Data-retention triage for harvest-now-decrypt-later risk

Harvest-now-decrypt-later risk is easy to explain and hard to prioritize. An attacker records encrypted data now and waits for future capability to decrypt it. The phrase can make every encrypted archive sound equally urgent. They are not.

The practical work is data-retention triage. Which information would still be valuable if exposed in five, ten, or fifteen years? Which systems carry that information? Which protections can be upgraded soon, and which require a longer migration path?

Rank data before ranking systems

A system is urgent because of the data and trust it protects. Long-lived confidentiality is the key signal. Examples often include trade secrets, product designs, sensitive legal material, regulated personal data, authentication material, government information, and strategic business records.

Short-lived operational data may still matter, but it does not automatically deserve the same migration priority as information that remains damaging for a decade.

A simple triage model

  • Confidentiality lifetime: how long would disclosure cause harm?
  • Adversary interest: who would benefit from storing this data now?
  • Exposure path: where could encrypted traffic or archives be collected?
  • Cryptographic dependency: which public-key mechanisms protect access, transport, or key wrapping?
  • Migration friction: what blocks change (protocol, vendor, hardware, certification, or customer compatibility)?

Do not confuse panic with urgency

Good triage reduces panic because it gives teams a defensible order of work. It may show that some data needs immediate controls, some needs monitoring and roadmap pressure, and some can wait for normal platform updates. That is a better conversation than treating every RSA certificate as the same business risk.

Controls while migration is underway

Migration will take time. During that time, teams can reduce exposure by shortening retention where possible, segmenting sensitive flows, improving key management, limiting capture points, strengthening access controls, and documenting exceptions. These controls do not replace PQC migration, but they reduce the amount of long-lived sensitive material available for collection.

The 2026 deliverable

Create a retention-risk register for the top data classes. Map each class to systems, cryptographic dependencies, owners, and planned migration actions. If the register is short, clear, and maintained, it will do more for quantum readiness than a long generic policy nobody uses.
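As an added example, not code from the original post, here is the triage model and the register deliverable in one small Python script: each data class is scored on the five factors, placed in one of the three tiers named under "Do not confuse panic with urgency", and emitted as a register row with owner, systems, cryptographic dependencies and a planned action. The weights, thresholds, tier rules, keyword list and sample data classes are assumptions made for illustration, not figures from the post.

```python
from dataclasses import dataclass, asdict
# Pre-quantum key agreement / wrapping mechanisms (coarse keyword match, constructed; extend to your inventory)
PUBLIC_KEY_MECHANISMS = ("RSA", "ECDH", "DH", "X25519")
ACTIONS = {  # planned action per tier; urgent classes with high friction get interim controls instead
    "immediate controls": "move transport or key wrapping to PQC in the next release",
    "monitoring and roadmap pressure": "get vendor/roadmap commitment; re-triage each quarter",
    "normal platform updates": "pick up PQC with normal platform updates",
}
INTERIM = "interim controls now (shorten retention, limit capture points); track migration"
@dataclass
class DataClass:
    name: str
    owner: str
    systems: list[str]
    crypto_dependencies: list[str]  # e.g. "TLS 1.2 with RSA key exchange"
    lifetime_years: int             # how long disclosure would still cause harm
    adversary_interest: int         # 0 (nobody) .. 3 (nation-state or direct competitor)
    exposure: int                   # 0 (never leaves an enclave) .. 3 (crosses public networks)
    friction: int                   # 0 (config change) .. 3 (hardware, certification, customers)

def depends_on_public_key(dc: DataClass) -> bool:
    return any(m in dep.upper() for dep in dc.crypto_dependencies for m in PUBLIC_KEY_MECHANISMS)

def triage(dc: DataClass, horizon_years: int = 10) -> str:  # the three tiers the post describes
    long_lived = dc.lifetime_years > horizon_years   # harm outlives the migration horizon
    collectable = dc.exposure >= 2 and depends_on_public_key(dc)
    if long_lived and collectable and dc.adversary_interest >= 2:
        return "immediate controls"
    if long_lived or (collectable and dc.lifetime_years >= horizon_years // 2):
        return "monitoring and roadmap pressure"
    return "normal platform updates"

def score(dc: DataClass) -> int:  # ordering key: confidentiality lifetime dominates
    lifetime_band = min(dc.lifetime_years // 5, 3)   # 0-4y:0, 5-9y:1, 10-14y:2, 15y+:3
    return lifetime_band * 3 + dc.adversary_interest * 2 + dc.exposure + int(depends_on_public_key(dc))

def build_register(classes: list[DataClass], horizon_years: int = 10) -> list[dict]:
    rows = []  # register rows (owner, systems, dependencies, tier, planned action), most urgent first
    for dc in classes:
        tier = triage(dc, horizon_years)
        action = INTERIM if tier == "immediate controls" and dc.friction >= 2 else ACTIONS[tier]
        rows.append({**asdict(dc), "tier": tier, "score": score(dc), "planned_action": action})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

SAMPLE = [  # constructed sample data classes, not a real inventory
    DataClass("product designs", "engineering", ["PLM", "site-to-site VPN"], ["IPsec IKEv2 with ECDH"], 15, 3, 3, 3),
    DataClass("session telemetry", "platform", ["metrics pipeline"], ["TLS 1.3 X25519"], 1, 1, 2, 0),
    DataClass("HR records", "people ops", ["HRIS", "backup vault"], ["RSA-wrapped backup keys"], 12, 2, 1, 1),
]
```

Running `build_register(SAMPLE)` ranks the product designs first with interim controls (long-lived, collectable, high friction), the HR records second for roadmap pressure (long-lived but not on a capture path), and the telemetry last for normal updates even though it crosses a pre-quantum key exchange, because its confidentiality lifetime is short.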

Further reading: CISA Post-Quantum Cryptography Initiative, NIST PQC project, NIST CSWP 39 on crypto agility.