Post-quantum security: Why your data is already at risk today

Chandelier Labs co-founder Eric Prosser on why "hack now, decrypt later" makes quantum security urgent, what the new NIST standards mean for enterprises and how CISOs should start their transition

Brittany Williams


Eric Prosser wants to reframe how cybersecurity leaders think about quantum computing. The threat isn’t some distant hypothetical, he argues — it’s already here, hiding in plain sight.

“If you’re a CISO and you’re focused on timing, you’re focused on the wrong problem,” Prosser tells me. The real issue is what the industry calls “hack now, decrypt later”: adversaries collecting encrypted data today, stockpiling it until quantum computers can crack it open.

Prosser is a former Air Force pilot turned information security professional and MBA. His startup is building what he calls a “phase zero” product — tools to help enterprises map their cryptographic infrastructure before they can even begin transitioning to quantum-resistant algorithms.

Chicago seemed like the natural place to pursue this work. The city has become a significant hub for US quantum research and development, home to two national laboratories, major research universities and the recently launched Illinois Quantum and Microelectronics Park — a multi-billion-dollar investment on the South Side that broke ground in 2025.

Prosser came to Chicago to attend the University of Chicago Booth School of Business, where he and I met as fellow students. Naturally, as an editor, I was fascinated by someone who spoke in algorithms.

In this interview, which is edited for length and clarity, we discussed where the industry actually stands on post-quantum cryptography, why the transition will be harder than most security teams expect and what CISOs should be doing right now.

Brittany Williams: When it comes to quantum computing, what is the problem we face?

Eric Prosser: Most people have heard of quantum advantage, which is this idea that quantum computers can do specific types of computations faster than regular computers built on bits. No one really knows when today’s encryption standards will be broken for good by quantum cryptography. You’re going to hear everything from five years to 50 years.

Shor’s algorithm specifically threatens RSA cryptography and ECC cryptography — two standards that have been around for nearly 40 years. They’ve been the backbone of a lot of our cryptographic structure, and they’re approaching a point of vulnerability that most people in the security space aren’t used to talking about.

The issue facing us today is “hack now, decrypt later,” which means I’m going to start collecting your data and storing it in my own data lakes today, knowing I can’t decrypt it. And when I do get the ability to decrypt it in several years, I’m going to go back through it all and find what’s still time-sensitive.

At an industry level, NIST [the National Institute of Standards and Technology] has been running working groups for more than a decade trying to solve this problem, and they’ve made quite a bit of progress. The good news is we have algorithms to replace the ECC and RSA algorithms today.

They’re published by NIST now — that just happened in the last year or so. Now it’s a question of getting infrastructure, vendor products, code libraries. If you look at those algorithms, it’s literally just a mathematical research paper dropped on the internet. How do we get that into our technology so it’s functioning and doing work for us?

Williams: Where does the cybersecurity industry stand in practical terms? Where are we going to get caught off-guard if we don’t accelerate response?

Prosser: It’s kind of a muddled mess right now. Some enterprises are starting to recognize that this is not going to be an easy transition. Most security experts remember the transition from TLS 1.1 to 1.2, and almost all of them have a nightmare story. Now we’re in the midst of transitioning from TLS 1.2 to 1.3, which is an even bigger nightmare.

Most firms have very poor insight into their cryptographic infrastructure within their network enterprise. They don’t know what cryptographic algorithms they’re using, what internal systems they’re running, how they’re signing certificates, things of that nature. At a company level, phase zero of any cryptographic transition is getting an inventory of your assets.

The product we’re working on is a phase zero product, to help firms map their cryptographic infrastructure and find where they’re sensitive. We help prioritize what that road map is going to look like and where they need to allocate their resources by building a topographical map of the terrain, so to speak, of their cryptographic space. It tells you the blast zones to be really concerned about: if you lose this node, it’s going to be a problem for you.

Williams: Are certain industries going to get there sooner? Where are these vulnerabilities going to be felt first?

Prosser: One of the earliest adopters of post-quantum cryptography is going to be aerospace and defense. They’re handling a lot of government-classified technical data. Probably soon after, you’re going to see finance and energy for similar reasons. They have very strong security connections to our national infrastructure and how our country operates as an apparatus. And I would expect to see healthcare up there too because of the amount of information they’re handling, how sensitive it is, the biometric data — and healthcare information never ages. It’s forever.

Williams: What is this change going to feel like to the people that work in cybersecurity?

Prosser: The basics of public key infrastructure are going to largely remain in place. And people understand that language pretty well.

It’s the architecture within that infrastructure that has to change significantly. And that’s where people entering the space will initially feel overwhelmed, because if you take any large enterprise system in any of the industries we just talked about — healthcare, finance, aerospace, defense — you’re talking thousands and thousands of endpoints, hundreds of internal applications and processes. Some of those things haven’t even been managed in the last five years because people move around in the firm, changes happen and things get put on autopilot. And there’s just a lack of awareness of what’s in their ecosystem; what do they actually need to change?

NIST advocates for crypto agility. We need to start building platforms where people can easily change out parts of their cryptographic infrastructure, whether it be algorithms, keys, certificates, whatever. It’s plug and play. I can take something out and put something else in its place rather quickly.

We need to change the way we approach cryptography. Because, to be honest, the algorithms we’re transitioning to are not battle-tested like RSA and ECC, which have been around for 40 years. Now we’re moving to these new lattice-based algorithms that have been around for about a decade. We’re strongly confident that this is going to work, but there’s awareness in the space too that at some point we’re probably going to need to make this transition again. And when we do, it’s going to behoove us to have the infrastructure in place to help us make that transition again. That’s why while we’re doing it this time, we should think about cryptographic agility.

Williams: If crypto agility is the future, what does the industry look like today?

Prosser: Your firm’s current cryptographic infrastructure is likely siloed into various vendor products. You probably have a lot of unknown cryptographic infrastructure. You can think of it almost like shadow infrastructure operating within your network. Stuff that’s older, hasn’t been updated in a while. You’re also talking about stuff that’s out of your control, like what kind of cryptographic architecture can your browser interact with? What about your network infrastructure, your ISPs? What’s your cloud service provider doing in their cryptographic infrastructure?

I would be skeptical of any enterprise organization that claims to have a comprehensive road map of everything in their enterprise. But the good news is a lot of enterprises are starting to realize that and they’re beginning to build those road maps today.

Williams: Do large companies have this figured out?

Prosser: Nobody has this figured out right now. This is all very novel. The NIST working group has been around for a while. There are several tech players in that working group. But as far as wider industry adoption, this is all new.

Smaller firms in particular demonstrate a lack of awareness. We have seen signs larger firms are beginning this transition, this process of mapping. They’re better resourced for it, they recognize they’re a stronger target and they’re probably going to be the initial firms facing waves of regulatory compliance.

Williams: So where is regulation on this? Is it the Wild West at this point?

Prosser: It is the Wild West. NIST has recommendations out there, but outside of the aerospace and defense sector it’s just a recommendation. There is no enforcement. But we are starting to see movements in Washington that would indicate more rigid compliance is coming down the pipe. The United States government is solidified in its position that they really want this transition to be completed between 2030 and 2035. So they are starting to try and build the momentum to get firms to start to adopt this now. In June 2025, there was an executive order to start enforcing PQC compliance within federal infrastructure.

The industries we talked about earlier, finance, energy, aerospace, defense, and healthcare, are probably going to be the most vulnerable because they already have a ton of regulatory compliance. This is not new to their sectors. Their CISOs are used to working in a highly regulated space. What this is probably going to look like is just an additional flow of requirements that are going to come down to them.

There’s bureaucracy, there’s red tape, there’s legislation that needs to be done, there are committees that need to be appointed. This is not a fast or easy process with compliance. And so when we talk about indications and warnings of what’s going on and when companies should plan their adoption, they really need to be thinking that there’s a strong likelihood that the regulatory compliance is going to be a lagging indicator. Regulatory compliance is going to come and probably enforce the things that the firms are already starting to adopt and do.

Williams: What quantum developments should CISOs focus on in 2026?

Prosser: In the near future, there are three advances to be watching. First would be magnitude-level improvements in qubit stability and coherence. The second is demonstrations of constructing large, low-error arrays of qubits. And the third is breakthroughs in efficiency for fault tolerance and quantum error correction. That’s when you know this threat’s going to come much sooner than people expect.

If you’re a CISO and you’re focused on timing, you’re focused on the wrong problem. The problem is hack now, decrypt later. Your data is already vulnerable today. It’s how quickly you’re going to be able to cover down for it so that you can reduce your exposure in the future.

I would advise CISOs to start your planning now. Start trying to build that map of your organization, getting the tooling together. That is going to be a massive discovery project. Also start looking at your data space. Where is your long-lived data? Where is the stuff that it’s going to be sensitive in 10, 15, maybe even 20 years still? That’s the stuff to secure quicker because it has the longest window of vulnerability.
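The "phase zero" inventory, blast-zone and long-lived-data prioritization that Prosser describes can be sketched as a small triage script. The example below is added to this article and is not Chandelier Labs' product or code: the inventory records, node names, field names and the scoring weight (retention years multiplied by one plus the number of nodes that transitively trust the node) are all constructed for illustration. What it does show is the shape of the exercise: classify each public-key use as Shor-vulnerable (RSA, elliptic-curve, finite-field Diffie-Hellman), already post-quantum (the NIST FIPS 203/204/205 algorithms ML-KEM, ML-DSA, SLH-DSA) or symmetric (not broken by Shor's algorithm), then rank the vulnerable ones by how long their data stays sensitive and how much of the trust graph depends on them.

```python
"""Phase-zero cryptographic inventory triage.

Constructed example: the records, node names, field names and the scoring
weight below are invented for illustration; they are not from any real
inventory tool or from the interviewee's product.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Public-key families that Shor's algorithm breaks, versus the NIST
# post-quantum standards (FIPS 203/204/205) and symmetric primitives.
SHOR_VULNERABLE_PREFIXES = ("RSA", "ECDSA", "ECDH", "EDDSA", "DH")
PQC_PREFIXES = ("ML-KEM", "ML-DSA", "SLH-DSA")
SYMMETRIC_PREFIXES = ("AES", "CHACHA20", "HMAC")


@dataclass
class Node:
    name: str
    algorithm: str                 # e.g. "RSA-2048", "ECDSA-P256", "ML-KEM-768"
    retention_years: int           # how long the protected data stays sensitive
    dependents: List[str] = field(default_factory=list)  # nodes that trust this one


def classify(algorithm: str) -> str:
    """Map an algorithm label to its quantum-risk class."""
    label = algorithm.upper()
    if label.startswith(PQC_PREFIXES):          # checked first: "ML-DSA" also contains "DSA"
        return "pqc-standard"
    if label.startswith(SHOR_VULNERABLE_PREFIXES):
        return "shor-vulnerable"
    if label.startswith(SYMMETRIC_PREFIXES):
        return "symmetric"  # not broken by Shor; key-length review is a separate question
    return "unknown"


def blast_radius(graph: Dict[str, Node], name: str) -> int:
    """Count every node that transitively trusts `name` (its 'blast zone')."""
    seen, stack = set(), list(graph[name].dependents)
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(graph[n].dependents)
    return len(seen)


def triage(nodes: List[Node]) -> List[dict]:
    """Rank nodes: Shor-vulnerable ones first, weighted by data longevity and blast zone.

    The weight (retention_years * (1 + blast_radius)) is an illustrative choice,
    not a published formula. Ties keep inventory order (sorted() is stable).
    """
    graph = {n.name: n for n in nodes}
    rows = []
    for n in nodes:
        status = classify(n.algorithm)
        radius = blast_radius(graph, n.name)
        score = n.retention_years * (1 + radius) if status == "shor-vulnerable" else 0
        rows.append({"name": n.name, "status": status,
                     "blast_radius": radius, "score": score})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed inventory: a CA chain, a healthcare API, a VPN, a backup vault
# and one service already piloting a NIST PQC key-encapsulation algorithm.
INVENTORY = [
    Node("root-ca", "RSA-4096", retention_years=20, dependents=["issuing-ca"]),
    Node("issuing-ca", "ECDSA-P256", retention_years=10,
         dependents=["patient-records-api", "vpn-gateway"]),
    Node("patient-records-api", "RSA-2048", retention_years=25),   # health data "never ages"
    Node("vpn-gateway", "ECDH-P256", retention_years=2),
    Node("backup-vault", "AES-256-GCM", retention_years=25),
    Node("pilot-pqc-service", "ML-KEM-768", retention_years=5),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(f"{row['score']:>4}  {row['status']:<16} blast={row['blast_radius']}  {row['name']}")
```

Run as a script it lists the root CA first (long-lived, three dependents), then the issuing CA, then the patient-records API whose data stays sensitive for decades, with the symmetric vault and the PQC pilot scoring zero. In a real engagement the `INVENTORY` list would be populated by certificate, TLS and code-library discovery rather than typed by hand, and the weight would be tuned to the organization's own view of what "long-lived" and "blast zone" mean.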
