The 128-Bit Reality

Most companies selling post-quantum encryption are peddling snake oil and pump-and-dumps.

Quantum's not here now. So turn your PQE company into a unicorn, get acquired, and let it be someone else's problem when reality hits.

After 20 years as a CISO, CIO, and CTO managing encryption strategies, I'm calling it.

What this means for the CIO, CTO, and CISO

128-bit encryption is about as quantum-proof as encryption can be while remaining manageable. Update to modern encryption standards and stop there. Don't chase the PQE hype.

The real solution is data governance, not exotic algorithms. When you know what needs protection, you can focus resources appropriately instead of encrypting everything with maximum overhead.

Most PQE vendors are selling fear of a future problem to fund their present valuations. Be skeptical. Demand evidence of current value, not theoretical future necessity.

The inside perspective

When I was responsible for encryption decisions, I learned that the best security comes from getting the basics right, not from chasing the bleeding edge.

Every time we over-engineered encryption, we created more problems than we solved. Performance suffered. Key management became a nightmare. Systems that needed to interoperate couldn't. We'd spend months implementing the most sophisticated encryption available, then discover that the actual vulnerability was a misconfigured access control or an unpatched system.

The organizations I led that had the best security outcomes weren't the ones with the most sophisticated encryption. They were the ones that knew what needed protecting and focused resources there. They used appropriate encryption for appropriate data. They didn't encrypt everything to the maximum because "more encryption is always better."

More encryption isn't always better. Appropriate encryption, consistently applied, with proper key management: that's what's better.

The organizations with the best security outcomes weren't the ones with the most sophisticated encryption. They were the ones that knew what needed protecting and focused resources there.

The outside observation

Now I watch the industry push post-quantum encryption as an urgent priority.

Vendors are creating FUD about "harvest now, decrypt later" attacks. Standards bodies are releasing complex new algorithms. Conferences are full of quantum apocalypse presentations. The message is clear: if you're not implementing PQE now, you're already compromised.

It's a masterclass in manufactured urgency.

Here's what I see from the analyst seat. Vendors who can't demonstrate current value are selling future fear. PQE companies that don't have customers who need their product today are selling to customers who might need it someday. The business model depends on the threat being imminent enough to justify investment but distant enough that the product never has to actually work.

That's the perfect setup for snake oil. Sell the fear. Collect the money. Exit before anyone realizes the threat timeline was wrong or the solution didn't work.

Vendors who can't demonstrate current value are selling future fear. The business model depends on the threat being imminent enough to justify investment but distant enough that the product never has to actually work.

The uncomfortable truth

Quantum computing might not work the way we think it does.

Let me explain what I mean. There's a fundamental belief that quantum computers do all math well and will therefore break all encryption. This is very much not true.

Some math that traditional computers find easy is actually hard for quantum computers. Some math that traditional computers find hard is easy for quantum computers. The relationship is complex, not unidirectional.

This is why the solution isn't "replace everything with quantum-resistant algorithms." The solution is understanding which encryption approaches are vulnerable to quantum and which aren't, then making appropriate choices.

The PQE vendors don't want you to understand this nuance. The nuanced story is: "Some encryption needs updating. Some is fine. Evaluate your specific situation." That story doesn't create urgency. It doesn't justify massive investments. It doesn't fund unicorn valuations.

So they tell the simple, scary story instead: "Quantum breaks everything. Buy our solution."

The 128-bit sweet spot

Here's the practical reality that the PQE industry doesn't want you to know.

128-bit encryption is about as quantum-proof as encryption can be while remaining manageable. It's the sweet spot.

Modern 128-bit symmetric encryption (AES-128) provides security that would take quantum computers impractically long to break. The math works out. The overhead is reasonable. The implementations are mature and widely tested.

256-bit encryption is stronger in pure cryptographic terms. But here's the thing: it's really only necessary for truly top-secret data. Government classification systems. Nuclear secrets. The stuff that needs to remain secure for 50 years or more against adversaries with unlimited resources.

For enterprise data? 128-bit is appropriate. The additional overhead of 256-bit, roughly double the computational cost for encrypt and decrypt operations, provides marginal security benefit for most use cases.

Here's the key insight: if it's good enough for TOP SECRET classification, it's probably good enough for post-quantum encryption of your enterprise data.

Don't pay the overhead tax when you're likely to get no benefit from it.

The harvest now, decrypt later myth

The PQE industry's favorite fear story is "harvest now, decrypt later" (HNDL). The narrative goes: adversaries are capturing encrypted traffic today, storing it, and waiting for quantum computers to decrypt it later.

Let's examine this rationally.

Is HNDL possible? Yes. Nation-state adversaries with massive storage capacity could theoretically be capturing encrypted traffic for future decryption.

Is HNDL probable for your data? That depends entirely on what your data is and how long it remains valuable.

Most enterprise data has a limited shelf life. Customer transactions from 2024 aren't valuable intelligence in 2040. Last quarter's sales figures don't justify the cost of storing petabytes of encrypted traffic for decades.

The data that's genuinely vulnerable to HNDL is data that remains valuable for 15 to 20 years or more AND is targeted by nation-state adversaries with massive resources AND is transmitted in ways that can be captured AND would justify the storage and processing costs of harvest-and-wait attacks.

That's a very specific subset of data. It's not "everything your enterprise transmits."

The rational response isn't "encrypt everything with PQE." It's "identify which data has long-term sensitivity, apply additional protection to that specific data, and use appropriate modern encryption for everything else."

The standards body problem

The industry points to NIST standards like CRYSTALS-Kyber as evidence that PQE is mature and necessary.

I have concerns about how standards bodies operate.

Most standards bodies are too democratic in nature. A bunch of people get together and pick the thing they can all agree on, which tends to be the lowest common denominator, not the highest. The most acceptable solution, not necessarily the best solution.

Standards also tend to be convoluted and complicated. Multiple constituencies need to be satisfied. Edge cases need to be addressed. The result is often more complex than necessary for most use cases.

CRYSTALS-Kyber is a consensus choice. That doesn't make it wrong. But it also doesn't mean it's optimal for your specific situation, or that you need to implement it immediately, or that the threat timeline justifies the implementation cost.

Standards body approval means "this approach has committee consensus." It doesn't mean "you need this now" or "this is the only solution to your problem."

The real solution: data governance plus appropriate encryption

Here's what actually works.

The PQE conversation is really a data governance conversation in disguise. The right question isn't "how do we encrypt everything with quantum-resistant algorithms?" It's "what data do we have, how long is it sensitive, and what level of protection is appropriate?"

When you have no data governance, when you don't know what data you have or how sensitive it is, you end up treating everything the same way. Either you under-encrypt (risky) or you over-encrypt (wasteful and operationally burdensome).

When you have good data governance, when you know what's truly sensitive and for how long, you can make rational decisions:

• Short-term sensitivity (under 5 years). Most enterprise data. Standard modern encryption (AES-128) is entirely appropriate.
• Medium-term sensitivity (5 to 15 years). Strategic data, some PII, competitive intelligence. Enhanced encryption (AES-256) provides additional margin.
• Long-term sensitivity (15 years or more). Genuinely critical data targeted by sophisticated adversaries. Evaluate PQE specifically for this narrow subset.

The answer isn't "implement PQE everywhere." The answer is "implement governance so you know where PQE might actually be necessary."

The knock-on effects

When you get data governance and encryption right, based on actual classification rather than vendor fear, everything else improves.

• Reduced overhead. You're not paying the performance tax of maximum encryption on data that doesn't need it.
• Simpler key management. Fewer encryption tiers means simpler key management, which means fewer opportunities for key-related failures.
• Better resource allocation. Security investment goes to actually sensitive data instead of spreading thin across everything.
• Smaller attack surface. When you know what matters, you can reduce the data you retain. Less data means less to protect.
• Focused security posture. Instead of "encrypt everything and hope," you have "protect what matters appropriately," a defensible, rational strategy.
• Future-ready. When quantum does mature, if it works as theorized, you know exactly which subset of data needs updating. You're not scrambling to re-encrypt everything.

Signs your encryption strategy is wrong

Both extremes create problems.

Signs you're over-encrypting (chasing PQE hype):

• Implementing PQE enterprise-wide without data classification
• Significant performance degradation from encryption overhead
• Key management complexity causing operational issues
• Can't articulate which data justifies the additional protection
• Encryption budget growing faster than other security investments
• Vendors can't demonstrate current value, only future necessity

Signs you're under-encrypting (ignoring reality):

• Still using encryption standards from the previous decade
• No encryption at rest for sensitive data stores
• Key management is informal or undocumented
• Can't identify which data is encrypted and which isn't
• Encryption decisions made ad-hoc by individual teams
• No visibility into encryption coverage across the enterprise

Signs you're getting it right:

• Data classification drives encryption decisions
• Modern standards (AES-128 or AES-256) applied appropriately
• Key management is formalized and audited
• PQE evaluated only for specific high-sensitivity subsets
• Encryption overhead is proportional to protection value

What I'd tell my former self

If I had known then what I know now:

I would start with data governance, not encryption technology. You can't make good encryption decisions without knowing what you're protecting and why.

I would resist vendor pressure to over-encrypt. More encryption isn't always better. Appropriate encryption, properly managed, is better.

I would be deeply skeptical of threats that require massive investment against speculative future risks. If the ROI depends on a threat that might materialize in 10 to 15 years, the ROI calculation is mostly fiction.

I would apply zero trust principles to vendor claims. Never trust. Always verify. Especially when the vendor's business model depends on the threat being real.

I would focus on getting the basics right first. Sophisticated encryption means nothing if you have misconfigured access controls, unpatched systems, or compromised credentials.

Zero trust encryption strategy

Apply zero trust principles to your encryption decisions.

Never trust vendor claims. Demand evidence of current value. Be skeptical of threats with speculative timelines. Verify claims against independent sources. Evaluate vendor business models for misaligned incentives.

Assume incomplete information. Quantum timeline is uncertain. Algorithm security may change. Standards will evolve. Build for adaptability, not permanence.

Minimize blast radius. Don't over-encrypt everywhere. Focus maximum protection on highest-sensitivity data. Reduce data retention to reduce encryption scope. Segment encryption tiers based on classification.

Verify continuously. Audit encryption coverage regularly. Reassess classification as data ages. Monitor for algorithm vulnerabilities. Update standards incrementally based on evidence, not vendor pressure.

The 2026 prediction

Enterprises that chase post-quantum encryption standards and make large PQE investments in 2026 will waste resources.

The quantum threat timeline will continue to slip. The PQE implementations will create operational overhead without delivering proportional value. The vendors will keep raising fear while pushing back the date when quantum becomes real.

Meanwhile, the enterprises that focused on fundamentals, modern 128-bit encryption, proper data governance, appropriate classification, will be better protected against the threats that actually exist today. And they'll be positioned to adopt quantum-resistant approaches when and if they're actually needed.

The quantum threat may be real eventually. The current opportunity cost of chasing it is real right now. Invest accordingly.

The playbook for rational encryption

Five steps to implement a rational encryption strategy in 2026.

1. Implement data governance first. You can't make rational encryption decisions without knowing what you're protecting. Classification comes before encryption selection.
2. Classify data by sensitivity duration. How long does this data need to remain confidential? 5 years? 15 years? 50 years? That answer determines the encryption tier, not vendor FUD.
3. Deploy modern encryption appropriately. AES-128 for most enterprise data. AES-256 for high-sensitivity data. Evaluate PQE only for the specific subset of data with 15-plus year sensitivity AND nation-state adversary threat.
4. Formalize key management. The encryption algorithm matters less than proper key management. More encryption failures come from key management mistakes than from algorithm weaknesses. Get this right.
5. Monitor and adapt incrementally. Reassess classification as data ages. Monitor for algorithm vulnerabilities. Update standards based on evidence, not vendor pressure. Don't do wholesale transformation based on speculative threats.

KPIs to measure encryption effectiveness

• Data classification coverage. Target: 100% of sensitive data classified. Foundation for rational decisions.
• Encryption-to-classification alignment. Target: 100% match. Appropriate protection applied.
• Key management audit score. Target: passes quarterly audit with no critical findings. Operational security.
• Encryption overhead ratio. Target: performance impact proportional to data sensitivity. Efficiency of encryption investment.
• PQE scope containment. Target: PQE limited to justified subset only. Rational adoption, not hype-driven.

If you're measuring encryption effectiveness by vendor checkboxes instead of business-aligned metrics, you're measuring the wrong things.

Internal conversations

What to tell your CFO when they ask about quantum encryption:

Most PQE vendors are selling fear of a speculative future threat to fund present valuations. We should be skeptical. Our investment should be proportional to current evidence, not vendor FUD. Modern encryption handles current threats. PQE is for specific future scenarios. A governance-driven approach, know what we have, classify it, protect appropriately, costs less and protects better than enterprise-wide PQE transformation.

What to tell your board when they ask if you're prepared for quantum:

We're not ignoring the quantum threat. We're being rational about it. The timeline is uncertain and the threat is specific to certain data types. Our approach: appropriate encryption based on data sensitivity. Modern encryption for most data. Enhanced protection for the subset that might need it. We'll adopt PQE for specific data subsets when the evidence justifies the investment. We won't do enterprise-wide transformation based on speculation.

What to tell your security team when they want to implement PQE:

Data governance must precede encryption decisions. We can't choose appropriate protection without knowing what we're protecting. Don't over-encrypt. Encryption overhead has real operational cost. Apply maximum protection where it's justified, not everywhere. Focus on key management. More encryption failures come from key management mistakes than from algorithm weaknesses. Get the basics right.

What to tell PQE vendors when they pitch you:

Show me current value, not future fear. What problem does this solve for me today? Which of my data specifically needs this level of protection? Help me understand the use case. What's your business model if the quantum timeline slips another decade? I want to understand your incentives.

To security leaders

Don't let vendors scare you into massive PQE investments.

The quantum threat is real in theory. The timeline is speculative. The current opportunity cost of massive PQE transformation is certain.

Focus on data governance first. Classify what you have. Apply modern encryption appropriately. Evaluate PQE for specific subsets where the threat model actually justifies it.

That's a defensible, rational strategy. "We bought PQE because the vendor scared us" is not.

To boards

When your CISO asks for budget for post-quantum encryption, ask them what they've done for data governance first.

If the answer is "nothing," redirect the funds. You can't make rational encryption decisions without knowing what you're protecting. Governance before encryption. Always.

If they have governance in place, ask which specific data classification justifies PQE investment. The answer should be narrow and specific, not "everything."

To PQE vendors

Demonstrate that your technology solves a problem that exists today.

"Harvest now, decrypt later" isn't the crisis you're selling, not for most enterprise data. Most data doesn't remain sensitive for 15 to 20 years. Most enterprises aren't targeted by nation-states with unlimited storage capacity.

Build products that deliver current value, not future fear. Compete on merit, not manufactured urgency. The enterprises that matter will eventually need quantum-resistant encryption. Earn their business by being trustworthy, not by being scary.

A note on analyst culture

Most analyst coverage of post-quantum encryption treats vendor claims uncritically.

The reports describe the quantum threat in apocalyptic terms. The recommendations push urgent adoption. The market forecasts assume hockey-stick growth as enterprises rush to protect themselves.

Where's the skepticism? Where's the analysis of vendor business models? Where's the acknowledgment that the quantum timeline is highly uncertain and has been slipping for decades?

Analyst coverage that amplifies vendor fear without critical examination isn't analysis. It's marketing.

Rational, evidence-based security decisions are the goal. When the evidence for urgent action is speculative, say so. When vendors have misaligned incentives, point it out. That's what analysis should be.

The bottom line

If 128-bit encryption is good enough for TOP SECRET classification, it's probably good enough for your enterprise. Focus on data governance and key management, not exotic algorithms. The current opportunity cost of chasing quantum is certain. The future threat is speculative.