencies.
Q: Why do post-quantum projects stall even when the risk is understood?
A: They stall because ownership, budget, and coordination are often unclear.
Q: What is the biggest false confidence signal in PQC readiness?
A: A static inventory without active monitoring creates false confidence.
Practitioner guidance
- Build a cryptographic inventory first: Map certificates, keys, signing services, trust chains, and system dependencies before deciding where PQC migration starts.
- Assign clear programme ownership: Name a single accountable owner for PQC coordination across security, infrastructure, IAM, application teams, and procurement so assessments do not stall between functions.
- Link migration to asset monitoring: Move from static discovery to continuous monitoring of cryptographic assets, especially for certificates and signing workflows that can fail silently during long migration cycles.
What's in the full article
Keyfactor's full blog covers the operational detail this post intentionally leaves for the source:
- Survey breakdowns by readiness, budget, staffing, and monitoring status across North America and Europe.
- The full set of nine article excerpts from the magazine, including ownership, inventory, budgeting, and executive framing.
- The survey methodology and respondent context behind the 450 security professional sample.
- The magazine framing that connects PQC to digital trust, PKI, and identity operations.
PQC readiness gaps: what IAM and security teams need to do
Explore further
PQC readiness is a governance transition, not an algorithm swap. The article shows that most organisations are not blocked by a lack of awareness of quantum risk, but by fragmented ownership, limited budget, and incomplete operational visibility. That combination is a programme design problem, not a cryptography-only problem. The implication is that identity, PKI, infrastructure, and risk teams have to treat PQC as shared governance work, not as a specialist lab exercise.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: Who should own PQC governance in an enterprise programme?
A: PQC governance should be owned by a cross-functional programme with executive accountability, not left to a single technical team. Identity, PKI, security architecture, application owners, and procurement all influence the migration, so the accountable structure has to reflect the full dependency chain.