Most business leaders have heard about artificial intelligence, cyberattacks and data breaches. Far fewer are preparing for a different kind of technology risk: Q-Day.
Q-Day is the name given to the unknown future date when a sufficiently powerful quantum computer could break much of the public-key cryptography currently used to protect digital systems, communications and information.
No one knows exactly when Q-Day will arrive. It may still be years away.
But that does not mean organizations can afford to wait.
The real challenge is not predicting Q-Day. It is ensuring your organization has identified its risks, updated its systems and completed its transition before quantum computing makes existing cryptography vulnerable.
World Quantum Day and Q-Day are not the same thing
World Quantum Day is observed on 14 April each year to promote awareness and understanding of quantum science and technology.
Q-Day is something different.
It refers to the point at which quantum computers become powerful and reliable enough to break widely used forms of public-key encryption.
These cryptographic methods are embedded throughout the digital world. They help organizations:
- Secure websites and online transactions
- Authenticate users and devices
- Protect communications
- Sign software and digital documents
- Exchange encryption keys
- Verify the identity of systems and services
- Protect sensitive business and customer information
Q-Day would not mean that every form of encryption suddenly stops working.
However, it could make commonly used public-key cryptography, including RSA and elliptic-curve cryptography, vulnerable. Organizations would need to replace affected algorithms, certificates, protocols, applications and devices with quantum-resistant alternatives.
That transition will not happen overnight.
The quantum risk has already started
It is tempting to think that quantum security is a future problem.
However, some of the risk exists today.
Cybercriminals and hostile actors may already be collecting encrypted information with the intention of storing it until quantum technology becomes capable of decrypting it.
This approach is often described as:
Harvest now, decrypt later.
The attacker may not be able to read the information today. But if the information remains valuable for many years, they may be able to access it in the future.
This is particularly important for organizations that hold information requiring long-term confidentiality, such as:
- Personal and identity information
- Health records
- Financial information
- Government information
- Legal documents
- Intellectual property
- Research and development data
- Commercial strategies
- Defence or critical infrastructure information
The key question is not simply:
When will Q-Day happen?
A more useful question is:
How long must our information remain confidential?
If information needs to remain protected for ten, twenty or thirty years, the risk may already be relevant.
The deadline is not Q-Day
Governments, cybersecurity agencies and standards bodies are already preparing for the transition to post-quantum cryptography.
Post-quantum cryptography refers to cryptographic algorithms designed to remain secure against both conventional and quantum computers.
New standards are now available, and organizations are being encouraged to begin planning their migration.
In Australia, the Australian Signals Directorate has advised organizations to plan their transition away from vulnerable forms of asymmetric cryptography by the end of 2030.
For many organizations, that may sound like plenty of time.
But cryptographic migration can be a large and complex program. Cryptography is often deeply embedded within software, cloud platforms, devices, identity systems, supplier products and business processes.
The organization may not even know everywhere it is being used.
The most important message for business leaders is:
The deadline is not the day quantum computers break existing cryptography. The deadline is the date by which your organisation’s migration must be complete.
Quantum readiness begins with visibility
You cannot replace cryptography if you do not know where it is being used.
One of the first steps towards quantum readiness is developing a cryptographic inventory.
This inventory should identify where cryptography is used across the organization, what type is being used, who owns the system and how difficult it may be to replace.
The inventory may include:
- Websites and web applications
- Mobile applications
- APIs and integrations
- Digital certificates
- Encryption keys
- Cloud platforms
- Identity and access-management systems
- Email and messaging systems
- File-transfer services
- Payment systems
- Databases and backups
- Archived information
- Software libraries
- Connected devices
- Operational technology
- Third-party applications
- Supplier-managed systems
This is not simply a technical asset list.
The organization should also understand:
- What information the system handles
- How sensitive that information is
- How long the information must remain protected
- Who is accountable for the system
- Which suppliers are involved
- Whether the system can be upgraded
- When the system is scheduled to be replaced
- What business processes depend upon it
Without this visibility, quantum readiness becomes guesswork.
Q-Day is a governance issue, not only an IT issue
Technology teams will play a major role in implementing post-quantum cryptography.
However, Q-Day is not simply an IT project.
It is an organizational governance issue.
Leadership must decide how the risk will be managed, who will be accountable and which systems should be addressed first.
Boards and senior management should be asking:
- Who owns our quantum-readiness program?
- Where is cryptography used across the organization?
- Which information requires long-term confidentiality?
- Which systems are most critical?
- Which systems cannot easily be upgraded?
- Which suppliers are we dependent upon?
- What is our migration roadmap?
- What resources and budget will be required?
- How will changes be tested and approved?
- How will we demonstrate that the transition was completed correctly?
These questions involve risk, procurement, legal obligations, supplier management, information security, business continuity and operational planning.
That makes Q-Day a management responsibility, not just a technical one.
Your suppliers may determine your readiness
Most organizations do not directly control all the cryptography they rely upon.
Encryption may be embedded within:
- Cloud platforms
- Payment gateways
- Accounting systems
- Customer relationship management software
- Communications platforms
- Operating systems
- Hardware devices
- Security products
- Managed services
- Industry-specific software
Your organization may be ready to act, but its ability to migrate could depend upon its technology suppliers.
Businesses should begin asking suppliers:
What quantum-vulnerable cryptography does your product use, and what is your roadmap for replacing it?
Other useful questions include:
- Are you developing support for post-quantum cryptography?
- Which standards are you following?
- When will upgrades become available?
- Will customers need to replace hardware or software?
- Will the change affect integrations?
- How will the upgrade be tested?
- What support will be provided during migration?
- What evidence will be available to demonstrate compliance?
Over time, quantum-readiness requirements should become part of procurement, supplier reviews, contract renewals and technology-selection processes.
Organizations need crypto-agility
Replacing one cryptographic algorithm with another will not be enough.
Technology, threats and standards will continue to evolve.
Organizations need crypto-agility: the ability to identify, update and replace cryptographic technologies without causing unnecessary disruption.
Crypto-agility requires repeatable processes for:
- Monitoring new security guidance
- Identifying cryptographic assets
- Assessing risks
- Approving new algorithms
- Testing changes
- Managing certificates and keys
- Coordinating with suppliers
- Updating applications and devices
- Recording implementation evidence
- Reviewing the environment regularly
Without crypto-agility, every future cryptographic change becomes another expensive and disruptive emergency project.
With crypto-agility, the organization can respond through an established management process.
An Information Security Management System provides the structure
An Information Security Management System, such as one aligned with ISO 27001, does not automatically make an organization quantum-safe.
However, it provides a strong governance structure for managing the transition.
An effective ISMS helps an organization address quantum readiness through:
- Asset management
- Information classification
- Risk assessment and treatment
- Supplier management
- Change management
- Roles and responsibilities
- Policies and procedures
- Employee competence and training
- Incident management
- Internal audits
- Management review
- Continual improvement
Rather than treating quantum readiness as an isolated technical project, the organization can integrate it into its existing security and governance systems.
This helps ensure that actions are assigned, risks are reviewed, suppliers are followed up, changes are approved and evidence is retained.
Turning quantum readiness into operational action
Knowing that Q-Day may occur is not enough.
Organizations need a practical way to turn the risk into assigned and repeatable work.
Way We Do helps businesses and consultants operationalise management systems by turning requirements into policies, procedures, workflows, registers, responsibilities and evidence.
A quantum-readiness program could include:
- A cryptographic asset register
- A quantum-risk assessment process
- A supplier readiness questionnaire
- A post-quantum migration roadmap
- A technology change-management workflow
- A certificate and key-management procedure
- A scheduled review of cryptographic guidance
- Assigned actions and due dates
- Testing and approval records
- Evidence of completed upgrades
- Management review reporting
For example, a Quantum-Readiness Register could record:
- The system or information asset
- The current cryptography being used
- The type of information being protected
- The required confidentiality period
- The business and technical owners
- Relevant technology suppliers
- The potential quantum vulnerability
- The migration priority
- The supplier’s upgrade roadmap
- The planned completion date
- Testing and approval evidence
This turns quantum readiness from a vague future concern into a managed program of work.
Start before Q-Day arrives
Organizations do not need to panic or immediately replace every cryptographic system.
But they do need to begin.
A practical first step is to identify:
- Where cryptography is being used
- What information is being protected
- How long that information must remain confidential
- Who owns each system
- Which suppliers the organization depends upon
- Which systems will be hardest to upgrade
From there, the organization can assess risk, establish priorities and build a realistic migration roadmap.
No one can say with certainty when Q-Day will arrive.
But waiting for certainty is not a strategy.
You do not need to predict Q-Day. You need a management system that ensures your organization is ready before it arrives.