TL;DR: Nearly half of 450 cybersecurity leaders surveyed said their organisations are not prepared for post-quantum cryptography, and mid-sized firms were even less ready at 56%, according to Keyfactor and Wakefield Research. The real issue is not awareness but governance maturity: organisations are still treating cryptography transition as optional rather than as an identity and trust programme.
NHIMG editorial — based on content published by Keyfactor: Keyfactor finds nearly half of enterprises unprepared for quantum cybersecurity threats
By the numbers:
- Nearly half of organisations (48%) are not prepared to confront the urgent challenges posed by quantum computing.
- Mid-sized organisations are particularly vulnerable, with 56% saying they are not ready.
- Companies that view PQC as a significant undertaking are more than twice as likely to be taking steps now (49%) compared to those that consider the risks to be minor or overstated (24%).
Questions worth separating out
Q: How should security teams prepare for post-quantum cryptography in identity systems?
A: Start by mapping every place public-key cryptography supports authentication, signing, federation, and workload trust.
Q: Why do certificate and trust dependencies make PQC hard to deliver?
A: Because cryptographic algorithms are embedded in many different control points, and those dependencies are often hidden inside applications, appliances, and identity workflows.
Q: What should organisations measure to know if PQC planning is working?
A: Measure discovery completeness, asset ownership, algorithm flexibility, and the number of long-lived trust paths still tied to current public-key schemes.
Practitioner guidance
- Inventory cryptographic dependencies across identity systems: Map where certificates, signatures, federation, and workload trust depend on current public-key algorithms.
- Assign ownership for PQC migration by control domain: Name accountable owners for PKI, IAM, application teams, platform teams, and risk management.
- Test algorithm replacement in long-lived trust flows: Pilot replacement in the systems that cannot fail closed, such as certificate validation, signing pipelines, and federation dependencies.
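One way to turn the inventory and the four measures named above (discovery completeness, asset ownership, algorithm flexibility, long-lived trust paths) into numbers a team can track. This is an added example, not code from Keyfactor or the survey. The asset names, the record fields, the three-year "long-lived" threshold and the metric definitions are all assumptions.

```python
from datetime import date

# Public-key families that Shor's algorithm breaks on a large quantum computer.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "Ed25519"}
LONG_LIVED_DAYS = 3 * 365  # assumption: "long-lived" = valid for more than 3 more years

# Constructed sample inventory; asset names and field layout are hypothetical.
# alg=None marks a known asset whose cryptography has not been discovered yet.
INVENTORY = [
    {"asset": "idp-saml-signing", "alg": "RSA", "not_after": date(2034, 1, 1), "owner": "iam-team", "agile": False},
    {"asset": "internal-root-ca", "alg": "RSA", "not_after": date(2040, 6, 1), "owner": "pki-team", "agile": False},
    {"asset": "workload-mtls-leaf", "alg": "ECDSA", "not_after": date(2025, 9, 1), "owner": "platform", "agile": True},
    {"asset": "code-signing-pipeline", "alg": "ECDSA", "not_after": date(2031, 3, 1), "owner": None, "agile": True},
    {"asset": "vpn-appliance", "alg": None, "not_after": None, "owner": None, "agile": None},
    {"asset": "firmware-signing-pilot", "alg": "ML-DSA", "not_after": date(2035, 1, 1), "owner": "pki-team", "agile": True},
]

def pqc_metrics(inventory, today):
    """Return the four planning measures as fractions (0..1) plus the at-risk asset lists."""
    if not inventory:
        raise ValueError("empty inventory: nothing has been mapped yet")
    discovered = [a for a in inventory if a["alg"] is not None]
    long_lived = [
        a["asset"] for a in discovered
        if a["alg"] in QUANTUM_VULNERABLE
        and (a["not_after"] - today).days > LONG_LIVED_DAYS
    ]
    agile = sum(1 for a in discovered if a["agile"])
    return {
        "discovery_completeness": round(len(discovered) / len(inventory), 2),
        "ownership": round(sum(1 for a in inventory if a["owner"]) / len(inventory), 2),
        # Flexibility is only measurable on assets whose algorithm is known.
        "algorithm_flexibility": round(agile / len(discovered), 2) if discovered else 0.0,
        "long_lived_vulnerable": long_lived,
        # Long-lived, quantum-vulnerable and nobody accountable: the first gap to close.
        "unowned_long_lived": [a["asset"] for a in inventory
                               if a["asset"] in long_lived and not a["owner"]],
    }

if __name__ == "__main__":
    for name, value in pqc_metrics(INVENTORY, today=date(2025, 6, 1)).items():
        print(f"{name}: {value}")
```

An asset with no discovered algorithm lowers discovery completeness without appearing in the at-risk list, so a short at-risk list is only meaningful once completeness is close to 1.0.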
What's in the full report
Keyfactor's full press release covers the survey detail this post intentionally leaves for the source:
- The full respondent breakdown across North America and Europe, including how seniority shaped PQC readiness perceptions.
- The complete list of reported business drivers, such as customer trust, insurance costs, and competitive positioning.
- The article's additional commentary from Keyfactor executives on digital trust and cryptographic transition.
- The direct link to Keyfactor's Digital Trust Digest for readers who need the original survey framing.
PQC readiness gaps: what identity and security teams should do now?
Explore further
PQC readiness is an identity governance problem before it is a cryptography upgrade. Public-key algorithms sit underneath certificates, federation, workload trust, and signed software flows, which means the transition reaches into IAM, PKI, and NHI governance at the same time. Teams that treat it as a security lab exercise will miss the ownership, lifecycle, and dependency questions that actually determine delivery. Practitioners need to plan the cryptographic transition as part of identity operating model change.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who should own post-quantum cryptography readiness across the enterprise?
A: PQC readiness should be owned jointly by security, identity, PKI, platform, and application teams, with clear executive sponsorship. If ownership sits only with security, the migration stalls at inventory and risk assessment. The organisations that move fastest treat PQC as an enterprise trust programme with named operational owners, not a specialist side project.