Adapting to the quantum shift: Trends in encryption and IoT security

Ted Shorter, CTO; Tomas Gustavsson, Chief PKI Officer and Ellen Boehm, SVP, IoT Strategy and Operations; Keyfactor, outline a pivotal shift in how organizations approach cryptographic security.

As quantum computing advances and cybersecurity threats become more sophisticated, organizations must rethink their encryption and IoT security strategies.

The transition to post-quantum cryptography (PQC) is accelerating, driven by regulatory mandates and the need to protect sensitive data from quantum-enabled attacks. Meanwhile, the evolving threat landscape is pushing security leaders to reinforce IoT and connected devices to ensure resilience against emerging cyber risks.

These trends mark a pivotal shift in how organizations approach cryptographic security in 2025 and beyond.

Let’s dive into these trends in further detail to understand how organizations are impacted and the actionable steps they can take to ensure they are prepared for the quantum future.

The Shift to Agile Encryption Strategies

The finalization of the first suite of post-quantum cryptographic algorithms from the National Institute of Standards and Technology (NIST) has set the stage for a transformative shift in encryption practices. Most notably, we’re starting to see organizations take significant strides toward post-quantum cryptography (PQC) adoption.

Driving this accelerated transition to PQC standards is NIST’s proposed PQC migration deadline of 2035, in which RSA, ECDSA, EdDSA, DH, and ECDH will be officially disallowed.

This 10-year timeline, which mirrors past decade-long cryptographic transitions such as the move from SHA-1 to SHA-2, leaves little room for delay.

The once-static cryptographic landscape will be disrupted by continuous innovation, creating “gotcha” moments that challenge established security norms.

As organizations navigate evolving security challenges, transitioning to PQC enables them to become much more agile in their encryption strategies. This ability, referred to as crypto-agility, lets a system quickly and easily change parts of its encryption mechanism(s), including encryption keys, key lengths, and encryption algorithms.
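As an added illustration of what crypto-agility looks like in code (this is not from the article or from Keyfactor): a signing subsystem in which the algorithm is selected by an identifier, that identifier travels inside the signed envelope so verifiers dispatch on it, and moving to a new algorithm touches only the registry and a policy string rather than every caller. The identifiers `ecdsa-p256` and `ed25519`, the `Envelope` layout and the sample payload are assumptions; only Go's standard library is used, and a post-quantum signature scheme would be added as one more registry entry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Envelope travels with the message. Carrying the algorithm identifier in the
// signed format is what lets verifiers dispatch instead of assuming one hard-wired algorithm.
type Envelope struct {
	Alg       string // registry key, e.g. "ecdsa-p256" (naming is assumed)
	PublicKey []byte // PKIX/DER-encoded public key
	Signature []byte
}

// algorithm is the only surface application code depends on; each concrete scheme is reached through it.
type algorithm struct {
	sign   func(msg []byte) (pub, sig []byte, err error)
	verify func(pub, msg, sig []byte) bool
}

func signECDSAP256(msg []byte) ([]byte, []byte, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo key; production keys live in an HSM/KMS
	if err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, k, h[:])
	if err != nil {
		return nil, nil, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&k.PublicKey)
	return pub, sig, err
}

func verifyECDSAP256(pub, msg, sig []byte) bool {
	k, err := x509.ParsePKIXPublicKey(pub)
	pk, ok := k.(*ecdsa.PublicKey)
	if err != nil || !ok {
		return false
	}
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pk, h[:], sig)
}

func signEd25519(msg []byte) ([]byte, []byte, error) {
	pk, k, err := ed25519.GenerateKey(rand.Reader) // demo key, see above
	if err != nil {
		return nil, nil, err
	}
	pub, err := x509.MarshalPKIXPublicKey(pk)
	return pub, ed25519.Sign(k, msg), err
}

func verifyEd25519(pub, msg, sig []byte) bool {
	k, err := x509.ParsePKIXPublicKey(pub)
	pk, ok := k.(ed25519.PublicKey)
	return err == nil && ok && ed25519.Verify(pk, msg, sig)
}

// registry: migrating to a post-quantum scheme means adding one entry here and
// changing the policy string; callers of SignWith/VerifyEnvelope are untouched.
var registry = map[string]algorithm{
	"ecdsa-p256": {sign: signECDSAP256, verify: verifyECDSAP256},
	"ed25519":    {sign: signEd25519, verify: verifyEd25519},
}

// SignWith selects the scheme by identifier (in practice read from configuration)
// and returns an envelope that records which scheme it used.
func SignWith(alg string, msg []byte) (Envelope, error) {
	a, ok := registry[alg]
	if !ok {
		return Envelope{}, fmt.Errorf("algorithm %q not registered", alg)
	}
	pub, sig, err := a.sign(msg)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Alg: alg, PublicKey: pub, Signature: sig}, nil
}

// VerifyEnvelope dispatches on the identifier in the envelope. An unknown or
// retired identifier is an error, never a silent fallback to a weaker scheme.
func VerifyEnvelope(env Envelope, msg []byte) (bool, error) {
	a, ok := registry[env.Alg]
	if !ok {
		return false, fmt.Errorf("algorithm %q not registered", env.Alg)
	}
	return a.verify(env.PublicKey, msg, env.Signature), nil
}

func main() {
	msg := []byte("firmware-manifest-v1") // constructed sample payload
	for _, alg := range []string{"ecdsa-p256", "ed25519"} { // a policy change is just a different identifier
		env, err := SignWith(alg, msg)
		ok, _ := VerifyEnvelope(env, msg)
		fmt.Printf("%-10s err=%v verify=%v\n", alg, err, ok)
	}
}
```

Retiring an algorithm is the mirror image: delete its registry entry and every envelope that still names it is rejected at `VerifyEnvelope`, which is the behaviour you want once a scheme is disallowed.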

Organizations that embrace agility, iterative improvements, and proactive integration of PQC will be best positioned to meet regulatory expectations and safeguard their ecosystems. The first step towards this is to familiarize yourself with the new NIST algorithms and their implications for your organization. Companies that delay their understanding of the new standards – and thus, their PQC transition – risk falling behind in compliance and resilience, making this year a critical turning point for the adoption of quantum-safe standards.

Regulated Industries Paving the Way for PQC Adoption

In the past 30 years, the cybersecurity industry has effectively only had two asymmetric algorithm standards – RSA and ECC. Now, in the last year alone, NIST has brought three new post-quantum cryptographic standards to the table, with more algorithms slated to be released in 2025. Each of these algorithms uses unique mathematical structures to withstand quantum attacks, which threaten to break traditional cryptographic systems that underpin the security of all digital interactions.

With additional algorithms expected to be released this year, more organizations are acting decisively to assess the maturity of their PQC postures. Industries like government, finance and telecommunications are starting to prioritize their PQC transition. These highly regulated industries hold extremely sensitive data, meaning they will be the first to adopt solutions like public key infrastructure (PKI).

As quantum computing advances, these sectors will face heightened risk to data security, prompting stricter regulatory mandates and early adoption of PQC to protect critical infrastructure and consumer trust. It’s no surprise that they’re acting decisively to assess the maturity of their PQC postures.

For organizations looking to follow suit, there are a few steps to get started:

  1. Establish visibility: Most organizations do not understand the sheer volume of all systems and applications that rely on cryptography. Task IT and security teams to build an inventory of all certificates and algorithms in use throughout the organization.
  2. Plan a transition strategy: Develop a detailed plan for transitioning to the new standards, including timelines and milestones. As part of this, be sure to allocate necessary resources (e.g., personnel, budget, tools). This also includes setting up a testing environment for the new algorithms so that teams can identify potential issues.
  3. Engage stakeholders and educate staff: Perhaps the most important step is to communicate the transition plan and its importance to all relevant stakeholders, including security teams and executives. Work to identify potential risks associated with the transition and develop mitigation strategies.
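An added example for the first step, establishing visibility (this code is not part of the article and not Keyfactor's): a small Go inventory that walks a PEM bundle, records each certificate's key algorithm, key size, signature algorithm and expiry, and flags certificates whose key algorithm is among those the article says will be disallowed by 2035 or whose validity runs past that deadline. The three certificates, their names and the fixed 2025 start date are constructed in memory for the demo; a real run would read certificates from key stores, servers and devices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var Deadline = time.Date(2035, 1, 1, 0, 0, 0, 0, time.UTC) // proposed NIST cut-off cited in the article

// Record is one inventory row.
type Record struct {
	Subject, KeyAlg, SigAlg string
	KeyBits                 int
	NotAfter                time.Time
	QuantumRisk             bool // key algorithm is on the article's list of algorithms disallowed by 2035
	PastDeadline            bool // validity runs past Deadline, so the certificate must be reissued before then
}

func keyInfo(pub any) (string, int) {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return "RSA", k.N.BitLen()
	case *ecdsa.PublicKey:
		return "ECDSA", k.Curve.Params().BitSize
	case ed25519.PublicKey:
		return "EdDSA", 256
	}
	return fmt.Sprintf("%T", pub), 0
}

// InventoryPEM turns every CERTIFICATE block in a PEM bundle into a Record; other
// block types are skipped and a malformed certificate is an error, not a silent gap.
func InventoryPEM(bundle []byte) ([]Record, error) {
	var out []Record
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		alg, bits := keyInfo(c.PublicKey)
		out = append(out, Record{
			Subject: c.Subject.CommonName, KeyAlg: alg, KeyBits: bits,
			SigAlg: c.SignatureAlgorithm.String(), NotAfter: c.NotAfter,
			QuantumRisk:  alg == "RSA" || alg == "ECDSA" || alg == "EdDSA",
			PastDeadline: c.NotAfter.After(Deadline),
		})
	}
	return out, nil
}

// selfSigned builds a constructed certificate in memory with a fixed start date
// (a real inventory reads certificates from key stores, servers and devices).
func selfSigned(cn string, priv, pub any, years int) ([]byte, error) {
	start := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: start, NotAfter: start.AddDate(years, 0, 0)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// SampleBundle returns three constructed certificates (assumed names), one per
// algorithm family on the article's 2035 list: RSA, ECDSA and EdDSA.
func SampleBundle() ([]byte, error) {
	rsaKey, e1 := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, e2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	edPub, edPriv, e3 := ed25519.GenerateKey(rand.Reader)
	if err := errors.Join(e1, e2, e3); err != nil {
		return nil, err
	}
	c1, e1 := selfSigned("rsa-gateway.example", rsaKey, &rsaKey.PublicKey, 15)
	c2, e2 := selfSigned("ecdsa-device.example", ecKey, &ecKey.PublicKey, 3)
	c3, e3 := selfSigned("ed25519-signer.example", edPriv, edPub, 12)
	if err := errors.Join(e1, e2, e3); err != nil {
		return nil, err
	}
	return append(append(c1, c2...), c3...), nil
}

func main() {
	bundle, e1 := SampleBundle()
	recs, e2 := InventoryPEM(bundle)
	if err := errors.Join(e1, e2); err != nil {
		panic(err)
	}
	for _, r := range recs {
		fmt.Printf("%-24s %-5s %4d-bit %-22s expires %s quantum-risk=%v past-2035=%v\n", r.Subject,
			r.KeyAlg, r.KeyBits, r.SigAlg, r.NotAfter.Format("2006-01-02"), r.QuantumRisk, r.PastDeadline)
	}
}
```

The `PastDeadline` flag is the one that turns an inventory into a plan: a certificate that is quantum-vulnerable but expires in 2028 will be replaced in the normal renewal cycle, while one valid until 2040 needs an explicit reissuance milestone in the transition timeline. Recording `SigAlg` alongside the key also surfaces legacy signature hashes that the same inventory pass can flag.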

Strengthening IoT Security Through Layered Trust

Security and security operations leaders face mounting pressure to strengthen their IoT and OT security frameworks and connected device security supply chains. Ensuring compliance and maintaining customer trust are business priorities and, as such, the responsibility for secure deployment, maintenance, and lifecycle management of connected devices is increasingly falling on the operators. This necessitates a move from reactive responses to proactive measures that prioritize layered roots of trust.

Even if the most catastrophic quantum or IoT security breaches are years away, organizations cannot afford to delay preparations. IoT security supply chains must be fortified now to avoid falling victim to increasingly sophisticated threats, as seen in recent attacks by groups like Flax Typhoon. For leadership, the consequences of inadequate preparedness will be steep, particularly with regulations placing accountability directly on CISOs and security teams.

To navigate these challenges, organizations must ground their IoT security strategies in robust guidelines, reliable certificates, and a commitment to continuous improvement. Layered, high-visibility roots of trust across all entities are a preliminary, but requisite, step in the right direction. Organizations must also plan for updatability. Devices that cannot transition away from outdated cryptographic standards, such as SHA-1, have already introduced security risks, leaving both devices and the back-end infrastructure they connect to vulnerable. Quantum advancements will only exacerbate these risks. By adopting these proactive measures, organizations will not only protect themselves from immediate threats but also position their ecosystems to withstand the evolving complexities of the security landscape.

From a product security perspective, developers and OEMs designing IoT devices will need to embed security at every stage of the product lifecycle, ensuring hardware and software integrity before devices even reach the market. This includes implementing secure boot processes, cryptographic modules, and rigorous vulnerability testing during design phases. The Cyber Resilience Act (CRA) is a key driver for these efforts, as it mandates stricter cybersecurity requirements for connected devices, compelling OEMs and IoT designers to prioritize robust security measures to comply with regulations and avoid penalties. Failure to adopt these practices could expose end users and ecosystems to systemic vulnerabilities, amplifying regulatory and reputational risks.

The cybersecurity landscape is entering a new era where adaptability and compliance are paramount. Organizations that act decisively by assessing their cryptographic postures, embracing crypto agility, actively preparing for their PQC transition and fortifying their IoT security supply chains will be best positioned to safeguard their digital ecosystems.