Ask Chuck Herrin how many enterprises are actively preparing for post-quantum cryptography, and he doesn't hesitate. Single-digit percentage. That's his answer. Single digit.
Herrin spent nearly 20 years as a CISO — including leadership roles at AIG and Texas Capital Bank — before joining F5 as Field CISO. He's been standing on desks about post-quantum readiness for two years. Earlier on Thursday at F5 AppWorld 2026 in Las Vegas, F5 CISO Chris Berger suggested two years as a reasonable planning horizon for post-quantum readiness. Herrin doesn't disagree with the number. He disagrees with what most organizations are doing with it.
"It's going to be an emergency we've seen coming for 20 years," he said during an interview after the keynote.
The gap between the urgency of the problem and the pace of enterprise response is well documented. What's less understood is how fast the technical timeline is collapsing — and what the real target should be for organizations that want to get ahead of it.
The Qubit Estimate Has Already Collapsed
For years, the prevailing assumption in the security community was that cracking RSA-2048 encryption would require roughly 20 million noisy qubits. That number felt safely distant. It gave organizations a sense that post-quantum threats were a 2030 problem, maybe a 2035 problem.
That estimate is no longer operative.
A Google paper published in May 2025 reduced the qubit requirement by approximately 95%. Then, Quantinuum demonstrated something even more consequential: logical qubit stability maintained beyond the lifespan of individual physical qubits. The engineering problem that had always constrained quantum computing — how to keep qubits stable long enough to be useful — was solved by creating an assembly line of qubits that continuously refreshes itself.
The result is that the physical qubit count estimates that everyone had been tracking — figures in the range of tens of thousands rather than millions — are now plausible near-term targets rather than distant theoretical milestones.
Herrin's framing cuts through the technical complexity: stop debating qubit counts. The direction is clear, and the rate of progress is accelerating. "Whether it's AI, quantum computing, or a hybrid of both," he said, "the encryption we've been relying on is no longer sufficient."
That's the actual headline. The mechanism matters less than the conclusion.
Harvest Now, Decrypt Later Is Already Happening
The most immediate post-quantum threat doesn't require a working quantum computer. It requires data storage and patience.
Harvest now, decrypt later attacks work exactly the way they sound. Nation-state adversaries are capturing encrypted data today with the intention of decrypting it once the cryptographic capability exists. The data is useless to them right now. It won't be forever.
Herrin points to the NSA's long-documented data collection practices as context. The infrastructure for large-scale data capture already exists at the nation-state level. What's being built alongside it, actively and rapidly, is the decryption capability.
The canary he watches: the original Bitcoin holdings attributed to Satoshi Nakamoto — approximately one million coins that have never moved. Those early Bitcoins used an address format that exposed the public key, making them particularly vulnerable to quantum attacks. If those coins suddenly move, it's a signal that someone has developed the capability to break that cryptography. It won't be announced. It will just happen.
The threat extends beyond data theft. A working quantum computer doesn't just decrypt captured data — it can attack root certificate authorities, generating mathematically valid digital certificates that have no legitimate origin. When that happens, the entire chain of trust that the internet runs on breaks down. Non-repudiation breaks down. Every system that assumes a valid digital signature means something faces a structural problem with no quick fix.
The Real Target Is Crypto Agility
A common organizational response to post-quantum risk is to begin planning for the implementation of NIST ciphers. NIST has published its post-quantum cryptographic standards. Organizations assume implementing them is the goal.
Herrin argues that's too narrow. The real target is crypto agility — the ability to roll cryptographic standards quickly as the landscape evolves.
The reason is that post-quantum cryptography isn't a single global standard. China is not adopting NIST ciphers. The Chinese government has released its own post-quantum cryptographic framework. Europe may take a different path. The New Zealand government, as one example, estimates it will need two years to implement once it selects its ciphers — and that's after the selection decision is made. A multinational enterprise operating across those jurisdictions faces multiple conflicting compliance requirements, on different timelines, with no unified answer.
The organizations that navigate this successfully won't be the ones that implemented the right cipher in 2026. They'll be the ones who built the operational muscle to change ciphers quickly when the standards shift. That's a fundamentally different capability than a one-time migration project.
For most enterprises, building that muscle requires changes to how cryptographic dependencies are tracked, how certificate management is automated, and how quickly security teams can execute a cipher rollout across distributed infrastructure. None of that happens fast if you haven't started.
The Board Conversation
Getting post-quantum risk onto a board agenda has historically been difficult. The threat feels abstract, the timeline feels uncertain, and there's no shortage of more immediate problems competing for budget and attention.
Herrin's advice for CISOs making this case: stop talking about qubits. No CFO thinks post-quantum cryptography is core to their business. The framing that lands is business continuity and supply chain risk. If your encrypted data is being captured today and becomes readable in three years, that's not a future IT problem. That's a present business risk with a delayed detonation.
He heard a banker put it simply at a recent industry gathering: "If you can't keep your secrets, you don't get to be a bank anymore."
That framing works because it connects the threat to something boards already care about: the ability to operate. Post-quantum isn't a compliance checkbox. It's an existential readiness question for any organization whose value depends on keeping certain information private.
His practical recommendation: appoint someone whose specific job is post-quantum readiness. Not as a side project for the security team, but as a defined accountability. The organizations that made progress on GDPR, on SOC 2, on zero trust — all of them had someone whose job it was. Post-quantum needs the same treatment.
Herrin draws a parallel to how the Equifax breach changed the security conversation a decade ago. Before Equifax, CISOs struggled to get meaningful time with executives. After Equifax, boards started asking questions. Security moved up the agenda because the cost of inaction became concrete and visible.
Post-quantum will have its Equifax moment. The difference is timing. By the time it happens, the data that organizations failed to protect will already be gone. There is no incident response playbook for encrypted data captured years ago that is now readable.
What Vendors Keep Getting Wrong
Herrin spent the latter part of the interview on a broader frustration: most security vendors don't understand the operational realities of the organizations they're selling to.
The gap he sees most consistently is geopolitical complexity. A CISO managing operations across 100 countries doesn't have a single legal framework to work within. US law and French law collide. Local data sovereignty requirements conflict with centralized security architecture. A vendor that walks in and says "implement these NIST ciphers" without understanding that the organization operates in jurisdictions that don't recognize NIST standards hasn't done the work.
The root cause, in his view, is that most security vendors have never sat in the defender's chair. They haven't lived the experience of trying to execute a security program across a complex, geographically distributed enterprise under competing legal and regulatory pressures. They understand their product. They don't always understand the buyer's problem.
That gap matters most during moments of genuine complexity — which is exactly when buyers most need vendors to understand what they're actually dealing with.
What Enterprises Should Be Doing Now
Herrin's guidance isn't to implement every NIST post-quantum cipher immediately. That's neither practical nor sufficient on its own.
The starting point is inventory: knowing what cryptographic algorithms are running where, what data they protect, and how long that data needs to stay confidential. Most enterprises don't have complete visibility into their cryptographic dependencies. You can't build crypto agility if you don't know what you're working with.
The second step is prioritization. Not everything needs to be migrated at the same time. Data with a long sensitivity window — intellectual property, regulated records, strategic communications — is the highest priority. Data that's already public or has a short shelf life can wait.
The third step is architecture. Crypto agility is a design principle, not a product you install. Systems built to make cryptographic algorithms easy to swap are in a fundamentally different position than systems where the cipher is hardcoded three layers deep. If the New Zealand government needs two years to implement after selecting ciphers, an enterprise that hasn't started that selection process is further behind than it realizes.
F5 is shipping post-quantum readiness features now — hybrid TLS cipher groups, NIST-compliant ciphers in BIG-IP, quantum-resistant VPN tunneling — as the infrastructure layer organizations can build on. But the infrastructure is only as useful as the organizational readiness around it.
The window to build that readiness is open. Given how quickly the technical timeline is progressing, it may not be open for as long as most organizations assume.