
The cybersecurity industry has long grappled with how to prepare for threats on the horizon, and few have seized attention as firmly as quantum computing. The potential for quantum tech to unpick today’s toughest encryption has inspired a raft of reports and advisory notes.
Official guidance from bodies like the NCSC has pushed quantum even higher up the agenda and, as a result, CISOs are increasingly being asked the same question: are we ready for a quantum future?
CEO and Co-founder at ThreatAware.
It is a fair question, because quantum computing will, eventually, force a fundamental shift in how we protect sensitive data. But eventually is the key word. Most credible estimates place that moment in the early to mid-2030s.
While quantum is an attention-grabbing threat, it’s also the latest in an ongoing trend in which we’re in danger of overlooking today’s security fundamentals in favor of focusing on tomorrow’s threats.
It’s true that we can’t afford to ignore futuristic threats entirely; however, this can’t come at the expense of attention to the very real, very preventable breaches happening right now.
After all, almost every major cyber attack over the past decade shared one thing in common: somewhere along the attack chain, there was a gap in basic cyber hygiene.
Separating genuine threat from shiny distraction
Quantum computing is a serious long-term consideration. And on the surface, a meeting about theoretical quantum threats could certainly feel more engaging than one that covers more routine issues like improving EDR deployments and MFA usage.
The cybersecurity industry, and the wider tech industry in general, always has to have an eye on the next big thing. Big data dominated the agenda a few years ago, for example; AI has now taken center stage, and quantum is on the horizon.
Anticipating what’s next is important, but it can’t overshadow the challenges organizations are dealing with right now.
Strategic maturity is not about reacting to the headlines; it is about sequencing risk proportionately.
Before debating how to defend against a machine that does not yet exist at scale, organizations should ask a simpler question: are we confident that we have closed the doors attackers are walking through every day?
Today’s criminals are exploiting basic security failures
While impending threats shouldn’t be ignored entirely, most companies shouldn’t be focusing on them over the rest of their security priorities. For example, more than 97% of identity attacks in 2025 were password-based, and identity-driven attacks surged in the first half of the year.
The average threat actor is carrying out successful attacks by exploiting weak credentials, missing patches and routine configuration failures. They will simply look for the open doors that provide the route in, be it weak MFA enforcement, a lack of EDR or slow patching processes.
Likewise, social engineering remains highly effective because it works, and it will be a long time before smashing encryption with a supercomputer is more cost-effective than manipulating a helpdesk into resetting a password.
Poor cyber hygiene is immediate, measurable and actively being exploited, so closing these gaps today must take precedence.
The illusion of security and why fundamentals still fail
So, if these threats are so familiar, why do they continue to succeed?
The biggest issue is that many organizations still don’t have clarity over how secure their environments actually are. Security dashboards may report high coverage for endpoint detection or multi-factor authentication, yet few teams can state with confidence how many devices or identities should be protected in the first place.
“You can’t secure what you can’t see” is a well-worn phrase in the security industry, but it’s still painfully relevant.
For example, when we assess IT environments for the first time, it’s common to see endpoint agents marked as active even though they have silently failed. Patches are delayed due to another operational priority, and access exceptions are granted to senior staff for convenience.
These small compromises accumulate into systemic exposure.
The result is a dangerous illusion of security: an estate that appears well-controlled on paper but contains unmanaged devices, dormant accounts, and misconfigurations beneath the surface.
Where CISOs should focus instead
If security leaders want to reduce real-world risk, the starting point is not speculative post-quantum cryptography, but the disciplined execution of the controls we already know prevent breaches.
The first priority is to make breach prevention measurable. Every organization should be able to state, with evidence, whether MFA is enforced across all user accounts, whether endpoint detection is deployed on every in-scope device, and whether critical patches are applied within defined timeframes.
If you cannot measure it accurately, you cannot manage it effectively.
Second, eliminate blind spots. Asset inventories should reflect what devices are connected and accessing corporate systems on an ongoing basis, not what was recorded during the last audit, while controls must be validated as functioning, not merely installed.
A single unmanaged device or stale account can undermine millions of pounds spent on advanced tooling.
Finally, prevention needs to be elevated to board level. Boards should not only ask how quickly incidents are detected, but how consistently exposure is being reduced. Prevention performance should be reported with the same rigor as financial metrics.
Only once these foundations are demonstrably in place does it make sense to devote significant attention to the next wave of cryptographic change.
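The measurement described above, as an added example that is not part of the original article: EDR coverage is computed against every device seen accessing corporate systems rather than against the console's own agent list, and agents marked active but silent are counted as failed. The hostnames, both data sets and the three-day check-in threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

NOW = datetime(2025, 6, 30, 12, 0)   # fixed so the constructed sample is reproducible
MAX_SILENCE = timedelta(days=3)      # assumed threshold for a "functioning" agent

# Constructed sample: devices seen signing in to corporate systems (the real denominator).
SIGN_IN_DEVICES = {"lt-001", "lt-002", "lt-003", "lt-004", "srv-01", "byod-77"}

# Constructed sample: EDR console export, hostname -> (console status, last check-in).
EDR_AGENTS = {
    "lt-001": ("active", datetime(2025, 6, 30, 9, 0)),
    "lt-002": ("active", datetime(2025, 6, 29, 22, 0)),
    "lt-003": ("active", datetime(2025, 5, 12, 8, 0)),   # marked active, silent for weeks
    "lt-004": ("active", datetime(2025, 6, 30, 11, 0)),
    "srv-01": ("disabled", datetime(2025, 6, 30, 10, 0)),
}

def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100 * part / whole, 1) if whole else 0.0

def edr_coverage(sign_in_devices, agents, now=NOW, max_silence=MAX_SILENCE):
    """Compare the console's own coverage figure with coverage measured
    against every device that actually accesses corporate systems."""
    in_scope = set(sign_in_devices)
    known = set(agents)
    marked_active = {h for h, (status, _) in agents.items() if status == "active"}
    # An agent only counts if it is marked active AND has checked in recently.
    healthy = {h for h in marked_active if now - agents[h][1] <= max_silence}
    return {
        "reported_pct": pct(len(marked_active), len(known)),       # dashboard view
        "measured_pct": pct(len(healthy & in_scope), len(in_scope)),
        "silently_failed": sorted(marked_active - healthy),
        "unmanaged": sorted(in_scope - known),                     # no agent at all
        "not_active": sorted((in_scope & known) - marked_active),
    }

if __name__ == "__main__":
    for key, value in edr_coverage(SIGN_IN_DEVICES, EDR_AGENTS).items():
        print(f"{key}: {value}")
```

The same comparison applies to MFA enforcement and patch timeframes: take the denominator from what is actually connecting, not from the tool being measured.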
Plan for the future but do not lose focus
None of this is an argument for ignoring future risks. Sensible preparation is essential, and there are multiple steps to take today.
Organizations should identify where cryptography is embedded across their systems, understand data retention timelines and monitor for guidance from standards bodies and government agencies.
Discovery and roadmap planning now will make the eventual migration far smoother, and these steps also boost security against current threats.
Security leadership is ultimately about proportionality. While there is concern about ‘harvest now, decrypt later’ tactics from advanced actors preparing for quantum capabilities, they are still collecting data using the same familiar tactics.
It stands to reason: they are exploiting overlooked accounts, unprotected endpoints and basic process failures. The next wave of breaches in the months and years ahead is far more likely to stem from risks that were visible, measurable and preventable all along.
This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit




