Entrust’s new report, 2026 Global State of Post-Quantum and Cryptographic Security Trends, brings both good and bad news. The good news is that more organizations are aware of the increasingly emerging threat, but the bad news is that fewer are preparing for it.
The survey polled 4.149 senior IT, security, and risk leaders in the United States, United Kingdom, Ireland, Canada, DACH, Indonesia, and Singapore. One key group of findings illustrates that more companies are aware that this is a serious issue:
- 75% of respondents agree that a quantum computer will be able to break traditional public-key cryptography within 5 years; only 12% say it will never happen.
- 50% say a quantum attack would have a serious impact on their organizations or industries;
- 58% say it could result in the loss of access to encrypted critical infrastructure; and
- 59% say it could expose sensitive long-term data, such as health records and trade secrets.
Conversely, other results question how seriously many companies are taking it:
- 38% of global organizations are preparing for PQC, down from 41% last year;
- 44% are building their cryptographic strategy;
- 32% are compiling their cryptographic inventory and/or ensuring organization crypto-agility, down from 38% last year;
- Only 26% of organizations report having a fully implemented crypto-agility strategy, with another 31% having a partially implemented one;
- 41% say limited cryptographic visibility is the main obstacle to post-quantum cryptographic readiness; and
- 68% say managing cryptographic assets such as keys, certificates and secrets is extremely or very difficult.
Certificate lifecycles are virtually disappearing. By the end of this decade, they’ll shrink from the current 398 days to only 47. Less than half (43%) of respondents report full visibility into certificates across their organization, and only 46% use corporate certificate authorities to deploy KPI.
Entrust VP of product development Greg Wetmore said the numbers acknowledge a greater awareness that the post-quantum age is coming sooner than previously thought. That makes it all the more puzzling that fewer are preparing for it.
“That’s scary,” Wetmore said. “The timeline is shrinking and awareness is growing, organizations are struggling to put into practice the work they need to do to make themselves safe from the quantum threat.”
Post-quantum-related risks are many
If there were only one or two reasons behind the post-quantum cryptography gap, companies could solve the problem, but that’s not the case. Wetmore said there is an expertise shortage.
“It’s always been a challenge to manage cryptographic assets,” Wetmore said. “It’s a specialized skillset and organizations have always struggled a little bit with having enough skills in their organization to manage this.”
Another issue is that while most agree the timeline is shortening, they differ on how much. Wetmore said Y2K preparedness succeeded because there was a focused date. There isn’t one here.
That perhaps is reflected in meager budget allocations. Those in charge of post-quantum cryptography preparedness cannot definitively state how much time they have. The C-suite tells them to return when they do.
Proper post-quantum technology is key
Necessary investments go beyond money. A proper strategy includes acquiring effective technology to help manage the shift. That is exponentially more important given the likely in-house expertise shortage. It takes specialized technology to find all cryptographic assets and to automate lifecycle management.
“This can’t be a task where people are using their keyboards or rows of excel spreadsheets to keep track of all this,” Wetmore said. “You need infrastructure that can find your cryptographic assets, control them with policy, and automate the lifecycle management.”
In the midst of this, security staff are contending with shrinking security certificate times. Wetmore called that a significant operational challenge. Combine that with the growing number of devices with cryptographic features. Many organizations may never realize 100% visibility.
Who’s heeding the message?
If companies aren’t taking this seriously enough, is someone not sounding the alarm? Wetmore said organizations such as NIST and the NSA have been warning the industry for years. NIST recently reduced the timeline from 2035 to 2030. Jurisdictions around the globe like Australia, Canada, the European Union and the United Kingdom, are also issuing alerts.
Some are getting the message better than others.
“We’re seeing verticals in strong compliance regimes like financial services where they’re used to dealing with very valuable information…government and finance are two places where we’re seeing the most progress,” Wetmore said. “They’ve been working hard for the past couple of years. Some of them are going to be moving into production on quantum safe technology as early as this year.”
Where to start on the post-quantum journey
Wetmore shared some tips for companies developing a post-quantum cryptography strategy. First focus on inventory; find the items worth protecting. Likely an arduous task, but don’t risk getting stuck by only focusing on that; work on parallel post-quantum technological improvements.
One final issue are the solutions themselves. Many target one specific tranche of the problem like key management. Stop me if you’ve heard this before, but different solutions don’t always work well together.
“One of the technology problems we’re trying to solve is to bring those things together to deliver tools and that work much better together,” Wetmore concluded.