Cybersecurity and Quantum Computing:
A Readiness Guide
Join the Quantum-Safe Summit 2026Palo Alto Networks experts and industry leaders will help you make sense of what the quantum shift means for your organization and where to focus first.
Watch on YouTube
22:15 
Anand Oswal, EVP at Palo Alto Networks, explains the urgent threat that quantum computing poses to global encryption and outlines a practical roadmap to achieve cybersecurity readiness before it's too late, on CXOTalk episode 904.
Related Episodes
Join the Quantum-Safe Summit 2026
Palo Alto Networks experts and industry leaders will help you make sense of what the quantum shift means for your organization and where to focus first.
====
Quantum computing promises breakthroughs across industries, but it also threatens the cryptographic systems that protect business data today. Adversaries know this, and nation-states are already harvesting encrypted corporate data, waiting for quantum computers powerful enough to crack it.
The timeline is unforgiving:
- Cryptographically relevant quantum computers are expected by the end of this decade
- NIST will deprecate current encryption standards by 2030 and disallow them by 2035
- Enterprise cryptographic migrations typically take 5 to 10 years
For organizations starting to prepare today, the margin for delay is thin.
Key Takeaways
The "Harvest Now, Decrypt Later" Risk Is Immediate
Adversaries actively collect encrypted data today, intending to decrypt it once quantum capabilities mature. This strategy places long-term sensitive information, such as financial records and intellectual property, at immediate risk, regardless of current encryption standards.
Organizations face a 5- to 10-year timeline for cryptographic migration, meaning enterprises starting today barely meet upcoming deadlines. Waiting until quantum computers arrive ensures exposure to data breaches and compliance failures. Leaders must treat this as a clear and present danger rather than a theoretical future risk.
Regulatory Mandates Will Force Operational Stoppages
Global standards bodies are expected to officially deprecate widely used algorithms such as RSA and ECC by 2030. Use of these vulnerable methods will be strictly prohibited by 2035, rendering reliance on such systems non-compliant with major security standards.
Failure to transition will result in inoperable business functions, as critical supply chain and finance systems grind to a halt. Governments intend to enforce these standards through severe penalties and legal action for non-compliance. Companies must view cryptographic updates as essential for business continuity rather than simple IT maintenance.
Deploy a Phased Platform Strategy for Readiness
Successful migration requires a comprehensive strategy built on inventory, protection, and acceleration, not isolated point solutions. Security teams must first establish a real-time cryptographic inventory to identify vulnerabilities across cloud workloads and networks.
Integrating quantum-ready hardware will address increased processing demands without sacrificing network throughput or adding latency. As a safeguard for legacy systems, cutting-edge cipher translation technology acts as an intermediary, preventing costly re-architecture. This gradual approach enables organizations to secure communications immediately while updating applications gradually.
Episode Participants
Anand Oswal is the Executive Vice President of Network Security at cybersecurity leader Palo Alto Networks. His team of product managers, engineers and researchers deliver best-in-class enterprise security products and services to help to protect users, applications and infrastructure from cybersecurity threats.
Michael Krigsman is a globally recognized analyst, strategic advisor, and industry commentator known for his deep business transformation, innovation, and leadership expertise. He has presented at industry events worldwide and written extensively on the reasons for IT failures. His work has been referenced in the media over 1,000 times and in more than 50 books and journal articles; his commentary on technology trends and business strategy reaches a global audience.
Related Episodes
In This Episode
Understanding Quantum Computing and Its Threat to Cybersecurity
Michael Krigsman: Quantum computing threatens cybersecurity, including the foundations of encryption itself. With government mandates on the way, the question for business leaders is not whether quantum will happen, but how to prepare.
I'm Michael Krigsman, and I've asked Anand Oswal, Executive Vice President of Network Security at Palo Alto Networks, to walk us through the practical steps organizations can take now to become quantum-ready.
Anand Oswal: A quantum computer uses the principles of quantum mechanics to perform calculations faster than today's computers. Instead of using traditional ones and zeros, these new computers use quantum bits, sometimes called qubits.
Because of a property known as superposition, qubits can be both one and zero at the same time. This allows quantum systems to efficiently solve complex, time-consuming problems that are currently impossible for classic computers.
What business leaders really need to understand is what quantum computing means for cybersecurity.
Michael Krigsman: What's the core security threat that arises from quantum computing?
Anand Oswal: For the last 50 years, our digital world has relied on a foundation of trust built on public key cryptography. This invisible shield protects everything from financial transactions to national secrets and critical infrastructure.
Digital security today relies on complex math, specifically calculations like factoring the product of 2 large prime numbers. These calculations form the basis of widely used public key cryptographic algorithms, and it's incredibly resource-intensive for classical computers.
In the future, a quantum computer will be able to solve this calculation instantly, meaning that traditional encryption and digital signature methods we all have relied on for decades to protect our data will be obsolete.
For many years, the quantum threat had been considered a distant theoretical risk. However, the convergence of AI and quantum research is dramatically accelerating this timeline.
Preparing for the Quantum Threat: Timelines and Risks
Michael Krigsman: Anand, as you talk with customers, what is the general level of awareness of this quantum threat right now?
Anand Oswal: It's a mixed bag, Michael. You have some customers who understand these threats really well, some customers who heard about it, and some customers who have not much awareness. So, it's across the whole spectrum.
We want to make sure that everybody's aware of what's coming with quantum security, and what steps they need to take to get them to quantum safety in their journey.
Michael Krigsman: When will quantum computing arrive in a meaningful way? Are we talking months, years, decades? How real is this?
Anand Oswal: We're no longer talking about decades. We're just a few years away.
With major advancements just in the last year, experts like Gartner, McKinsey, and others estimate that by end of this decade, a cryptographically relevant quantum computer will be capable of breaking the encryption that underpins our global economy.
Governments around the world have already started taking decisive action. The EU Commission has announced plans to launch a quantum-safe communication network by 2030. Some, like CNSA 2.0 mandates, started to take effect in 2025.
These milestones mark the beginning of a global shift towards quantum-resistant security.
Michael Krigsman: What are the implications for security leaders?
Anand Oswal: Let me give you a few examples of what these actions mean.
By 2030, algorithms like RSA and ECC will be officially deprecated. Their use will be discouraged and potentially flagged by many compliance tools.
By 2035, these vulnerable cryptographic algorithms will be officially disallowed for most applications. That's a hard stop. After this date, any system relying on them will be considered non-compliant and fundamentally insecure by the world's largest security standards.
The biggest misconception is that this is only a problem in the future. In reality, companies might already be behind schedule when we consider the reality of migration timelines.
As you know, large-scale cryptographic migrations are notoriously difficult and very time-consuming. Historical data from past transitions show that these can take between 5 to 10 years for a large, complex enterprise to complete. And for legacy applications, and think about IoT and OT devices which have embedded firmware, an upgrade might not be feasible at all.
Additionally, adversaries are not waiting for quantum computers to arrive. Many are already stealing encrypted data today. This means that sensitive information could already be at risk.
In the United States, NIST has finalized new post-quantum cryptographic algorithms to defend against the quantum-enabled threats.
Michael Krigsman: What is the timeline for organizations to comply?
Anand Oswal: Organizations need to start now. I cannot emphasize this enough. They need to start now.
A full cryptographic inventory alone can take them over a year. The window is closing. And as I just mentioned, RSA will be officially deprecated by 2030. It'll be out of compliance by 2035, according to NIST.
It takes years to test, to pilot, to deploy new algorithms across a complex IT estate. As you can see, the timelines are on a collision course. A company starting today would barely have enough time to meet these deadlines. Any delay would put business continuity and a brand's reputation at risk.
Michael Krigsman: Explain the business risk.
Anand Oswal: A failure to meet these deadlines leads to 2 critical impacts.
First, there's an erosion of trust and damage to a company's brand. If a customer or partner discovers that they are not quantum safe, or worse, if a breach occurs and it's revealed that it was enabled by a known deprecated vulnerability, the damage would be irreparable.
The brand would be seen as negligent, their security as outdated, and promises to protect data as empty. This would lead to a loss of customer confidence, a loss of market share, and a significant decrease in shareholder value.
But this isn't just about data breaches. A cryptographic failure can halt business operations entirely. There's also the risk of inoperable systems. Critical business functions, supply chain management, financial transactions, and remote access all rely on cryptography. Without secure algorithms, these systems would grind to a halt.
There are also regulatory penalties to consider. Governments and industry bodies will likely enforce severe penalties for non-compliance with the NIST standards, including fines and legal action.
Finally, there's a risk of compromised intellectual property.
Strategies for Quantum Readiness and Cybersecurity Innovation
Michael Krigsman: Anand, to help us understand the implications of quantum, which are so profound, can you explain the systems that keep information safe today?
Anand Oswal: Today, our most sensitive information, such as personal messages, banking information, and trade secrets, are generally encrypted. Encrypted text messages are a good example.
For the past 50 years, public key cryptography has been the foundational bedrock underpinning protocols, VPN, TLS, and SSH, as well as e-commerce and confidential corporate communication.
This relies on a system that uses one key to encrypt the data and a second key to decrypt it. Without this encryption, all internet traffic would effectively be an open book for bad actors.
Michael Krigsman: What are the consequences if this foundational system of encryption is broken?
Anand Oswal: The consequences are profound.
If a quantum computer can easily decrypt these messages, the cryptographic lockboxes protecting sensitive data are broken wide open. This could lead to data loss at a scale that we have never seen before.
It could compromise financial systems, leak intellectual properties, or expose national security secrets.
Additionally, there's a threat of harvest now and decrypt later that companies must also protect against.
Michael Krigsman: Explain harvest now, decrypt later.
Anand Oswal: The harvest now, decrypt later threat is a profoundly dangerous attack that is already in motion.
Nation-states and other adversaries are quietly and systematically harvesting large amounts of encrypted data. Unfortunately, it doesn't take much skill to harvest encrypted data.
This is an immediate risk for any organization that handles long-term sensitive information, financial records, health data, or intellectual property.
Michael Krigsman: Anand, how is the cybersecurity industry preparing for this massive quantum threat? And what is Palo Alto Networks doing about it?
Anand Oswal: In my conversations with customers and other leaders, quantum is increasingly becoming a top priority. The companies that are best positioned to get ahead of quantum risks are those that have embraced a platform mindset.
It's helpful to take a step to understand how cybersecurity has evolved over the years. In the past, every change in the attack landscape resulted in a massive new project that required more funding, more products, and more expertise to manage it all.
This led to a world where we had more point products. You have customers with 10, 20, 50, hundred, 200 different tools that they're trying to deploy, to configure, to optimize, to operate, and to utilize. It's just not possible. It's too complicated, and you're not going to have enough people who can be experts across all of these tools.
For the past few years, we've been saying that this complexity has brought network security to a breaking point. Too many point products created a tactical challenge, gaps in security, increased expenses, and stressed out teams that made more errors.
But more importantly, the complexity created a strategic challenge. It became too hard to react to new opportunities and threats such as quantum computing.
At Palo Alto Networks, we've designed the network security platform with flexibility that enables companies to remain in lockstep with the pace of business and to stay ahead of the attackers, to reduce their operational costs, and give a better security outcome to their customers.
This gets to the heart of why the network security teams that we have at Palo Alto Networks, what we do. We're working to turn a complex future threat into a concrete, manageable plan for our customers.
Our approach is not yet another single-point solution for quantum. It's a comprehensive platform-based strategy built upon 3 key pillars: discover, protect, accelerate. These innovations are strategically phased to guide customers through their quantum readiness journey, from initial discovery to full-scale and automated defense.
Michael Krigsman: Explain that first pillar, discovery. And I've heard you use the phrase visibility as well in the past.
Anand Oswal: You can only protect something if you know what it is, if you have visibility into it.
So we start with a quantum readiness dashboard to give leaders real-time visibility into the organization's cryptographic risk posture, automatically identifying where legacy encryption is used on cloud workloads, APIs, and network connections, helping to highlight vulnerabilities in cloud-native and AI-driven applications.
The dashboard solves the where do I start problem, and directly tackles the most daunting challenge for security teams, the lack of a comprehensive and complete cryptographic inventory.
Instead of relying on manual audits or expensive professional services for an initial inventory, customers get this capability built right into their existing platforms, allowing for a continuous real-time assessment of their cryptographic posture.
Additionally, visibility lays the groundwork for remediation. Agentic discovery and automation is key to ensure that your inventory remains up-to-date always.
Michael Krigsman: So discovery, visibility are deeply important.
Anand Oswal: Absolutely, Michael. They're very important. You must have a clear understanding of your cryptographic inventory before you can prioritize your risks.
Visibility allows security teams to move from a point where cryptography is a total blind spot to being able to make a clear and actionable plan. They can see which assets are most vulnerable, and more importantly, prioritize those that protect the most sensitive long-lived data.
This data-driven approach helps teams thoughtfully allocate the limited resources they have.
Michael Krigsman: Anand, we've just discussed visibility. What about protect, your second pillar?
Anand Oswal: Post-quantum computing algorithms will have larger keys and more complex computations that can be more resource-intensive.
We recently introduced 14 new models of our next-generation firewall that are specifically engineered to handle the high-performance processing demands of post-quantum cryptography. This new hardware is built to handle the increased load without compromising network throughput or adding significant latency.
It directly addresses a major operational concern for network teams.
Such quantum-ready hardware will help future-proof security investments and promote broader adoption. By investing in hardware that is already optimized for post-quantum cryptography, customers are ensuring that their security infrastructure will be ready to adopt new government standards.
And this avoids the need for a costly hardware refresh down the line when post-quantum cryptography transition reaches its peak.
The assurance of high performance and native post-quantum cryptography support makes a stronger business case for the investment, knowing the change will not negatively impact end-user experience or application performance.
We're working with NIST, with CISA, and other global standard bodies to make sure the solutions that companies deploy today are built for tomorrow.
These product innovations are designed to work in concert with our PAN-OS platform to provide a clear, a practical, and a comprehensive path forward. They demystify a complex problem and offer concrete solutions that help teams take control of their quantum readiness journey.
Quantum-Ready Solutions for Legacy Applications
Michael Krigsman: You said that the third pillar consists of accelerate. Can you explain that?
Anand Oswal: Legacy or custom-built applications, especially those running in a multi-cloud environment, are a major pain point for organizations. Previously, securing these applications would require a costly and time-consuming rearchitecture.
We have developed cipher translation, an industry-first technology that allows an organization to secure the communication to and from legacy applications without a full upgrade, instantly making them quantum-ready.
By acting as an intermediary, it allows for a phased, controlled transition. A company can secure all of its applications with post-quantum cryptography at the network layer first, and then over time, work on updating these individual applications themselves.
This prevents the entire quantum journey from being a single, massive, and disruptive big bang project.
Additionally, it protects and extends the life of existing hardware and software investments, making the quantum transition more financially viable and less disruptive to business operations.
AI and Talent in Quantum Security
Michael Krigsman: Can you overlay AI on top of all of this?
Anand Oswal: AI is an accelerant to everything we do.
If you think of discovery and visibility, we'll use AI internally to ensure that we are able to discover and figure out everything faster and more accurately.
If you want to apply policies for decryption, for quantum, et cetera, you can have AI be an assistant to you to get it done.
And if you want to accelerate, then what should you accelerate, which applications? You're definitely having pieces of AI going to be used across every facet of this journey.
Michael Krigsman: What about talent? How can security teams attract the talent needed to maintain leadership in the face of emerging technology such as quantum computing and, of course, AI?
Anand Oswal: Talent is the ultimate differentiator. Of course, that starts with recruiting. We're actively recruiting for top quantum computing and cryptography programs at universities and research institutions globally. When we can show our commitment to solving the biggest problems in cybersecurity, problems like quantum, it's a powerful draw for top talent.
Next is training and development. Continuous learning is a priority for our existing engineers and product managers. We offer specialized training and certification in post-quantum cryptography to upskill our internal teams. This ensures that the expertise isn't siloed, but is distributed across the wider organization.
And finally, we foster a culture of innovation that encourages curiosity and deep research. We provide our teams with resources and autonomy to work on cutting-edge problems.
Our open collaborations with organizations like Continuum and others on QRNG APIs also provide our engineers with unique opportunities to work with leaders in the quantum space.
Preparing for Quantum Security Challenges
Michael Krigsman: How can companies protect themselves and meet these new government mandates?
Anand Oswal: The first step is discovery. Business and security leaders need cryptographic visibility and inventory across their environment to understand which of the applications, endpoints, infrastructure, and even their partner ecosystem are post-quantum compliant and which are not. We take it one step further and help our customers through guided remediations.
Next, protect. Companies need to adopt quantum-ready hardware that can deliver post-quantum decryption at scale. With crypto agility built right into next-generation firewalls, this enables security as standards evolve.
And finally, accelerate. Most companies have legacy systems that can't just rip and replace. We offer a cipher translation technology that accelerates the path to post-quantum readiness by instantly upgrading any device or application to quantum-safe by simply steering traffic through a Palo Alto Networks firewall.
Michael Krigsman: Anand, what should business and technology leaders do now to prepare for quantum security?
Anand Oswal: The quantum threat to our cryptography has a name, a date, and a measurable business impact. It is no longer a theoretical risk. It's a clear and present danger to brands, business continuity, and customer trust.
Quantum computing will fundamentally transform the way we secure information. The organizations that start preparing now will be the ones that remain trusted and resilient in the years ahead.
This is not about fear. It's about recognizing the challenge, understanding the timeline, and taking the right decisive action.
The bottom line is, you don't have to wait. Quantum-ready hardware and software are available now. Preparing today keeps you compliant, protects your most valuable data, and puts you on a path to staying secure in the post-quantum world.
Michael Krigsman: Anand, thank you for educating us on this extremely important set of issues.
Anand Oswal: Thank you, Michael. Thank you for having me.