Mar 26 2026
Security

RSAC 2026: IBM Sets Its Sights on Q-Day and Post-Quantum Readiness

IBM’s Suja Viswesan explains why post-quantum cryptography is a continuous journey, not a single deadline. And IBM’s RSAC discussions show why urgency is accelerating.

The idea of Q-Day — the theoretical moment when quantum computers will be able to break modern cryptography — has long hovered at the edge of cybersecurity discussions. But according to Suja Viswesan, IBM’s vice president of technology, that moment is no longer theoretical. It’s inevitable, and many organizations are already behind.

“Quantum compute is coming,” Viswesan said in a conversation at RSAC 2026. “We were talking about it for the last two years. What happened last year was more regulators, and everybody like, ‘OK, this is not some far-fetched dream. It’s coming in a few years.’”

That uncertainty is precisely what makes the threat so challenging. While estimates often place Q-Day sometime between 2030 and 2033, Viswesan emphasized that waiting for a precise date is the wrong approach. The shift underway isn’t about a single breaking point; it’s about continuous adaptation.

“This is not a Y2K problem that you fix after Q-day,” she explained. “It’s continuous work. ‘Crypto-agility’ is the word.”

From Theory to Urgency

What changed over the past year, Viswesan noted, is not the science, but the response. Regulators, financial institutions and healthcare organizations are now treating quantum risk as immediate: “Customers are coming to us and saying, ‘I don’t know what to do. How do I get ready?’”

Regulatory pressure is accelerating that urgency. For example, certificate rotation cycles — once measured in months — are expected to shrink dramatically. By the end of the decade, organizations may need to rotate cryptographic certificates every 47 days, forcing a shift toward automation and visibility.

RSAC 2026 also reflected this growing momentum. Across sessions and vendor discussions, the focus shifted from awareness to execution, particularly around crypto-agility and quantum-safe architectures.

Industry leaders at the event emphasized practical steps such as gaining visibility into cryptographic assets, implementing agile encryption frameworks and aligning with emerging post-quantum standards from the National Institute of Standards and Technology.

The “Harvest Now, Decrypt Later” Problem

One of the most pressing concerns discussed both by IBM and across RSAC sessions is the “harvest now, decrypt later” strategy. Attackers can capture encrypted data today and decrypt it once quantum capabilities mature.

This aligns with academic research showing that widely used cryptosystems such as RSA and elliptic curve cryptography could eventually be broken by Shor’s algorithm, which enables efficient factorization on quantum machines.

While today’s quantum hardware still faces limitations — including instability and scale challenges — researchers agree that the trajectory is clear.

That reality is why organizations must act before Q-Day arrives.

Visibility Before Protection

For Viswesan, the first step isn’t replacing algorithms — it’s understanding where cryptography exists in the first place.

“I cannot fix things that I don’t know,” she said. “Visibility is the most important thing.”

IBM’s approach focuses on mapping cryptographic assets — including certificates, secrets and application programming interface keys — across environments. Once identified, organizations can begin prioritizing risk and introducing controls such as proxy layers to “buy time” before full post-quantum upgrades are available.

This mirrors broader industry guidance. RSAC discussions repeatedly highlighted encryption visibility and governance as foundational capabilities for quantum readiness.

The Role of AI and Nonhuman Identities

Complicating the challenge is the rise of AI-driven systems and agentic identities — nonhuman actors that interact with systems autonomously.

“The nonhuman identity, part of it is not helping this cause, because with everything that we were doing before, you could have biometrics and multifactor authentication. What do you do with agents?” Viswesan asked.

“Now, it's nondeterministic. I don’t know what it’s going to do, because each agent has their own agency to go do something on your behalf.”

These systems expand the attack surface significantly. Secrets, certificates and embedded credentials — once static — are now being accessed and exploited at machine speed. AI-driven attackers can identify vulnerabilities far faster than human adversaries.

Emerging research reinforces this concern, proposing “quantum-secure by construction” architectures that embed post-quantum protections directly into AI systems rather than retrofitting them later.

What Small Businesses Should Do

While much of the conversation focuses on large enterprises, Viswesan stressed that smaller organizations are not exempt.

Her advice was straightforward: Rely on vendors, but ask the right questions.

“Are you quantum safe? If not, what is your roadmap?” she said.

This shift mirrors earlier security transitions, but with higher stakes. Organizations that delay may face not only higher costs but also competitive disadvantage.

“The longer they wait, the bigger the problem is going to be,” she warned.
