Why organisations are delaying post-quantum cryptography migration (and how to fix it)
Banks are not delaying post-quantum cryptography migration because they don’t understand the threat.
They are delaying it because they don’t understand their cryptography.
Let that sink in.
Tom Millar, CEO, Venari
Everyone in cybersecurity is talking about post-quantum cryptography migration.
NIST has published the first standards. Regulators are asking questions. Security teams understand the Harvest Now, Decrypt Later risk — where adversaries collect encrypted data today to decrypt it when quantum capabilities mature.
But inside most organisations, something remarkable happens when post-quantum cryptography reaches the boardroom.
The CISO says:
“We need to start preparing for quantum-safe encryption.”
The CFO asks one simple question:
“What will that cost us?”
And the honest answer is usually:
“We don’t know yet.”
This challenge is not unique. As Tim D Williams highlights in his analysis of systemic underinvestment in emerging technologies, organisations consistently underestimate the cost and complexity of transformation when they lack visibility into what already exists. In the context of post-quantum cryptography migration, this leads to delayed decisions, stalled programmes, and a growing gap between awareness and action.
Why organisations are struggling with post-quantum cryptography migration
This isn’t because security teams lack expertise.
It’s because cryptography has never been managed as an enterprise capability.
Instead, it sits buried across:
- Applications
- APIs
- Certificates
- Identity systems
- HSMs
- Cloud services
- Third-party platforms
In large organisations, there may be millions of cryptographic dependencies.
But almost nobody has a complete inventory.
Which means organisations cannot answer three critical questions for PQC readiness:
- Where is cryptography used?
- Which systems depend on vulnerable algorithms?
- How large is the migration effort?
And if you cannot answer those questions, you cannot build a credible investment case for post-quantum cryptography.
So the transition stalls.
The real blocker: lack of cryptographic visibility
The industry often frames PQC as a cryptographic upgrade.
It isn’t.
It’s a visibility problem first — and a migration problem second.
Before organisations can move to quantum-safe encryption, they must first understand:
- Their cryptographic assets
- Their dependencies
- Their exposure to risk
Without this visibility, every PQC discussion remains theoretical.
With it, migration becomes measurable, prioritised, and executable.
This is why cryptographic discovery and inventory are emerging as the foundation of PQC readiness.
Why post-quantum cryptography is not just an algorithm upgrade
Here is the uncomfortable truth.
Post-quantum cryptography is not an algorithm swap.
It is one of the largest cryptographic infrastructure migrations organisations will ever undertake.
Every system, integration, and dependency that relies on encryption must be evaluated, updated, and validated.
This includes:
- Legacy systems with hardcoded cryptography
- Third-party platforms with opaque dependencies
- Long-lived data that remains vulnerable to future decryption
This is also why the Harvest Now, Decrypt Later threat is so significant – attackers don’t need to break encryption today to create risk tomorrow.
Organisations that make progress in PQC are not starting with algorithms.
How to prepare for post-quantum cryptography migration
A practical approach to post-quantum cryptography migration includes:
1. Discover cryptographic assets
Identify where encryption is used across the organisation
2. Map dependencies
Understand how systems, applications, and services rely on cryptography
3. Assess exposure
Identify vulnerable algorithms and high-risk data
4. Prioritise migration paths
Focus on critical systems and long-lived data first
5. Adopt crypto-agility
Enable the ability to update cryptography without disruption
Without these steps, PQC remains a strategy discussion. With them, it becomes an executable programme.
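Steps 3 and 4 of the list above, sketched as an added example that is not from the original article or from Venari: once an inventory exists, each record can be classified by algorithm family and ranked so that harvestable, long-lived data comes first. The record fields, the scoring weights and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Public-key families broken by Shor's algorithm on a large quantum computer.
QUANTUM_VULNERABLE = {"RSA", "DH", "ECDH", "ECDSA", "DSA", "EDDSA"}
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}  # NIST FIPS 203, 204, 205
# Uses where ciphertext recorded today can be decrypted later.
HARVESTABLE_USES = {"key-exchange", "encryption"}

@dataclass
class CryptoAsset:
    system: str
    algorithm: str        # family name, e.g. "RSA"
    use: str              # "key-exchange", "encryption" or "signature"
    data_life_years: int  # how long the protected data must stay secret
    critical: bool

def exposure(asset):
    """Step 3: classify the asset's algorithm."""
    alg = asset.algorithm.upper()
    if alg in POST_QUANTUM:
        return "post-quantum"
    if alg in QUANTUM_VULNERABLE:
        return "vulnerable"
    return "review"  # symmetric, hash or unknown: assess by hand

def priority(asset):
    """Step 4: assumed scoring, higher means migrate earlier."""
    if exposure(asset) != "vulnerable":
        return 0
    score = 1
    if asset.use in HARVESTABLE_USES:
        score += 2 + min(asset.data_life_years, 15)
    if asset.critical:
        score += 4
    return score

def migration_plan(inventory):
    vulnerable = [a for a in inventory if exposure(a) == "vulnerable"]
    return sorted(vulnerable, key=priority, reverse=True)

INVENTORY = [  # constructed sample records, not real systems
    CryptoAsset("payments-api TLS", "ECDH", "key-exchange", 7, True),
    CryptoAsset("code-signing", "RSA", "signature", 0, True),
    CryptoAsset("archive-backup", "RSA", "encryption", 25, False),
    CryptoAsset("intranet-wiki TLS", "ECDH", "key-exchange", 1, False),
    CryptoAsset("disk-encryption", "AES-256", "encryption", 10, True),
    CryptoAsset("pilot-vpn", "ML-KEM", "key-exchange", 10, True),
]
```

In the sample, archive-backup outranks the business-critical payments API because its data must stay secret longest, and code-signing ranks low because a signature use has no recorded ciphertext to harvest.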
The organisations that will win in the quantum era
The organisations that succeed in the quantum era will not be the ones who adopt new algorithms first.
They will be the ones who finally understand their cryptography.
Because in cybersecurity, one rule never changes:
You cannot secure what you cannot see.
This is exactly the challenge Venari was built to solve – helping organisations discover, understand, and manage cryptographic risk at scale.