The decryption risks from quantum computing are moving beyond the threshold from theoretical to reality, at least when it comes to enterprise security budgets. The research firm Forrester estimates that in 2026, quantum security spending will exceed 5% of overall IT security budgets, representing a fundamental reallocation of resources that goes well beyond traditional cryptography investments.
This isn't marginal spending on a future-state concern—it's an immediate, substantial commitment that many CISOs now see as a priority.
The clock is unforgiving. When available, commercial quantum computers will break today's asymmetric cryptography. Forrester predicts that this will happen within a decade. At the same time, the National Institute of Standards and Technology has set the stage for urgent action: RSA and ECC support will be deprecated by 2030 and entirely disallowed by 2035.
That means the end of 2029 is the effective operational deadline. That leaves roughly four years to execute one of the most complex cryptographic migrations in modern history. For enterprises running global infrastructure, that window may feel relatively narrow — because it is narrow.
What separates this moment from many, but not all, previous cryptographic transitions is the recognition that the quantum threat isn't confined to financial institutions or critical infrastructure operators. It's across industries, and every CISO must now integrate quantum security planning into the core budget strategy. "The SHA-1 to SHA-2 transition took over twelve years across sectors. With NIST setting 2030 deprecation deadlines, we don't have the luxury of that leisurely pace for post-quantum computing,” said Tim D. Williams, CTO of ProteQC, a boutique consultancy specializing in cryptographic resilience and the transition to post-quantum cryptography.
To get that work done, Forrester laid out four areas where they believe enterprises will allocate that transition budget next year.
The Four Dimensions of Quantum Security Investment
Each of the four distinct spending categories requires different expertise and timelines. First, organizations are rapidly engaging consulting services to plan quantum security migrations. These engagements aren't one-time assessments—they're programs aimed at mapping cryptographic inventory across systems. And they should prioritize migration efforts based on business risk, and the establishment of governance structures that span security, development, procurement, and IT operations. That horizontal business engagement means a CISO trying to execute these efforts alone will face organizational gridlock. Expert advisors will hopefully help to accelerate alignment and reduce the risk of missed dependencies.
Second, security and product teams are now partnering with development counterparts to systematically replace outdated cryptographic libraries and components embedded in applications, protocols, and infrastructure. This demands hands-on technical work: evaluating NIST-endorsed post-quantum algorithms, testing hybrid approaches that combine classical and quantum-resistant cryptography, and piloting implementations before production deployment. The complexity multiplies across legacy systems, cloud platforms, and vendor integrations—each with different technical constraints and timelines.
Third, security teams are coordinating with risk and procurement to track vendor and partner quantum migration plans as part of formal risk management. This is not an optional vendor evaluation. Regulatory bodies, including the NSA and NIST, are explicitly directing organizations to assess their supply chain's quantum readiness and engage technology vendors on their post-quantum computing (PQC) roadmaps. A single vendor unprepared for quantum migration can become a compliance liability and a data security vulnerability. Forward-thinking CISOs are incorporating quantum-safe requirements into RFPs, procurement contracts, and vendor scorecards—and some are preparing to replace vendors who cannot commit credible transition timelines.
"This is perhaps the most under-appreciated aspect of PQC transition. Many organizations, particularly the financial institutions we work with, don't control their own migration timeline. Their technology ecosystem usually constrains them," Williams said.
Williams detailed key questions for third-party providers central to the effort:
For cloud providers, ask: 'What is your published roadmap for PQC support in TLS connections, key management services, and HSM offerings? Will hybrid classical/PQC modes be available during transition, and when?'
For HSM (hardware Security Module) manufacturers: 'When will your hardware support FIPS 203, 204, and 205 algorithms? Will existing devices require firmware upgrades or hardware replacement?'
For PKI providers: 'Can your certificate authorities issue hybrid certificates? What's your timeline for full PQC CA hierarchies?'
The critical follow-up is: 'How does your roadmap align with NIST's 2030 deprecation and 2035 disallowance deadlines?'
Any vendor without a clear answer is a risk to your migration timeline.
Visibility is Forrester's final area. Teams are investing heavily in cryptographic discovery and inventory tools to gain visibility into all systems using encryption and digital signatures. These tools scan applications, infrastructure, cloud services, and development pipelines to identify which cryptographic algorithms are in use, where they're embedded, and how long the protected data needs to remain secure. The output is a cryptographic bill of materials (CBOM)—an inventory that serves as the foundation for risk-based migration prioritization.
Williams warned that this is an area where organizations commonly mistakenly start their PQC efforts and place too much emphasis on asset lists. "We see organizations starting with cryptographic discovery tools, scanning their infrastructure, and producing inventories of keys, certificates, and algorithms. That approach is increasingly backwards," he said.
"In a world of sprawling SaaS, containerized workloads, and complex partner ecosystems, starting with tools gives the illusion of completeness without answering the only question that matters to executives: 'Which business services are at risk, and what is the impact if they fail or are compromised?'" Williams added.
Williams advises that organizations would be more effective if they started with the organizational context. "Understand how the enterprise creates value and where trust and confidentiality actually matter. That means mapping business-critical applications, settlement systems, payment networks, customer data platforms, and tracing which applications handle long-lived, high-value data where 'harvest now, decrypt later' risk is real," he said.
The Urgency Behind the Budget
Why is this happening now, despite quantum computers not yet existing in a cryptographically relevant form? The answer lies in "harvest now, decrypt later" risks. Sophisticated threat actors are believed to be already collecting encrypted data at scale, storing it with the knowledge that quantum computers will eventually decrypt it. This transforms the quantum threat from a future concern into a present-day business continuity risk. Data stolen today—trade secrets, intellectual property, customer records, R&D details—will retain value long enough to justify the computational expense of retroactive decryption. The $425 billion in currently protected data at risk, according to Forrester, represents the actual economic driver behind this spending acceleration.
It also takes time to make the transition to PQC algorithms, and that’s why regulators have also intensified their pressure. Agencies like CISA, the SEC, and sector-specific compliance bodies are beginning to ask organizations about their PQC migration plans. Auditors and insurers are raising similar questions. The compliance-first narrative is becoming a legitimate funding mechanism—CISOs framing quantum readiness as a regulatory mandate often find receptive CFOs and boards, even in organizations with tight security budgets.
Executing the Migration
The migration won't be linear. NIST and industry guidance recommend enterprises complete their work in phases: pilot deployments through 2026, migration of high-risk internet-facing systems through 2026–2029, and full organizational transition by 2035. Risk-based prioritization is essential. Systems that protect long-lived data, handle high-value transactions, or manage critical infrastructure should migrate first. Hybrid cryptographic approaches—combining classical and post-quantum algorithms—are recommended during the transition to reduce algorithmic uncertainty while standards continue evolving.
Quantum readiness efforts transcend security teams. It demands coordinated effort from developers replacing libraries, procurement teams vetting vendors, infrastructure teams managing certificate updates, and finance teams allocating resources across a multi-year program. For many organizations, this marks the first time quantum security and cryptographic agility have been part of the same strategic conversation alongside business continuity and compliance readiness.
Many organizations remain ill-prepared. "Before you can be post-quantum ready, you need to be pre-quantum competent," Williams said. "We still encounter SSL 2.0, SSL 3.0, TLS 1.0, 1.1, and on production banking systems—protocols deprecated years ago. We find RSA keys under 2048 bits, MD5, and SHA-1 still protecting data that algorithms with known vulnerabilities shouldn't protect. We have even encountered unencrypted connections to mainframes over internal IP networks," he recalled.
"Fixing pre-quantum cryptography isn't exotic; it's basic housekeeping that authoritative guidance has recommended for years. For immediate 2025-2026 impact, focus on what I call 'Pre Quantum Computing' readiness: Complete the basics first. Eliminate deprecated protocols, migrate to current key sizes, and update hash algorithms. This work has value today—it reduces current attack surface—and positions you for PQC migration tomorrow,” Williams said.
