Why crypto agility is key to quantum readiness
With quantum computing threatening current encryption standards, experts call for organisations to achieve crypto agility by managing the lifecycle of certificates and cryptographic keys through automation
Quantum computers are expected to become capable of breaking the cryptographic algorithms that secure the world’s digital infrastructure within the next decade. Yet, while awareness of the so-called “Q-Day” is high, many enterprises remain unprepared to mitigate that risk.
According to the newly released 2026 Global state of post-quantum and cryptographic security trends study by Entrust and the Ponemon Institute, nearly half (49%) of Singapore cyber security leaders believe a quantum computer capable of breaking Rivest-Shamir-Adleman (RSA) and elliptic-curve cryptography (ECC) encryption will emerge within just five years.
Despite this, just a third of organisations in Singapore are actively preparing to transition to post-quantum cryptography (PQC) – down from 36% in 2023. Globally, only 38% of organisations report actively preparing for the shift.
“The quantum risk is no longer just a theory,” said Lawrence Tan, head of technical sales consulting for digital security for Asia-Pacific and Japan at Entrust. “These statistics are concerning because they point to the fact that awareness is high, but action is stalling. Most organisations underestimate the scale of the cryptographic transformation that’s required.”
While mainstream commercial quantum computing remains on the horizon, the threat is already here, with state actors starting to harvest encrypted data, Tan warned. “You don’t need to wait for the quantum computer to be able to break encryption to think about migrating,” he said.
Ssu Han Koh, solutions engineering director at CyberArk, which was acquired by Palo Alto Networks in a $25bn deal, echoed this urgency, particularly regarding personally identifiable information (PII).
“Depending on the type of data you have and how long the data is relevant, there’s a big risk because the data is still sensitive years down the road,” Koh said. “If we don’t start looking at it now, it will be a challenge to comply with PII regulations, because the data can be easily recovered or used by bad actors.”
Why certificate management matters
For IT and security teams wondering where to begin their post-quantum journey, there’s already an immediate push to get moving: the shortening lifespan of digital certificates, which contain public keys and verify identities of websites, individuals, devices, servers, applications and services.
Under the new CA/Browser Forum mandates rolling out from March 2026, maximum certificate validity will be progressively reduced from 398 days to just 47 days by 2029. This creates a logistical hurdle for enterprises, but it’s also the first step to achieving quantum readiness.
But how does managing digital certificates prepare organisations for Q-Day? The link lies in the underlying cryptography. Digital certificates rely on mathematical algorithms to authenticate identities and secure communication channels. These algorithms will become obsolete when Q-Day arrives.
And if an organisation is manually tracking its certificates, finding and replacing thousands of vulnerable keys across the entire enterprise with quantum-resistant algorithms will be an impossible task. However, by adopting certificate lifecycle management practices to handle renewal cycles, organisations can achieve what has been dubbed “crypto agility.”
“When certificate lifespans start to get shorter, the workload is going to be many times greater,” Koh said, adding that organisations will have to embrace automation and start thinking about how they manage their certificates, including knowing what certificates they have and where they are.
According to the Entrust study, only 43% of Singapore respondents have full visibility over their certificates, and 62% say managing cryptographic assets is extremely or very difficult.
Tan likened the current state of certificate visibility to an unlabelled cryptography graveyard. “Without knowing when the cryptography was created, who the owners are and other attributes, you won’t know if a key was used to protect critical data or a test environment,” Tan said. “Organisations need to start labelling them to prepare for quantum migration.”
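The visibility and labelling problem described above can be made concrete with a short triage script. This is an added example, not code from the article, Entrust or CyberArk; the inventory records, field names, hostnames and the queue ordering are constructed assumptions, and only the RSA/ECC concern and the 47-day ceiling come from the text.

```python
from datetime import date

# Public-key algorithms a large quantum computer is expected to break (RSA and ECC).
QUANTUM_VULNERABLE = {"RSA", "DSA", "ECDSA", "Ed25519"}
# NIST post-quantum standards (FIPS 203, 204, 205).
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}
MAX_VALIDITY_DAYS = 47  # CA/Browser Forum ceiling for 2029 cited in the article

# Constructed sample inventory: every value below is illustrative.
INVENTORY = [
    {"subject": "payments.example.internal", "algorithm": "RSA",
     "not_before": date(2025, 6, 1), "not_after": date(2026, 7, 4),
     "owner": "payments-team", "environment": "production"},
    {"subject": "build-agent-07.example.internal", "algorithm": "ECDSA",
     "not_before": date(2026, 1, 10), "not_after": date(2026, 2, 20),
     "owner": None, "environment": None},
    {"subject": "pilot-gw.example.internal", "algorithm": "ML-DSA",
     "not_before": date(2026, 1, 5), "not_after": date(2026, 2, 15),
     "owner": "platform-team", "environment": "test"},
]

def triage(cert):
    """Return the list of findings for one inventory record."""
    findings = []
    if cert["algorithm"] in QUANTUM_VULNERABLE:
        findings.append("quantum-vulnerable")
    elif cert["algorithm"] not in POST_QUANTUM:
        findings.append("unknown-algorithm")
    # Simple date difference; long-lived certificates cannot be left to manual renewal.
    if (cert["not_after"] - cert["not_before"]).days > MAX_VALIDITY_DAYS:
        findings.append("validity-exceeds-47-days")
    # Without owner and environment labels the risk of the key cannot be judged.
    if not cert["owner"] or not cert["environment"]:
        findings.append("unlabelled")
    return findings

def migration_queue(inventory):
    """Certificates with findings: unlabelled first, then production (assumed ordering)."""
    rows = [(c, triage(c)) for c in inventory]
    rows = [(c, f) for c, f in rows if f]
    def rank(row):
        cert, findings = row
        return (0 if "unlabelled" in findings else 1,
                0 if cert["environment"] == "production" else 1,
                -len(findings))
    return [(c["subject"], f) for c, f in sorted(rows, key=rank)]

if __name__ == "__main__":
    for subject, findings in migration_queue(INVENTORY):
        print(f"{subject}: {', '.join(findings)}")
```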
The challenge is further compounded by the increasing number of non-human identities and the growing use of microservices and agentic AI, all of which require cryptographic protection.
According to Koh, many enterprises still use manual tools like spreadsheets to manage digital certificates. While some enterprises may loosely track public certificates, they often leave private certificates, secure shell keys, and application programming interface (API) keys entirely unmanaged.
In particular, API keys, often generated by developers to connect to cloud services and applications, must be secured in the same way as passwords with 90-day rotation policies to prevent them from becoming backdoors, Koh added.
Indeed, achieving quantum readiness should not be decoupled from broader security practices, Tan warned. “It’s part of zero trust, and if you don’t have post-quantum readiness, your zero trust framework will not stand. You need to make sure your devices and your entire infrastructure are protected.”
With the US National Institute of Standards and Technology having released post-quantum cryptographic standards, Koh noted that the time to build a responsive, automated cryptographic foundation is now.
“Organisations need to be ready to be crypto agile first. That runway is shortening, and if you are not ready for it, then it can hit you quite fast,” he said.