Prepping for 'Q-Day': Why Quantum Risk Management Should Start Now

Quantum computers are coming and may impact systems in unexpected ways, and it will "take years to be fully quantum-safe, if ever," cryptography expert warns.
Rob Wright, Senior News Director, Dark Reading
April 15, 2026

Preparing for the post-quantum cryptography (PQC) era is going to take more than a simple migration plan.

That's the advice of cryptography expert Jean-Philippe Aumasson, who co-authored the FIPS 205 stateless hash-based digital signature algorithm (SLH-DSA), a quantum-resistant encryption scheme. Aumasson, who is also co-founder and chief security officer of Taurus SA, will be speaking next week at Black Hat Asia 2026 in Singapore in a session titled "Post-Quantum Cryptography: A Realistic Guide to Manage the Transition."

The session provides an expert's view of quantum computing, which Aumasson emphasizes is not faster computers but ones ideally suited to crack modern encryption standards, and details the problems they will cause for systems using the RSA and Elliptic Curve Digital Signature Algorithm (ECDSA) encryption schemes. As a result, everything from VPNs and public key infrastructure (PKI) to distributed ledgers could be at risk.

The good news is that new PQC standards like SLH-DSA have been developed, and major technology providers like Google and Apple have already begun moving to quantum-safe schemes.

The bad news, however, is that most organizations aren't doing enough to prepare for "Q-Day," Aumasson tells Dark Reading. Based on his consulting experiences with Taurus, he says most organizations aren't doing much for PQC and, at best, have some documentation on the impact of quantum computing attacks and an inventory of vulnerable systems.

"The point I'm making in this presentation is that migration of a moderately large organization is much harder than migrating a small open source product," Aumasson says.
"You have to accept that it'll take years to be fully quantum-safe, if ever, so you need a continuous process of systems discovery and inventory, business impact assessment, remediation plans, supply chain management, and so on."

The Case for Continuous Quantum Risk Management

Aumasson in his talk will offer a brief primer on how quantum computers put older encryption schemes at risk, and he'll detail the systems and technologies that are currently vulnerable to attacks. He'll also share options for quantum-safe technologies that organizations can migrate to today, while also giving his own prediction for the earliest possible arrival of Q-Day (Hint: it'll be a while).

But while organizations may have many years to plan for PQC and migrate to newer encryption schemes, the risk management process needs to begin now and, more importantly, be continuous, Aumasson says.

"Many organizations will become more ready without knowing it, just by updating their software versions," he says. "For example, the TLS stack of the Go language now defaults to post-quantum connections, and the Cloudflare Tunnel VPN technology defaults to post-quantum."

But close to PQC-ready isn't fully ready, of course. Aumasson says some of the overlooked areas that could be affected by quantum computers include blockchain technology. There are also cases where a system appears to be quantum-safe but, in fact, is not, he says.

"The typical case is when data is encrypted using symmetric cryptography only like the AES-GCM cipher," Aumasson says. "Such cryptography is, by definition, quantum-safe. However, the encryption key may depend on vulnerable public-key cryptography, either because it's been generated through a vulnerable key agreement protocol, or because it's protected using a vulnerable key wrapping scheme."
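
The hidden dependency described in that quote can be checked mechanically once an inventory records where each key comes from. The Python below is an added example, not code from the article, from Aumasson or from Taurus: it walks each data asset's key chain and reports the first link that is not on a reviewed quantum-safe list. The asset names, the inventory and the reviewed list are constructed assumptions.

```python
"""Added example: trace each data asset's key chain to its weakest link."""
from dataclasses import dataclass

# Assumption: primitives this (hypothetical) organization has reviewed as
# quantum-safe. Anything absent is reported, so unknown algorithms fail closed.
REVIEWED_SAFE = {"AES-256-GCM", "AES-256-KW", "ML-KEM-768"}

@dataclass(frozen=True)
class Asset:
    name: str
    protection: str          # cipher, key-wrap or key-agreement protecting it
    depends_on: tuple = ()   # keys whose compromise exposes this asset

def weak_paths(name, inventory, trail=()):
    """Return every chain from `name` down to a non-reviewed primitive."""
    if name in trail:                      # cycle in a messy inventory
        return []
    trail += (name,)
    labels = [f"{n}[{inventory[n].protection}]" for n in trail if n in inventory]
    if name not in inventory:              # provenance unknown: report it
        return [" -> ".join(labels + [f"{name}[NOT INVENTORIED]"])]
    asset = inventory[name]
    if asset.protection not in REVIEWED_SAFE:
        return [" -> ".join(labels)]
    return [p for dep in asset.depends_on
            for p in weak_paths(dep, inventory, trail)]

def assess(inventory):
    """Map each top-level asset (nothing depends on it) to its weak chains."""
    referenced = {d for a in inventory.values() for d in a.depends_on}
    return {n: weak_paths(n, inventory) for n in inventory if n not in referenced}

# Constructed sample inventory; every name here is made up for illustration.
SAMPLE = {a.name: a for a in (
    Asset("backup-archive", "AES-256-GCM", ("backup-dek",)),
    Asset("backup-dek", "AES-256-KW", ("backup-kek",)),
    Asset("backup-kek", "RSA-OAEP"),        # KEK wrapped under an RSA key
    Asset("vpn-traffic", "AES-256-GCM", ("vpn-session-key",)),
    Asset("vpn-session-key", "ECDH-P256"),  # key agreed over ECDH
    Asset("vault-records", "AES-256-GCM", ("vault-master",)),
    Asset("vault-master", "AES-256-KW"),    # symmetric all the way down
    Asset("mail-store", "AES-256-GCM", ("mail-key",)),
    Asset("mail-key", "ML-KEM-768"),        # key encapsulated with ML-KEM
)}

if __name__ == "__main__":
    for name, paths in assess(SAMPLE).items():
        print(name, "->", paths or "no weak link found")
```

All four data assets are encrypted with AES-GCM, yet two are flagged because the chain ends in RSA or ECDH; a dependency missing from the inventory is reported rather than assumed safe.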

These are the kinds of nitty-gritty details that enterprise security teams will have to account for, he says, and why a continuous risk management plan is crucial. New technologies and services will be rolled out that may be quantum-resistant, and cracks may appear in foundations that were thought to be secure.

Trust But Verify Quantum Readiness

In the absence of actual quantum computers to test PQC implementations, how will enterprises know if they are truly ready?

"When a vendor or software component writes in its documentation that it's post-quantum, you should verify what that actually means and how effective it is," Aumasson says. "It could be that only part of the system is post-quantum — for example, in a TLS connection it could be just the key exchange protocol but not the certificate chain — or could be that post-quantum crypto is supported but disabled by default."

Aumasson recommends the following steps that he took in his own company: read the vendor's documentation, ask the engineers if it's enabled, go check the actual configuration files, and then establish a test connection to the system and inspect the logs: "Trust, but verify, as we say."

Additionally, Aumasson says it's important that security teams closely examine their internal systems. While these systems may have lower exposure to external threats and seem less urgent for migration, he says, they'll likely take much longer to update.

"It's, alas, not uncommon that companies run obsolete, vulnerable software or protocols," Aumasson says. "For example, you'll find countless unpatched servers in most organizations, as well as products or services using deprecated cryptography like TLS 1.1 or the hash function SHA-1."

Overall, security teams shouldn't panic.
There are many PQC offerings already available that organizations can explore and begin to migrate to, but organizations — especially large enterprises — should start building a plan for continuous quantum risk management now.

"Will every company be ready when Q-Day happens? Probably not," he says. "Does it mean that it'll be a major cybersecurity risk? Probably not. It could be more of a reputation or compliance risk."

But, Aumasson says, it's best not to take that risk.

About the Author

Rob Wright, Senior News Director, Dark Reading

Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director.
Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.