And when it comes to a future that is not too far away (we are talking about 10 years or less!), a real threat that besets our road ahead is none other than quantum computing. While quantum is still considered an ‘infant’ at this point - sensing that the technology is not expected to be ready anytime soon - however, the danger that it poses looms large. As cybersecurity threat actors are actively harvesting digitally encrypted content now, the idea for them is to decrypt the data later when quantum computing becomes much more advanced.
PQC, key obstacles and navigational solutions
While there are many solutions put forward, the only real potential of disabling that possibility is through Post-Quantum Cryptography (PQC) – a quantum-safe solution that can ably protect our critical assets and data against quantum decryption in future. But the power lies in our hands to do something about this. Having PQC integrated into an organization’s SD-WAN architecture, for example, makes the infrastructure and its control and data planes quantum-safe, ensuring the way sites connect, authenticate, and exchange keys to remain secure. In fact, the benefit of having PQC integrated into SD-WAN is that it future-proofs the entire WAN, not just individual tunnels.
What customers get is a single, centrally managed, quantum-resilient WAN that can evolve as standards change and thereby earn their trust that sensitive data moving cross-organizations, the cloud, and data centers remain secure, even against the threat of quantum computing. Despite the public availability of resources and conversations circulating around quantum computing – which makes the topic not exactly a new kid on the block - organizations have been found holding back from taking the next steps with PQC implementation.
The Orange Cyberdefense Security Navigator 2026 report has identified key obstacles hindering an organization’s proactive PQC migration, which can be classified under 3 main categories below. Beyond identifying the challenges, we outline step-by-step solutions under each category as potential answers to helping organizations:
- Challenge 1 - Organizational hurdle:
a) Lacking urgency and business case
Organizations do not see quantum computing as an immediate threat that makes it low on their priority list, compared to other urgent costs that they prefer budgeting for. There is also a lack of use cases or proof points in the market about the quantum threat or PQC being a tangible success that further defeats any sense of urgency.
b) Lacking internal expertise + skills deficit
Beyond just a knowledge gap in quantum-based threats, organizations also lack skilled experts internally to implement PQC solutions.
c) Unclear internal governance, limited collaboration with ineffective planning implementation
Without a clear PQC framework and clear transition roadmap, what organizations face is ineffective task prioritization and migration journey.
d) Regulatory void
The pending new PQC specifics meant that organizations are forced to mandate state-of-the-art cryptography due to existing regulations.
Proposed solutions:
Some of the organizational hurdles above can be negated provided there’s willingness – if there’s a will, then there’s a way, such as:
- Engaging external PQC consultants to design the strategy and build knowledge transfer, while managing vendor relationships
- Appointing a PQC migration manager or forming a steering committee to mandate a cryptographic inventory for risk-based migration priority
- Launching training initiatives for IT and management
- Adopting recent PQC standards to meet the state-of-the-art requirement or leverage the EUCC certification for implementation guidelines - Challenge 2 - PQC immaturity:
a) Uncertain selection criteria
Given the immaturity of new PQC technology, organizations are devoid of standard implementation clarity on whether they should choose between an all-phased-out replacement or deploying a hybrid-approach when testing for reliable PQC solutions.
b) Security + reliability concerns
Uncertainty persists on the issue of maturity and security of PQC algorithms.
Proposed solutions:
Defaulting to a hybrid PQC model with a staged rollout would buy time for organizations to gain operational insights, minimize complications before committing to a full replacement strategy, and enable the transition from non-critical areas to first ensure solution stability and reliability. - Challenge 3 - Rigid code and documentation:
a) Legacy systems (non-flexible)
Legacy breeds inflexibility – and this becomes an inept constraint for systems that lack the resource to cope with larger PQC keys and intense computations.
b) Ecosystem interdependence
Due to the interconnected nature of Public Key Infrastructure (PKI), the transition to PQC thus affects other parties including standards bodies, vendors, and certifying authorities.
c) Lack of certified and approved components
Certified components remain limited from vendors especially in the more regulated sectors like government and finance.
d) Lack of agility
The current systems are not flexible or agile enough to respond to new threats or that standards are slow to evolve given the intricate code changes that render complexity.
Proposed solutions:
While technical challenges can’t be helped as existing IT infrastructure presents inherent rigidity, there are still ways for organizations to take things one step at a time, if extensive code modification or implementing secure cryptographic changes can seem overwhelming. Start small by:
- Implementing lightweight PQC libraries if hardware replacement is not possible or mandating PQC-capable hardware for new procurement
- Collaborating with suppliers and other regulatory / industry groups
- Prioritizing cryptographic agility that allows for algorithm swapping via simple configuration
Looking Ahead
The journey toward PQC readiness is complex but essential. As quantum computing inches closer to practical reality, organizations must act proactively to safeguard their data and infrastructure. By understanding the challenges, adopting strategic phased approaches, modernizing infrastructure, and leveraging advanced network architectures and expert partnerships, organizations can navigate this transition confidently.
The future of cybersecurity depends on our ability to adapt and innovate:
- Stakeholder alignment: Important to get everyone on the same page and prepared – start by appointing a program lead, setting broad goals, and having conversations with vendors on your migration needs.
- Cybersecurity posture evaluation: To establish a comprehensive security baseline, you will need to document all assets, conduct a formal risk assessment for your priority asset list, categorize available data, and evaluate your suppliers’ PQC readiness.
- Business plan underway: This entails appointing a dedicated migration manager to oversee the transformation, conducting a cost estimate along with the timeline and scope.
- Plan execution: This is beginning of establishing a quantum-safe environment –from implementing PQC primitives for key exchange and signatures, adjusting key sizes, integrating cryptographic agility to rapid adaptation.
- Continuous monitoring: Finally, carrying out routine review following the migration, updating your cryptographic inventory, performing security audits, and staying ahead with timely system updates as a form of vigilance against constantly emerging threats.
For more information on PQC and other trending cybersecurity topics, download a complimentary copy of the Security Navigator 2026 report here.
Author
Philip Lee
"Philip leads Orange Cyberdefense in APAC where he drives regional strategy, growth, and client engagement. A seasoned cybersecurity and digital transformation leader, he advises enterprises on strengthening cyber resilience, managing risk, and navigating an increasingly complex threat landscape. As a trusted advisor and industry thought leader, Philip is known for translating complex technical concepts into clear, business-focused insights for senior stakeholders and global audiences."
