
Prepping for 'Q-Day': Why Quantum Risk Management Should Start Now

Source: Dark Reading. Archived Apr 15, 2026.

Quantum computers are coming and may impact systems in unexpected ways, and it will "take years to be fully quantum-safe, if ever," cryptography expert warns.



Rob Wright, Senior News Director, Dark Reading
April 15, 2026

Preparing for the post-quantum cryptography (PQC) era is going to take more than a simple migration plan.

That's the advice of cryptography expert Jean-Philippe Aumasson, who co-authored the FIPS 205 stateless hash-based digital signature algorithm (SLH-DSA), a quantum-resistant encryption scheme. Aumasson, who is also co-founder and chief security officer of Taurus SA, will be speaking next week at Black Hat Asia 2026 in Singapore in a session titled "Post-Quantum Cryptography: A Realistic Guide to Manage the Transition."

The session provides an expert's view of quantum computing, which Aumasson emphasizes is not faster computers but ones ideally suited to crack modern encryption standards, and details the problems they will cause for systems using the RSA and Elliptic Curve Digital Signature Algorithm (ECDSA) encryption schemes.

As a result, everything from VPNs and public key infrastructure (PKI) to distributed ledgers could be at risk. The good news is that new PQC standards like SLH-DSA have been developed, and major technology providers like Google and Apple have already begun moving to quantum-safe schemes.

The bad news, however, is that most organizations aren't doing enough to prepare for "Q-Day," Aumasson tells Dark Reading. Based on his consulting experiences with Taurus, he says most organizations aren't doing much for PQC and, at best, have some documentation on the impact of quantum computing attacks and an inventory of vulnerable systems.

"The point I'm making in this presentation is that migration of a moderately large organization is much harder than migrating a small open source product," Aumasson says. "You have to accept that it'll take years to be fully quantum-safe, if ever, so you need a continuous process of systems discovery and inventory, business impact assessment, remediation plans, supply chain management, and so on."

The Case for Continuous Quantum Risk Management

Aumasson in his talk will offer a brief primer on how quantum computers put older encryption schemes at risk, and he'll detail the systems and technologies that are currently vulnerable to attacks. He'll also share options for quantum-safe technologies that organizations can migrate to today, while also giving his own prediction for the earliest possible arrival of Q-Day (Hint: it'll be a while).

But while organizations may have many years to plan for PQC and migrate to newer encryption schemes, the risk management process needs to begin now and, more importantly, be continuous, Aumasson says.

"Many organizations will become more ready without knowing it, just by updating their software versions," he says. "For example, the TLS stack of the Go language now defaults to post-quantum connections, and the Cloudflare Tunnel VPN technology defaults to post-quantum."

But close to PQC-ready isn't fully ready, of course. Aumasson says some of the overlooked areas that could be affected by quantum computers include blockchain technology. There are also cases where a system appears to be quantum-safe but, in fact, is not, he says.

"The typical case is when data is encrypted using symmetric cryptography only like the AES-GCM cipher," Aumasson says. "Such cryptography is, by definition, quantum-safe. However, the encryption key may depend on vulnerable public-key cryptography, either because it's been generated through a vulnerable key agreement protocol, or because it's protected using a vulnerable key wrapping scheme."

These are the kinds of nitty-gritty details that enterprise security teams will have to account for, he says, and why a continuous risk management plan is crucial. New technologies and services will be rolled out that may be quantum-resistant, and cracks may appear in foundations that were thought to be secure.

Trust But Verify Quantum Readiness

In the absence of actual quantum computers to test PQC implementations, how will enterprises know if they are truly ready?

"When a vendor or software component writes in its documentation that it's post-quantum, you should verify what that actually means and how effective it is," Aumasson says. "It could be that only part of the system is post-quantum — for example, in a TLS connection it could be just the key exchange protocol but not the certificate chain — or could be that post-quantum crypto is supported but disabled by default."

Aumasson recommends the following steps that he took in his own company: read the vendor's documentation, ask the engineers if it's enabled, go check the actual configuration files, and then establish a test connection to the system and inspect the logs: "Trust, but verify, as we say."

Additionally, Aumasson says it's important that security teams closely examine their internal systems. While these systems may have lower exposure to external threats and seem less urgent for migration, he says, they'll likely take much longer to update.

"It's, alas, not uncommon that companies run obsolete, vulnerable software or protocols," Aumasson says. "For example, you'll find countless unpatched servers in most organizations, as well as products or services using deprecated cryptography like TLS 1.1 or the hash function SHA-1."

Overall, security teams shouldn't panic. There are many PQC offerings already available that organizations can explore and begin to migrate to, but organizations — especially large enterprises — should start building a plan for continuous quantum risk management now.

"Will every company be ready when Q-Day happens? Probably not," he says. "Does it mean that it'll be a major cybersecurity risk? Probably not. It could be more of a reputation or compliance risk."

But, Aumasson says, it's best not to take that risk.

About the Author

Rob Wright, Senior News Director, Dark Reading

Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.
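The "appears quantum-safe but is not" case described in the article, traced over a small key inventory. This is an added example, not code from the article or from Aumasson's talk: an AES-GCM data key counts as quantum-safe only if every key agreement or key wrapping step it depends on is. The key names, the inventory layout and the two algorithm sets are constructed assumptions.

```python
# Assumed classification for this sketch, not an authoritative registry.
QUANTUM_VULNERABLE = {"RSA-OAEP", "ECDH-P256", "X25519"}
QUANTUM_SAFE = {"AES-256-GCM", "AES-256-KW", "ML-KEM-768", "X25519MLKEM768"}

# Constructed inventory: "alg" is what the key is used with, "via" is how it
# was agreed or wrapped, "parent" is the key that protects it (if any).
INVENTORY = {
    "backup-data-key": {"alg": "AES-256-GCM", "via": "AES-256-KW", "parent": "backup-kek"},
    "backup-kek": {"alg": "AES-256-KW", "via": "RSA-OAEP", "parent": "hsm-rsa-key"},
    "hsm-rsa-key": {"alg": "RSA-OAEP", "via": None, "parent": None},
    "tunnel-session-key": {"alg": "AES-256-GCM", "via": "X25519MLKEM768", "parent": None},
    "legacy-vpn-key": {"alg": "AES-256-GCM", "via": "ECDH-P256", "parent": None},
}


def weak_links(name, inventory, _seen=None):
    """Return (key, algorithm, reason) for each non-quantum-safe step in the chain."""
    seen = _seen if _seen is not None else set()
    if name in seen:  # malformed inventory with a dependency cycle
        return []
    seen.add(name)
    entry = inventory.get(name)
    if entry is None:
        return [(name, None, "missing from inventory")]
    findings = []
    for alg in (entry["alg"], entry["via"]):
        if alg is None:
            continue
        if alg in QUANTUM_VULNERABLE:
            findings.append((name, alg, "quantum-vulnerable"))
        elif alg not in QUANTUM_SAFE:
            findings.append((name, alg, "unclassified, verify"))
    if entry["parent"]:
        findings += weak_links(entry["parent"], inventory, seen)
    return findings


def looks_safe_but_is_not(inventory):
    """Keys whose own cipher is quantum-safe but whose dependency chain is not."""
    return sorted(
        name for name, entry in inventory.items()
        if entry["alg"] in QUANTUM_SAFE and weak_links(name, inventory)
    )


if __name__ == "__main__":
    for key in looks_safe_but_is_not(INVENTORY):
        print(key, weak_links(key, INVENTORY))
```
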