10 tips for starting your PQC journey today

Industry Trends | December 16, 2025

Quantum computing is on the horizon, and it’s set to upend the cryptographic systems that protect our data, communications, and infrastructure. The time to start preparing is now. In this six-part blog series on post-quantum cryptography (PQC), cryptography thought leaders from across F5 will explain what’s at risk, what opportunities lie ahead, and what steps your organization can take today to stay secure in a post-quantum world. The future is closer than you think. Let’s get ready together.

No matter what Tom Petty sang, the waiting is not the hardest part. At least not when it comes to post-quantum cryptography (PQC) readiness.

Getting started is clearly the hardest part. Why? Because you can’t protect what you can’t see, and you can’t migrate what you haven’t mapped. Asking security pros to mobilize for what could be one of the biggest IT threats of our lifetime can trigger anger, denial, maybe even depression, and most of all, inertia.

In this final blog post in our six-part PQC readiness series, we explain why it’s important to get started now, and what steps chief information security officers (CISOs), chief technology officers, and other technology leaders should take.

Most organizations have a long way to go

Q-Day—the anticipated moment when quantum computers become powerful enough to break the public-key encryption that secures today’s digital communications—could happen in 2030 or later. It could happen in 2029 or sooner. We just don’t know when. But it will take time, effort, and leadership to become fully prepared.

Surveys and field research show the call to action hasn’t landed, at least not yet. ISACA’s Pulse of Quantum Computing poll, published in April 2025, found that only 5% of the CISOs responding considered PQC “a high business priority” for the near future.

And as F5 Labs reported in June, uptake of PQC so far is particularly low in some of the most security-sensitive sectors. Only 3% of banking websites support PQC, placing banks among the lowest adopters—even within the financial services sector. Healthcare and government websites are also lagging.

Why it’s critical to plan now

At F5, preparing for a post-quantum world is not a side project. Even with AI investments and issues competing for attention, PQC readiness requires immediate planning and action, plus collaboration, energy, resources, and a clear, sustained focus.

All industries will be affected, but government agencies and regulated industries, including healthcare and financial services, may have higher stakes than others because of the level of personally identifiable information (PII) and personal health information (PHI) they maintain, and most critically, the length of time they need to keep this information secure from eavesdropping.

The nature of “harvest now, decrypt later” attacks means you can no longer keep 20-year secrets with encryption we expect to be broken in less than 10 years.

If there’s one basic rule of thumb, it’s this: The longer you need to keep your secrets, the faster you need to move.

In the past few years, governments have started to map this journey. In the U.S., for example, government agencies face a federal mandate to have their high-priority systems protected by 2030 and all other systems by 2035. While not up against established deadlines, financial services and healthcare companies do have pressure to meet similar compliance timelines.

Likewise, the European Commission and EU Member States recently outlined a roadmap to transition Europe’s digital infrastructure to PQC—including initiating “first steps” by the end of 2026 and securing critical infrastructure no later than 2030.

Agencies and companies need to be ready themselves, and so do their supply chains. The clock is ticking. By 2028, if Q-Day has not yet arrived, many of us will likely be scrambling to get our house in order. Will it be too late?

Get started now: Here’s how

I’ve spent the last several months presenting on PQC readiness to groups of CISOs and security leaders around the world. Despite sounding the warning bells, the responses have been all over the map. Some have told me I’m under-selling the severity of the problem ahead, while at the other end of the spectrum, some know little or nothing about PQC and are skeptical about the need to prepare. Many have been too preoccupied with AI and the “here and now” to give PQC readiness the attention it warrants.

In truth, I think many defenders are missing the main points by focusing narrowly on things like Noisy Qubits and how many of today’s quantum computers can be maintained at room temperature, which distracts from the core message: Technology, whether quantum, AI, or classical, is coming that will be able to break today’s encryption. It’s coming soon, and we believe sooner than many think.

Nation states and criminals are ALREADY harvesting as much encrypted data as possible in anticipation. This is called a “harvest now, decrypt later” attack.
The main defense for an individual company or agency is quantum-resistant encryption. The first set of US standards under NIST was ratified late last year.

Now is the time to get started, if you haven’t already, and the “new normal” target must be crypto-agility, or the ability to quickly update ciphers and cryptographic systems repeatedly as new technologies develop and improve over time.

Defenders will need to exhibit this crypto-agile capability as well as demonstrate that they’re running the approved cryptographic standards that their auditors, regulators, and other regional stakeholders expect.

This is going to become the new normal, and the more quickly you get started, the longer you have to manage the work. At some point it will become very urgent.

It will be good for CIOs, CTOs, and CISOs to have started this work and communicated the need to their stakeholders WELL BEFORE it becomes an emergency we’ve seen coming for 15 years.

Again and again, I tell those I meet with that the time to get started is now. We’re closer to 2030 than we are to 2020, and it’s only going to get harder and more disruptive as time passes.

So where should organizations begin? While there’s a lot to consider, here are some tips to help you get started:

1. Establish your senior quantum team leadership
This isn’t likely to succeed as a “side project for security.” Consider appointing a “Quantum Czar” or other empowered leader to drive organizational focus and accountability for quantum preparedness at the highest levels of your organization. Designating a leader like this sends the message to your organization that this is an imperative business continuity and supply chain management issue rather than a “security side project.”

2. Set the tone and target state early
Explain the ongoing nature of cryptographic agility to your stakeholders. Crypto agility is an organization's capacity to swap out cryptographic algorithms, keys, and protocols quickly and efficiently without disrupting critical operations or the overall infrastructure. The first time will likely be a long-term project. It’s important to communicate the target state and that crypto agility needs to become a business-as-usual, keep-the-lights-on capability. While it took the industry roughly 20 years to move from SHA-1 to SHA-2, we will not have nearly that much time in the future.

3. Secure what’s most critical, loop in risk and compliance teams, and utilize your business continuity plan
Start by securing what’s most critical to reduce exposure without overwhelming resources or compromising performance across your organization. If you have a mature business continuity plan, that may be a good place to start rallying the troops around key systems and data needed for critical operations. This isn’t an easy endeavor. As you begin this journey, you should expect multi-year replacement projects, skillset and documentation gaps, and conflicts from within your company about the top priorities.

4. Insist on supplier readiness and an ecosystem approach
Ensure suppliers are PQC-ready and expect inbound questions from customers, regulators, and insurance carriers starting in 2026. Consulting with industry organizations and leading groups such as FS-ISAC can help lower business-case risk. (FS-ISAC is a not-for-profit organization that advances cybersecurity and resilience among financial institutions globally. It offers a wealth of PQC resources, and there are many other ISACs that cover other critical sectors both inside and outside the U.S.)

5. Embrace the tech debt opportunity
Drive stakeholders and business leaders through the change curve to finally get rid of the unsupportable technology debt that can’t make the cut. If ransomware hasn’t made tech debt come due with interest, quantum computing just might be that catalyst. Make end-to-end visibility and agility, built on centralized approaches like crypto as a service, the new normal for cryptographic assets.

6. Prioritize addressing “harvest now, decrypt later” risk
Adversaries, both nation-state and criminal, are believed to be getting the jump ahead of Q-Day by stealing and storing data they can decrypt later. The longer you need to keep a secret, the more important it is to start there first. Focus early efforts on protecting long-lived sensitive data (IP, financial records, medical data, etc.).

7. Leverage your edge, but centralize for the future
Use existing application delivery controllers and edge platforms to terminate quantum-safe TLS connections, and explore a “Crypto as a Service” approach that centralizes future updates and includes deploying hybrid PQC key-exchange mechanisms (like ML-KEM) at the perimeter.

8. Fund discovery, not just deployment
Prioritize your budgets for a comprehensive cryptographic inventory across all assets—applications, infrastructure, data, and even those “forgotten” IoT/OT devices (yes, HVAC, too). This initial audit will likely reveal more than you expect and is a critical input for reporting, stakeholder management, and project management and delivery scoping and timelines.

9. Clearly convey crypto agility as the target state
It is critical that your stakeholders understand that crypto agility and the need to regularly update ciphers is the new normal, and not a patch. This should be viewed as an evolution to keep pace with a quickening world, not as a defined project where at the end we’ve “solved quantum.” Getting to a sustainable and crypto-agile end state will help tamp down arguments to maintain legacy systems forever, as well as protect you from endless “when will quantum be done?” questions.

10. Prioritize low-hanging fruit, such as TLS 1.3 adoption, for immediate and downstream benefits
Implement TLS 1.3 for stronger security—it doesn’t just prepare you for quantum-safe encryption; it improves your encryption performance today.
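
As an added illustration (not code from F5 or from this series), here is one way the output of the discovery work in tip 8 could be triaged using the rules in tips 6 and 10. The inventory schema, the sample rows, and the 10-year planning horizon are assumptions made for the example; the hybrid group names are the registered TLS 1.3 names for ML-KEM hybrids.

```python
from dataclasses import dataclass

# TLS 1.3 hybrid groups that pair a classical curve with ML-KEM (IANA names).
HYBRID_PQC_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}

@dataclass
class Endpoint:
    """One row of a cryptographic inventory (hypothetical schema)."""
    name: str
    tls_version: str    # "TLSv1.2", "TLSv1.3", ...
    kex_group: str      # negotiated key-exchange group, or "RSA" for RSA key transport
    secrecy_years: int  # how long the data carried must stay confidential

def triage(ep: Endpoint, horizon_years: int = 10):
    """Return (priority, findings). horizon_years is a planning assumption."""
    findings = []
    if ep.tls_version != "TLSv1.3":
        findings.append("move to TLS 1.3")
    if ep.kex_group not in HYBRID_PQC_GROUPS:
        findings.append("classical key exchange")
    if "classical key exchange" not in findings:
        priority = "ok" if not findings else "low"
    elif ep.secrecy_years >= horizon_years:
        priority = "high"    # recorded traffic is still sensitive once it is readable
    else:
        priority = "medium"
    return priority, findings

def migration_order(inventory, horizon_years=10):
    """Sort endpoints: highest priority first, then longest secrecy lifetime."""
    rank = {"high": 0, "medium": 1, "low": 2, "ok": 3}
    rows = [(ep, *triage(ep, horizon_years)) for ep in inventory]
    rows.sort(key=lambda r: (rank[r[1]], -r[0].secrecy_years))
    return [(ep.name, prio, findings) for ep, prio, findings in rows]

# Constructed sample inventory, not real hosts.
SAMPLE = [
    Endpoint("public-web", "TLSv1.3", "X25519MLKEM768", 1),
    Endpoint("patient-records-api", "TLSv1.2", "secp256r1", 20),
    Endpoint("hvac-controller", "TLSv1.2", "RSA", 2),
    Endpoint("loan-archive", "TLSv1.3", "x25519", 25),
]

if __name__ == "__main__":
    for name, prio, findings in migration_order(SAMPLE):
        print(f"{prio:6} {name:20} {', '.join(findings) or 'hybrid PQC in place'}")
```

The ordering puts long-lived data behind classical key exchange first, which is the “longer you need to keep your secrets, the faster you need to move” rule applied to an inventory.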

Quantum computing and AI both hold immense promise for the future, and it’s important that defenders make sure they’re ready to operate in this new and faster world. That means getting started today. Your stakeholders are looking to their technology, risk, and security teams to get items like this on their radar.

As you get started, F5 offers PQC-readiness solutions to support you on this journey.

To learn more, please check out the other blog posts in this series:

Quantum ready: A practical guide to enabling PQC with F5
Apps, networks, and legacy systems in the quantum crosshairs: A CISO’s POV
Understanding PQC standards and timelines
Setting the stage: Why does PQC matter?
Weighing in on the post-quantum cryptography hype


About the Author

Chuck Herrin, Field CISO

Chuck Herrin is a Field CSO with F5.
