Cutting Through the Quantum Hype: Practical Insights from Anna Beata Kalisz Hedegaard
1. The Big Picture
How do you see the quantum security landscape evolving over the next 5–10 years, and what milestones will define when the world truly becomes “quantum-ready”?
When I look at the next decade of cybersecurity, I see something far less glamorous than the headlines suggest and far more transformative. The world won’t become “quantum-ready” the moment someone announces a big qubit number. It will happen once organizations finally get the unexciting but essential engineering foundations in place: cryptographic inventories, lifecycle automation, hybrid protocols, and governance. Quantum will be one of many facets of future cybersecurity.
Most organizations are still at the “reactive” stage, with hard-coded crypto everywhere. It means this next decade is about maturing cybersecurity, and post-quantum cryptography, QRNGs, QKD and beyond are just some tools out of future solution sets. For me, the milestone isn’t Q-Day but the moment when updating cryptography is a routine. That’s when we’ll know the world is truly ready: not because we fear quantum, but because we’ve built systems flexible enough to survive most cryptographic disruptions.
2. PQC vs. QKD
There’s often debate about whether PQC or QKD will become the dominant approach to securing the future. Do you see them as competing, complementary, or serving fundamentally different needs?
The way people frame PQC versus QKD as an either-or choice has always struck me as a category error. It’s like preparing for a windy winter bike ride and acting as if you must choose between wearing your left glove or your right glove. That situation simply doesn’t exist. You wear both because they protect you in different, complementary ways, and together they let you function normally in harsh conditions.
That’s exactly how PQC and QKD fit into a quantum-safe architecture.
PQC gives you scalable, software-based protection for identities, signatures, certificates, and everyday digital operations, the kind of coverage you need universally, across all systems. QKD and symmetric-first approaches strengthen the key-distribution layer where confidentiality must last for decades and where the assurance level must be as high as possible.
To summarize, PQC is part of the crypto-agility layer, and QKD is part of the crypto-resiliency plane layer.
3. Readiness & Adoption
Most organizations still struggle to even inventory their cryptographic assets. What do you see as the biggest hurdle preventing enterprises and governments from beginning their quantum-security transition?
What slows everyone down is the complete lack of visibility into their existing cryptographic organizational archaeology. You can’t secure what you can’t see, and most organizations genuinely have no idea what algorithms are used by what systems, what firmware hides old RSA keys, or where certificates are auto-generated by forgotten services that nobody has touched in six years. And nowadays we might also be running into some fancy AI-suggested solutions. Currently, the biggest hurdle is to create a map before anything quantum-safe can even begin. Once that’s done, PQC solutions are available and there are competent advisors waiting for a call (hint hint 😉).
4. The “Harvest Now, Decrypt Later” Threat
How seriously should organizations take the ‘HNDL’ threat, and do you believe most leaders truly understand the timelines and consequences?
“Harvest Now, Decrypt Later” (HNDL) is about accepting that migration takes years, and encrypted data with long confidentiality requirements is already inside its exposure window to decrypting attacks of the future. But there’s a second problem: “Trust Now, Forge Later” (TNFL). It’s about breaking signatures and identities. If today’s signing keys become breakable, tomorrow’s attackers could forge software updates, certificates, transactions, and even the things we rely on to decide what is authentic.
Unfortunately, many leaders still underestimate how much of their infrastructure depends on secrets and trust anchors that must remain valid for the next 10–20 years or much, much longer.
5. Industry Vertical Impacts
Which industries face the most urgent quantum-security risks today, and which ones will be the last to feel the impact?
Different industries will feel quantum impact in different ways, and some of those differences are very human. Banks worry about integrity and settlement. Healthcare worries about decades-long confidentiality. Telcos worry about scale and latency. Governments worry about, well… depends on the government, but at least they should worry about everything. Some industry players have more time than others, but time runs out faster than people think, and interoperability might force some to get on the migration train sooner than they would like.
6. The Business Case
Security transitions are expensive. How should executives quantify the ROI or strategic value of becoming quantum-safe before breaches occur?
Some leaders might be tempted to wait for quantum-safe technologies to get cheaper. But for large organizations, the real cost isn’t the technology, it’s the process change. And process change is always far less painful when done early and calmly than during a forced, rushed emergency. Emergency cryptographic transitions are where outages and mistakes happen, and for most businesses, loss of operational capability is the biggest financial hit of all.
7. Looking Ahead
What is the one misconception about quantum security—either about PQC or QKD—that most frustrates you, and what’s the truth that people really need to understand?
There is a misconception, or rather an overfocus, on perfecting the technical aspects of PQC and QKD implementation. To be honest, it doesn’t frustrate me. We’re emotional, busy, imperfect creatures trying to make good decisions within limited time and plenty of uncertainty, and I have a lot of empathy for that. In business, cryptography is just one layer among many competing priorities. The truth is, technologically we are ready. So, what really matters is recognizing that quantum-safe migration is a systems change. And to prevent decisions from being shaped by a single perspective or personality, organizations need diverse leadership teams, diverse in years of experience, in technical background, and in how they interpret risk. That’s where blind spots surface. That’s where you uncover the subtle, systemic issues that will make complex PQC migration plausible and even successful.