Post-Quantum Migration Demands Broader Scope Than Anticipated, Experts Warn
Experts emphasize that transitioning to post-quantum cryptography is a vast organizational undertaking, extending far beyond technical implementation to encompass infrastructure, vendor management, and employee education.

The migration to post-quantum cryptography (PQC) represents one of the most significant transformations an enterprise will face, extending far beyond mere technical updates. A panel of cybersecurity experts has cautioned that organizations are consistently underestimating the true scope, complexity, and timeline of this crucial transition, highlighting that it is as much an organizational and governance challenge as it is a technical one.
Marin Ivezic, CEO of Applied Quantum, shared insights from leading PQC migration programs involving over 120,000 individual tasks. Strikingly, only about 30,000 of these tasks directly involved cryptographic elements. The vast majority were dedicated to essential but non-cryptographic activities such as comprehensive asset inventory, rigorous vendor management, detailed regulatory reporting, and extensive team upskilling. This breakdown underscores that the core challenge lies not just in replacing algorithms, but in the foundational work required to understand and manage the entire IT ecosystem.
Gregory Skulmoski, a professor at Bond University, noted that many enterprises are currently lagging in their PQC migration efforts due to competing priorities. The intense focus on implementing and governing artificial intelligence projects, alongside other critical cybersecurity initiatives like zero-trust architecture hardening, has diverted attention and resources. This near-term operational focus makes it difficult for organizations to allocate the necessary strategic bandwidth to prepare for the long-term quantum threat.
Muria Roberts, director at QTM-X Quantum Advisory Indonesia, pointed to a pervasive lack of "organizational hygiene" as a major impediment. She advocates for treating PQC readiness not as an isolated IT project, but as a fundamental issue of cyber hygiene, business resilience, and the integrity of trust infrastructure. This perspective frames PQC migration as a strategic imperative for overall organizational security and continuity.
The experts also delved into critical aspects of PQC readiness, including the continuous nature of cryptographic discovery, establishing a defensible starting point for inventory, and integrating PQC requirements into vendor and procurement processes without turning it into a mere compliance checkbox. They stressed the importance of defining clear ownership for PQC migration programs, identifying governance as the most significant hurdle to overcome.
Ivezic, with decades of experience in cyber and deep tech leadership, has guided numerous quantum risk and readiness initiatives for governments and enterprises. Roberts, a quantum cybersecurity specialist, focuses on translating quantum risks into actionable strategies for executive leadership. Skulmoski brings a project management perspective, drawing on extensive experience in leading complex technical and non-technical projects across diverse global settings.
This collective expertise highlights a critical gap between the perceived effort required for PQC migration and the reality. The transition demands a holistic, strategic approach that integrates technical solutions with robust organizational processes, comprehensive risk management, and a sustained commitment to upskilling and awareness across all levels of an organization. Failure to recognize this broader scope risks leaving critical systems vulnerable to future quantum attacks.