Will your organisation take the quantum leap in 2026? asks David McNeely, CTO at the identity security product company, Delinea.
Organisations are on the verge of a monumental leap in computational capability as quantum technology gains momentum faster than ever. So much so that the United Nations dubbed 2025 “The Year of Quantum Technology.” For cybersecurity leaders though, this may have felt more like the year of big quantum questions. Facing board pressure on how to embrace this technology, many businesses struggled with cutting through the noise of what’s real and what’s hype when it comes to quantum computing.
On one hand, the potential of quantum computing promises amazing opportunity for innovation. On the other, it’s tormenting security leaders as they try to decide where to invest their attention and address critical security and reputation risks. Not helping the scenario are vendors bombarding security teams with seemingly endless quantum-safe solutions, peddling urgency and doomsday storylines. Many organisations are also resource-constrained and shifting priorities, budget, and attention to other pressing technology issues like AI adoption and cloud resilience.
So, what’s a security leader to do? Where is the balance between acting too late or investing too early? To determine the best path forward, there are three actions that teams can take to build quantum readiness. By looking at where quantum technology currently stands and building a more thoughtful approach, organisations will ensure they are leveraging the best of what it has to offer while safeguarding against real risks.
The state of quantum technology
The global market for quantum technology is expected to reach up to £72 billion by 2035, with revenue from quantum computing alone reaching £51 billion. Many analysts agree that the technology is reaching an inflection point, shifting from theoretical research to tangible, real-world outcomes. Estimates suggest there are between 45 and 130 complete quantum systems deployed for practical applications.
Quantum systems are now commercially available through on-premise installations and cloud platforms through Google, IBM, Honeywell, IonQ, and D-Wave. These systems range from hundreds to thousands of qubits (the quantum computing basic unit), and perform well with specialised tasks like optimisation, artificial intelligence development, and cryptography research. Yet, most experts note that quantum computers capable of cracking heavily used encryption remain several years out.
The action gap in organisations
Even with an uncertain timeline, ubiquitous encryption methods like RSA and ECC are expected to become vulnerable once quantum computers reach meaningful commercial scale. Organisations need to prepare for this day, but the process is far from simple. The market is filled with conflicting guidance on when to act, how far to go, and what investment is really required. Some vendors recommend costly full-scale infrastructure overhauls, while others advocate for immediate migration to post-quantum algorithms that are still being standardised.
Recent research highlights a troubling disconnect in organisational preparedness: 62 per cent of global technology professionals believe that quantum computing could undermine today’s internet encryption standards, however, only 5pc view it as a near-term priority. The same small share says their organisations have a defined plan to address the threat.
This action gap is particularly concerning, given that bad actors are actively capturing encrypted data today with the intention of decrypting it once quantum capabilities mature. Those organisations at increased risk due to managing sensitive long-term data, such as financial institutions, healthcare providers, and government agencies, need to pay close attention, or risk allowing hackers to get the upper hand.
To build a plan for quantum maturity, security leaders should proceed with measured preparedness to avoid costly overreaction. These few focused actions can help organisations strengthen their readiness without disrupting operations.
- Develop organisation-wide quantum security intelligence
No new technology can be successfully managed without employee buy-in and expertise. Organisations should invest early in training initiatives to set the right foundation. In more heavily regulated industries, teams should be encouraged to earn quantum security certifications.
With the speed at which the technology is advancing, teams should also become familiar with the latest post-quantum cryptography research. The National Cyber Security Centre (NCSC) has published guidance on preparing for the transition to post-quantum cryptography, including indicative migration timelines and practical next steps for organisations to prepare. Tracking this work will enable security leaders to understand both the threat horizon and which protections are most viable.
- Establish a quantum governance plan
Security leaders should advocate for crypto agility throughout their organisation to ensure quantum considerations become part of everyday decision-making. When designing or updating systems, leaders should determine how adaptable they will be when quantum-scale threats emerge and what additional investments may be needed to reach that threshold.
Adopting architectures that separate cryptographic components from business logic can help create long-term flexibility. This structure makes it easier to replace or upgrade encryption algorithms without major re-engineering. Automated monitoring, discovery, renewal, and revocation of digital certificates further reduces risk by eliminating manual tracking and enabling faster responses when standards shift. Leaders should also confirm that their new systems will be able to support updates to post-quantum standards and remain compatible with multiple cryptographic approaches in order to avoid being locked into unadaptable vendor systems.
- Assess prioritisation
Perhaps most important is deciding where to act first. Organisations should map their risks and identify which systems need to be prioritised. Mapping takes time but is exponentially beneficial to determine where to act and where to wait.
Some financial institutions are already testing their quantum readiness and determining which targeted updates to their critical systems can be implemented while pausing less urgent migrations. Several European banks successfully moved their payment systems to post-quantum cryptography. This type of targeted approach delivers security improvement within budget constraints and strategically allocates resources.
Quantum safe and quantum ready
Quantum disruption is coming. Readiness built through knowledge, crypto-agility, and thoughtful prioritisation will create organisational resilience now without forcing exorbitant investments later. Implementing these measured actions will allow security leaders to temper the hype and build practical preparedness early at a reasonable cost. Even if quantum computing reaches commercial viability later than expected, strengthened security practices are never something an organisation will regret.
