DigiCert survey finds only 5% of global businesses are using post-quantum cryptography
Analysis Summary
# Industry News: PQC Adoption Lagging Significantly Despite Looming Quantum Risk
## Summary
A recent survey by DigiCert reveals a severe gap in quantum readiness, with only 5% of enterprises having deployed post-quantum cryptography (PQC), despite nearly 70% of cybersecurity managers anticipating cryptographically relevant quantum computers (CRQCs) within five years. This low adoption rate, coupled with high perceived preparedness, highlights a significant disconnect between risk awareness and active mitigation across the US, UK, and Australian markets.
## Key Details
- Date: May 8, 2025 (Approximate based on publication context)
- Companies Involved: DigiCert (Source of the survey)
- Category: Market Analysis / Risk Assessment
## The Story
DigiCert polled approximately 1000 senior and C-level cybersecurity managers across the US, UK, and Australia concerning their preparedness for the quantum threat. The findings starkly contrast optimism with reality: while 58% feel either "very" or "extremely prepared" for quantum computing breaking current encryption, only 5% have actually implemented quantum-safe encryption solutions. Furthermore, 69% of respondents forecast that CRQCs—able to break current asymmetric encryption—will emerge within the next five years. The report also raises awareness of "store now decrypt later" (SNDL) attacks, where adversaries are already harvesting encrypted data for decryption once viable quantum computers are operational.
## Business Impact
### For the Companies Involved
- **DigiCert:** This data strengthens DigiCert's market position as a key player driving PQC migration strategies for their existing TLS/SSL customer base, justifying urgent conversations about certificate lifecycle management and quantum-safe transition.
### For Competitors
- Competitors offering PQC transition services, certificate management, or quantum-resistant algorithms (e.g., other CAs, specialized security vendors) have a significant, uncontested market opportunity to capitalize on this widespread lack of deployment.
### For Customers
- Enterprises face severe, unmanaged risk. The data suggests that long-term sensitive data (financial records, proprietary IP) is vulnerable to future decryption, necessitating immediate budget allocation for PQC roadmapping and implementation, even if tactical deployment is slow.
### For the Market
- The data confirms that the encryption migration (crypto-agility) market is nascent but poised for explosive growth. Current budget allocations and internal project timelines for security teams are lagging significantly behind recognized external timelines.
## Technical Implications
The core technical implication is the urgent need for "crypto-agility"—the ability to rapidly swap out vulnerable cryptographic primitives (like RSA and ECC) for NIST-standardized PQC algorithms (such as CRYSTALS-Kyber and CRYSTALS-Dilithium). The low deployment rate suggests widespread challenges in inventorying cryptographic dependencies across IT estates and integrating new standards into existing infrastructure (PKI, VPNs, code signing).
## Strategic Analysis
- **Market Positioning:** The market for quantum security solutions is shifting from a theoretical concern to an actionable implementation phase, though adoption remains decentralized (only 5% deployed).
- **Competitive Advantage:** Organizations that manage to achieve early, seamless PQC implementation will gain a significant long-term security advantage by rendering their historical data impervious to future quantum attacks, while lagging peers accrue technical debt and heightened liability.
- **Challenges:** The primary challenge is scale and resource allocation. Moving from awareness (high) to actual deployment (low) requires substantial budgetary approval, cross-departmental coordination, and specialized technical expertise that many organizations may lack.
## Industry Reactions
- **Analyst Opinions:** Analysts likely view the 58% preparedness perception against the 5% deployment reality as peak "security theater" or "optimism bias." The focus needs to shift immediately from *if* to *how* and *when* implementation will occur.
- **Expert Commentary:** Experts will emphasize the immediacy of the SNDL threat, stressing that encrypted data stolen today should be treated as compromised once quantum decryption becomes viable.
- **Market Response:** Publication of this data is expected to trigger increased inquiries and potentially accelerate pilot programs for PQC readiness tools among the security vendors who rely on fear, uncertainty, and doubt (FUD) balanced against clear migration paths provided by entities like DigiCert.
## Future Outlook
- **Predictions and Expectations:** Over the next 12-18 months, significant enterprise IT budgets are expected to pivot toward cryptographic inventory and PQC pilot implementations as regulatory pressure or high-profile alerts (like warnings from government bodies) increase.
- **What to watch for:** Key indicators will be vendor announcements regarding standardized PQC certificate issuance capabilities and early success stories from large enterprises detailing their migration architectures.
## For Security Professionals
Cybersecurity professionals must move beyond basic awareness. The immediate action items are: **inventory all crypto assets**, determine the expected lifespan of the data they protect, and begin drafting a compliance roadmap based on NIST PQC migration timelines. Focus should be placed on achieving **crypto-agility** rather than an immediate, universal PQC rollout, as the latter is currently impractical for most organizations.
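
The inventory and data-lifespan steps above can be combined into a simple triage pass. The following is an added example, not part of the DigiCert report: the asset names, priority labels and the five-year horizon (borrowed from the survey's forecast) are assumptions, and the inventory is constructed sample data.

```python
from dataclasses import dataclass

# Assumption: CRQC planning horizon, taken from the survey's "within five
# years" forecast. Replace with your own estimate.
CRQC_HORIZON_YEARS = 5

# Public-key families broken by Shor's algorithm, and NIST PQC families.
VULNERABLE = ("RSA", "ECDSA", "ECDH", "DH", "DSA", "ED25519", "X25519")
PQC = ("ML-KEM", "ML-DSA", "SLH-DSA", "KYBER", "DILITHIUM")
ORDER = ["migrate-now", "review", "plan", "monitor", "ok"]

@dataclass
class Asset:
    name: str
    algorithm: str       # as a scanner would report it, e.g. "RSA-2048"
    purpose: str         # "key-exchange", "encryption" or "signature"
    lifespan_years: int  # how long the data or signature must stay trustworthy

def triage(asset, horizon=CRQC_HORIZON_YEARS):
    alg = asset.algorithm.upper()
    if alg.startswith(PQC):
        return "ok"
    if not alg.startswith(VULNERABLE):
        return "review"  # unrecognised primitive: needs a human decision
    outlives_horizon = asset.lifespan_years >= horizon
    if asset.purpose in ("key-exchange", "encryption"):
        # SNDL: ciphertext captured today is readable once a CRQC exists,
        # so long-lived confidential data is already exposed.
        return "migrate-now" if outlives_horizon else "plan"
    # Signatures cannot be harvested; forgery only matters after the CRQC.
    return "plan" if outlives_horizon else "monitor"

def prioritise(assets):
    ranked = [(triage(a), a.name) for a in assets]
    return sorted(ranked, key=lambda r: (ORDER.index(r[0]), r[1]))

# Constructed sample inventory (not survey data).
INVENTORY = [
    Asset("vpn-gateway", "ECDH-P256", "key-exchange", 10),
    Asset("public-web-tls", "RSA-2048", "key-exchange", 1),
    Asset("code-signing-root", "RSA-4096", "signature", 15),
    Asset("jwt-session-tokens", "ECDSA-P256", "signature", 0),
    Asset("pilot-kem-service", "ML-KEM-768", "key-exchange", 10),
    Asset("legacy-backup-tool", "custom-kex-v1", "encryption", 20),
]

if __name__ == "__main__":
    for priority, name in prioritise(INVENTORY):
        print(f"{priority:12} {name}")
```

The split between confidentiality and signature uses is the point of the exercise: only the former is exposed to harvesting today, so it sets the migration order.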