There is an uncomfortable truth that few technology committees in LATAM dare to put on the table: most of the encryption protecting your organization today has an expiration date, and that date is not yours to decide. It is decided by the advance of quantum computing. The most unsettling part is that the clock has already started, even though the machine capable of breaking your encryption does not yet exist. Those who understand this in time act not out of fear, but out of strategy. And the time to start is now.
In short: A sufficiently powerful quantum computer could break much of the asymmetric cryptography that underpins the Internet, digital signatures and secure communications. Although that machine has not yet arrived, the encrypted data you transmit today can be captured now and decrypted tomorrow. The good news: post-quantum cryptography standards are already published, and there is a clear path to migrate in an orderly way.
The security of much of modern systems rests on mathematical problems that classical computers cannot solve in a reasonable time: factoring enormous numbers (the basis of RSA) or computing discrete logarithms over elliptic curves (the basis of ECC). It is not that they are impossible; it is that they would take thousands of years with current technology.
The problem is that a quantum computer does not solve these problems faster: it solves them in a fundamentally different way. Known quantum algorithms would, in theory, allow those keys to be broken down in practical time once stable, sufficiently large-scale hardware exists. It is worth distinguishing two fronts:
Put another way: the lock that seals the envelope (the symmetric key) remains solid; what is fragile is the mechanism by which we exchange and sign the keys to that lock today.
Here is the nuance that changes the entire analysis of timelines. An attacker does not need to wait until they have a quantum computer to start causing harm. They can start today.
The strategy is known as "harvest now, decrypt later": intercepting and storing large volumes of encrypted traffic in the present, waiting for the computing power needed to break it to become available in the future. If your information has value that outlives the passing of years, that future concerns you directly.
Ask yourself how long these data must remain confidential:
If the answer is "ten years or more," then the quantum threat is not a problem for tomorrow: it is a problem for today, because what is encrypted and transmitted now could already be being stored.
Post-quantum cryptography (PQC) is a set of algorithms designed to resist both classical and quantum computers. An important point: it does not require quantum computers to work. It runs on the infrastructure you already have, on conventional processors.
Its security rests on mathematical problems different from factoring and discrete logarithms, for which no efficient quantum algorithms are known. Among the most studied families are those based on lattices, on hash functions, and on codes.
The key fact of this moment is that the standardization work has already borne fruit: post-quantum cryptography standards are published, the result of years of public analysis and scrutiny by the international cryptographic community. This shifts the conversation from "which algorithm will we use?" to "how and when do we migrate?" The technical uncertainty has been reduced; what remains is organizational execution.
If there is a single idea we would want your team to retain, it is this: the goal is not merely to replace one algorithm with another. The goal is to build crypto-agility, that is, the ability to change cryptographic algorithms quickly and at low cost when needed, without rewriting half the system each time.
Many organizations discover, when they try to migrate, that cryptography is rigidly embedded in their code, their devices and their integrations. Changing an algorithm means touching dozens of components that no one documented. Crypto-agility attacks that rigidity at the root:
This is, at its core, an enterprise architecture decision rather than a technical patch. A crypto-agile organization not only survives the post-quantum transition: it stands ready for the next one, whatever it may be.
No one can migrate what they don't know they have. That is why the first tangible deliverable of any serious program is a cryptography inventory: a map of where, how and for what purpose encryption is used across the entire organization.
A useful inventory answers concrete questions:
This exercise almost always reveals surprises: obsolete cryptography in production, unknown dependencies, and critical data protected by fragile mechanisms. Beyond the quantum question, it is one of the most valuable cybersecurity diagnostics an organization can perform for itself.
The objection is understandable: if the quantum computer capable of breaking RSA does not yet exist, why invest today? For three compelling reasons:
Starting now is not alarmism; it is affording yourself the luxury of migrating calmly, in phases and with a planned budget, rather than doing it in a rush under regulatory pressure or after an incident.
No. Post-quantum algorithms run on conventional hardware. They are designed to run on the infrastructure you already have and to resist both classical and quantum attacks.
No, and doing it all at once would be a mistake. The migration is gradual and priority-driven: first you identify the data of highest value and longest confidentiality period, and you advance in phases with approaches that coexist with current cryptography during the transition.
The impact is much smaller. Symmetric cryptography holds up reasonably well and is mitigated by increasing the key size. The urgency is concentrated in public-key cryptography: key exchange and digital signatures.
You run two risks: that sensitive data captured today is decrypted in the future, and that you are forced into a rushed, costly migration when the pressure is at its peak, without the inventory or the agility to execute it in an orderly way.
The post-quantum transition is not a project you resolve in a single quarter, but you can indeed start well in one. The first step is not to buy technology: it is to understand where your cryptography is, which data you must protect for longer, and how agile your architecture is to change when needed.
At SUMāTO we help organizations across LATAM build that diagnosis and chart a realistic migration roadmap, aligned with their architecture and risk appetite. If you want to turn a future threat into a present advantage, let's talk. The best time to prepare for tomorrow's encryption is today.