As the CEO of ExeQuantum, I spend my days immersed in the world of post-quantum cryptography (PQC), a space that feels both ahead of its time and painfully urgent. The irony is clear, while the quantum threat is rapidly approaching, most industries still treat security as an afterthought, something to worry about later. The frustrating part? “Later” might be too late, as the closer we get to the day quantum computers break RSA, the more relevant the data that gets harvested for later decryption becomes. For some companies it may already be too late, but there’s still time for most to protect theirs and their clients’ data.

The Blind Spot in Cybersecurity Priorities

One of the greatest challenges I face is convincing industries that they need to take proactive steps toward PQC adoption. Disappointingly, I see this especially in sectors like healthcare, which holds some of the most sensitive data imaginable, yet its security measures remain alarmingly outdated. Electronic health records, patient histories, and genetic data are goldmines for cybercriminals, and when quantum computing breaks traditional encryption, this data could be irreversibly compromised. Still, the urgency isn’t there. The response is often, “We’ll look into it when regulations require it.” But cybersecurity should not be a compliance checklist, it should be a survival strategy.

Surprisingly, the most receptive industry (at least from my experience) to PQC is not fintech, it’s AI, which is not what you’d expect. My theory is that they tend to be the more forward thinking industry and are therefore open to hearing about emerging technologies. However, while it’s encouraging that AI is adopting post-quantum cryptography, it’s borderline alarming that the people handling our health records, finances and other identifying information are lagging behind.

Security as a ‘Luxury’ Mindset

Another issue is that many businesses view security as a discretionary spend, rather than a foundational necessity. A somewhat recent conversation sticks with me: a founder who holds children’s data (for the purpose of controlling their device usage and education) had just raised funding. When I asked if he planned to invest in security, his response was, “When you get some money, you don’t go and buy caviar.” I still remember it to this day. Protecting sensitive data isn’t a luxury; it’s the ethical and professional obligation of anyone entrusted with it. This mindset, that security is something you indulge in when you have ‘extra’ money, shows how deeply misaligned priorities can be.

The False Sense of Security

Many organisations assume they’re already protected because they have SSL certificates or rely on their vendors’ security assurances. They believe that because they’re using big-name cloud providers, they’re covered. But encryption today is not the encryption of tomorrow. The algorithms securing most data today are vulnerable to quantum computing. Without post-quantum protections in place, businesses are building on sand, assuming their vendors will handle everything. The reality? The responsibility lies with them.

The truth is, at the time of this article, the vast majority of TLS providers aren’t quantum secure, and some aren’t even mentioning any plans to change that. Not all TLSs are the same level of proactiveness, and their priorities might differ to their users. Even the TLS services that did adopt post quantum, such as CloudFlare, rely on browser compatibility, and not all browsers are compatible with PQC, meaning the TLS provider has to fall back to classical encryption.

The transition is not uniform, and it’s going to take the participation of all players to make it happen. Therefore, it is misguided to assume that relying on providers will suffice in this new era of cybersecurity.

The “Everyone Else Needs It, But Not Me” Paradox

This is perhaps the most exasperating conversation I have on a regular basis. I meet executives who tell me how important my work is. They nod in agreement when I explain the risks. They acknowledge that every business needs to prepare for quantum threats before it’s too late. And then, when I ask about their own company, the response shifts: “Oh, not now. Maybe later.”

This paradox is one of the most challenging barriers to overcome. Many people intellectually accept that quantum-safe encryption is inevitable, but few feel compelled to act. It’s like watching a tsunami forming in the distance while people build houses on the shore, confident that they can reinforce their walls later.

When a storm is coming, nobody thinks it’s wise to wait until the storm is actually happening to build the shelter. Similarly, people shouldn’t wait for Q-Day to adopt quantum-resistant encryption. This analogy, made by one of ExeQuantum’s partners, quite resonated with me, as I feel like it clearly states the importance of proactiveness, something that the cybersecurity industry is struggling with as a whole.

Why I Keep Going

Despite these frustrations, I remain optimistic. Change is slow, but it is happening. We’ve seen regulatory bodies and governments begin to push for PQC adoption. Forward-thinking companies are starting to take real action. The challenge is turning awareness into action, and that requires persistence.

Building ExeQuantum isn’t just about providing a product, it’s about reshaping the way businesses think about security. It’s about making them realise that this isn’t an abstract, future problem; it’s a problem that is already here, knocking at the door. Not just from quantum computers; all kinds of emerging threats are looming, and gone are the times when cybersecurity was an afterthought.

Security shouldn’t be something companies add after everything else is in place. It should be woven into the foundation of their business. Because if they wait until the threat is on top of them, it’ll already be too late.

My mission is to ensure that doesn’t happen.