Quantum security: 5 myths about tomorrow's security

Quantum security is on everyone's lips – but between the hype and horror stories, there are many misunderstandings lurking. Thomas Lebeth dispels five myths and explains why he believes hybrid approaches and a cool head are the best security strategy.

As we all know, the IT world is changing rapidly. I have been involved in it for a long time—long enough to see trends come and go just as quickly. But when it comes to quantum computing, I have felt for years that this is more than just a passing fad. These new computing giants open up fascinating possibilities—and at the same time challenge us to rethink data security. But we won't overcome this challenge with alarmism, but with a cool head, curiosity, and a clear strategy. It is crucial to closely follow technological developments without being driven by them – and to choose paths that are bold, feasible, and effective at the same time.

Myth 1: Quantum computers will crack all encryption tomorrow

Clarification: Quantum security is not purely a technical issue, but rather a strategic corporate task. It affects management, compliance, data protection, and every department that works with confidential data. https://www.capgemini.com/wp-content/uploads/2025/07/2025_07_10_Capgemini_Post-Quantum-Cryptography-Report_News-Alert.pdf

My assessment: Awareness and strategic planning must take place across the entire company – not just in the server room. Why? Quantum security is not just cryptography – it is risk and reputation protection. “Store now, decrypt later” attacks make today's data vulnerable tomorrow – and that applies to HR data as well as confidential contract documents or research projects. If this information falls into the wrong hands, the consequences are not only technical, but business-critical. That's why quantum security belongs on the agenda of senior management and in every department that works with sensitive data. Quantum security is not an IT problem. It is a business risk – and a management task.

Myth 2: Post-quantum cryptography (PQC) is the panacea

Clarification: PQC is a crucial component, but it is by no means the entire solution. The new quantum-resistant methods replace classic algorithms – but these too must be tested, standardized, and implemented. NIST has published the first PQC standards, including ML-KEM (FIPS 203) and ML-DSA (FIPS 204). This is an important milestone, but it does not yet guarantee seamless practical readiness. https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.203.pdf

My assessment: New cryptography must prove itself in tough everyday use under high loads, in complex architectures, in legacy environments, and in interaction with hardware. This is precisely why experts are currently relying on hybrid methods that combine PQC with proven, classic methods. This dual strategy creates robustness, even if vulnerabilities should still appear in individual new methods.

Exciting: In March 2025, NIST selected HQC as an additional algorithm candidate – with a different mathematical basis than ML-KEM. This is a clear signal: redundancy is desired – security comes from diversity, not monocultures. Even the experts use redundancy if vulnerabilities appear. For companies, this means that flexibility is key. Those who opt for hybrid solutions today can make the transition step by step while remaining on the safe side. In short: PQC is important. But the path to a quantum-secure future is a multi-stage process – not a one-button upgrade. https://www.nist.gov/news-events/news/2025/03/nist-selects-hqc-fifth-algorithm-post-quantum-encryption#:~:text=NIST%20has%20chosen%20a%20new%20algorithm%20for%20post-quantum,important%20if%20a%20weakness%20were%20discovered%20in%20ML-KEM

Myth 3: The top solution, “quantum key distribution,” is out of reach for most people

Clarification: Quantum key distribution (QKD) uses the laws of quantum physics to transmit key material in a physically tap-proof manner—typically via photons in fiber optics. This makes QKD technically sophisticated, but by no means “magical.” In addition to Europe-wide programs such as EuroQCI, which are driving the development of a quantum-secure communications infrastructure, the first pilot projects are now underway with public authorities, critical infrastructures, and large enterprise customers. These tests show that QKD can already be evaluated in a practical setting, technically integrated, and operated in real networks. The technology is thus clearly moving from research to application. https://digital-strategy.ec.europa.eu/de/policies/european-quantum-communication-infrastructure-euroqci

My assessment: QKD is not an exclusive toy of the future – rather, alongside PQC, it is another building block in modern, hybrid security architectures. I currently see the use of QKD explicitly for optical data connections on Layer 1 as a door opener for new security architectures, especially in critical infrastructures and backbone connections. With increasing availability and falling costs, QKD is also becoming feasible for medium-sized scenarios. Managed services are the real game changers: they deliver the benefits of QKD without high investment, complex operation, or maintenance costs—security as a service instead of a hardware project.

Myth 4: Companies must change everything immediately

Clarification: The transformation to quantum-secure processes is complex and affects many levels—from hardware and software to processes. A hasty change carries risks.
The BSI recommends a crypto-agile and hybrid security strategy.https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Quantentechnologien-und-Post-Quanten-Kryptografie/quantentechnologien-und-quantensichere-kryptografie_node.html

My assessment: The key lies in a structured roadmap with clear priorities and transition strategies. A sensible starting point is to secure core networks with high data throughput—here, Layer 1 encryption and PQC can be used to create a robust foundation without immediately affecting the entire IT architecture. Additional layers can then follow step by step. This keeps the transition manageable without risking security gaps. Those who plan crypto-agile can react flexibly and are well prepared when new standards or technologies are introduced.

Myth 5: Quantum security only affects the IT department

Clarification: Quantum security is not purely a technical issue, but rather a strategic corporate task. It affects management, compliance, data protection, and every department that works with confidential data.

My assessment: Awareness and strategic planning must take place across the entire company – not just in the server room. Why? Quantum security is not just cryptography – it is risk and reputation protection. “Store now, decrypt later” attacks make today's data vulnerable tomorrow – and that applies to HR data as well as confidential contract documents or research projects. If this information falls into the wrong hands, the consequences are not only technical, but business-critical. That's why quantum security belongs on the agenda of senior management and in every department that works with sensitive data. Quantum security is not an IT problem. It is a business risk – and a management task.

Conclusion

Quantum security is no reason to panic – but it's also not something to be put off until “sometime in ten years.” Those who wait until the 2030s will be giving attackers a head start of several years. By then, hackers will definitely have made good use of their time.

The good news is that those who act strategically, step by step, and crypto-agilely now will have less stress later – especially if things turn out to be more serious than expected. Hybrid solutions, roadmaps, and strategic partnerships are the way to a secure future.

According to PwC, 29% of German companies are currently piloting initial quantum-resistant security measures – a start that will hopefully gain momentum quickly!https://www.pwc.de/de/cyber-security/digital-trust-insights.html

Want to know how to make your business quantum-secure in the long term?