Rik Ferguson argues that the most consequential decision an organization will make about quantum computing is not a future one: it is the procurement choice sitting in front of it today. At Infosecurity Europe 2026, Sean Martin sits down with him to unpack why harvest-now, decrypt-later attacks turn encrypted data into a liability long before Q Day arrives.
⬥EPISODE NOTES⬥
At Infosecurity Europe 2026, Sean Martin sits down with Rik Ferguson, Vice President of Security Intelligence at Forescout, a day before Rik Ferguson takes the keynote stage with a deliberately provocative title: "Post-Quantum Cryptography Is a Way Off. We Can Wait, Can't We?" The honest answer, he says, is that waiting is a choice, and it is the wrong one.
The threat is neither theoretical nor distant. Rik Ferguson walks through why the infrastructure for harvest-now, decrypt-later attacks already exists, pointing to Salt Typhoon, to BGP rerouting by unfriendly nations, and to intelligence agencies stockpiling encrypted data they cannot read yet but expect to read later. With NIST placing Q Day around 2035, Google pointing at 2029, and IBM's fault-tolerant Starling system slated for 2029, the distance between "someday" and "the hardware you purchase this year" has effectively closed.
Sean Martin keeps steering the conversation back to the business. The parallel both of them keep returning to is Y2K, which became a non-event precisely because people did the work. The quantum question, Rik Ferguson argues, is not only about security or resilience but also about budget and procurement: which data has a long enough shelf life to still matter when it is finally decrypted? Pharmaceutical R&D, merger and acquisition strategy, sovereign debt positions, and legal negotiations all live under an assumed umbrella of privacy that encryption may not hold.
The most unsettling point is what a harvest-now attack does to incident response. There is no time-bounding. Adversaries could have been collecting for a decade, and the first sign of trouble arrives only when the data is weaponized or made public, leaving the investigation disabled by chronology alone.
Rik Ferguson closes with a message that reaches past cryptography itself: as attacks move toward autonomy, defense has to as well, which is why he wants the industry to move past Assume Breach and into Assume Autonomy.
⬥HOST⬥
Sean Martin, CISSP -- Co-Founder, ITSPmagazine & Studio C60 | Host, Redefining CyberSecurity Podcast & Music Evolves Podcast | https://www.seanmartin.com/
⬥GUEST⬥
Rik Ferguson, Vice President of Security Intelligence, Forescout | https://www.linkedin.com/in/rikferguson/
⬥RESOURCES⬥
Infosecurity Europe 2026 is taking place June 2-4, 2026 | ExCeL London -- Follow our coverage: https://www.itspmagazine.com/infosecurity-europe-2026-infosec-london-cybersecurity-event-coverage
The Future of Cybersecurity Newsletter | https://www.linkedin.com/newsletters/7108625890296614912/
Redefining CyberSecurity Podcast | https://www.seanmartin.com/redefining-cybersecurity-podcast
On Location | https://www.itspmagazine.com/on-location
The Quantum Threat Is Already a Business Decision You're Making Today | An On Location Conversation at Infosecurity Europe 2026 with Rik Ferguson, Vice President of Security Intelligence
[0:09] Sean Martin: All right, so we're rolling. Rik, how are you, man?
[0:20] Rik Ferguson: I'm good. Very good. Day one.
[0:22] Sean Martin: So good to see you.
[0:24] Rik Ferguson: Likewise.
[0:24] Sean Martin: We see you all over the place.
[0:25] Rik Ferguson: Wonderful view.
[0:27] Sean Martin: Not all the time. We get a chance to sit down, and it's rare.
[0:31] Rik Ferguson: Rare.
[0:31] Sean Martin: It's rare, yeah.
[0:32] Rik Ferguson: It is.
[0:32] Sean Martin: Rare. So we're doing a keynote here, a day-two keynote.
[0:35] Rik Ferguson: Yeah. I just got the news that I've been shuffled forward by an hour. Apparently the speaker in front of me is delayed, so it's 10 o'clock tomorrow morning.
[0:42] Sean Martin: And the topic is post-quantum.
[0:46] Rik Ferguson: Yep. So the...
[0:48] Sean Martin: What's the acronym? PQ...
[0:49] Rik Ferguson: PQC. Post-Quantum Cryptography. The title of the presentation is "Post-Quantum Cryptography Is a Way Off. We Can Wait, Can't We?" And of course the message is: we can't wait, can we?
[1:02] Sean Martin: We can...
[1:03] Rik Ferguson: You can wait if you want to. It's a choice.
[1:04] Sean Martin: A choice.
[1:04] Rik Ferguson: The basic premise of the presentation is this: we know the infrastructure for harvest-now, decrypt-later attacks exists. We know the desire to exfiltrate encrypted information exists. We know it's happening, with Salt Typhoon as one example. And when I say we know the infrastructure exists, that dates all the way back to BGP attacks, where we've seen various unfriendly nations using BGP to route traffic through their own networks and infrastructure, China and Russia among them. The technical capability exists. The desire to steal encrypted information exists. Salt Typhoon, but not only Salt Typhoon, our own agencies are doing it too. We know that because of material released by Snowden, because of what GCHQ have been doing. In the Snowden files, the links between Google and Yahoo data centers were being monitored, for example. We know GCHQ were collecting encrypted data as well. They don't care that it's encrypted. We know the NSA has a storage facility dedicated specifically to storing data they cannot currently decrypt, with the expectation that they will be able to in the future. And that's what quantum computing will bring: the ability to break current encryption that today would nominally take 250 years to break, reduced to about four or five hours. That's why this data is being stockpiled, because Q Day, as it's being called, is rapidly approaching. NIST have Q Day in their projected timeline, which is a few years old now, at 2035. Google announced a couple of weeks ago that they expect it by 2029. So it's somewhere in between those dates. And the truth is, whatever you are procuring or installing today for your environment will have an operational lifetime that goes beyond those dates. So the procurement decisions you're making today are important with regard to quantum cryptography, but it's very often not entering into the conversation around that procurement.
[3:23] Sean Martin: Well, there's going to be plenty of conversation about the technicalities of Q Day and how it's going to work. Let's talk more about business. Is that part of what you're looking at, what investments do you make, long term and short term?
[3:39] Rik Ferguson: We've been collecting data for about 12 months on what we actually see. This isn't survey data or reported data, this is what we see in the field in terms of quantum-resistant cryptography being deployed. Are you using the right algorithms? Are you using the right frameworks? We have new research coming mid-month with updated figures. We've seen an increase, but it's relatively small, and we also observe a plateau. It's very differentiated by industry. Those industries under greater pressure, contractual pressure, customer pressure, are being pushed toward adoption. But ironically, the people issuing the warnings, the governments of the world, are right down at the bottom of the stack. We can check by examining network traffic, for example, who is using TLS...
[4:38] Sean Martin: 1.3?
[4:39] Rik Ferguson: Right. But TLS 1.3 is in itself not even a guarantee that you're quantum-resistant, because are you deploying the right algorithms within the TLS 1.3 framework?
[4:48] Sean Martin: Yeah.
[4:48] Rik Ferguson: So you could argue our figures are even somewhat optimistic, and they're not good. The research is out there, and we've got the updated numbers coming soon. Adoption is fastest in these more commercially driven environments. But as you go down, you hit concerns in manufacturing because of operational technology. You can't just roll out a patch, you have to wait, you have to replace equipment, and that equipment has a very long operational lifetime. Medical devices are way down at the bottom for the same kinds of reasons. That's firmware, that's the device itself. We still see medical devices running Windows XP.
[5:21] Sean Martin: They have years and years of FDA approval and...
[5:24] Rik Ferguson: Yeah, and you have to go through all of it. You can't just patch, you need the approval.
[5:28] Sean Martin: Even so, for a lot of military and...
[5:31] Rik Ferguson: Infrastructure in untouchable environments. There's a lot of either untouchable equipment or untouchable environments, or heavily regulated ones. It makes a big...
[5:39] Sean Martin: Difference. How much of this is rooted in hardware? It's obviously prevalent in software as well, but what's the balance?
[5:47] Rik Ferguson: It's about how it's deployed. The greatest uptake in terms of speed, of being quantum-ready, is in those software environments. We're seeing it in internet-facing servers and in IT infrastructure. And then the huge lag is basically everything else: all that medical and operational technology where you can't just say, "We'll upgrade the version of TLS." It's about building in what's called quantum agility, the ability to switch algorithms out as required. If you build in the quantum agility now, you get to switch algorithms later because you have the framework in place. But that's really only possible in a less regulated, more software-driven environment.
[6:28] Sean Martin: Right. Organizations that are able to push the envelope are probably doing a lot of innovation as well. Can you relate it to, when you mentioned going from however many days down to a number of hours...
[6:44] Rik Ferguson: Yep.
[6:45] Sean Martin: The first thing that came to mind was AI, where things that would take weeks or days or months or years to complete...
[6:55] Rik Ferguson: Oh, compressed. Yeah, absolutely.
[6:57] Sean Martin: Down to days and weeks. Are there business processes that stand out, that people really should be concerned about? We sit here and talk about critical infrastructure and medical devices, and hopefully they're thinking about it, but the general IT world might think, "I don't have critical stuff."
[7:25] Rik Ferguson: It's about data. In the presentation I give some examples of why this is relevant, why should I care? If you're a pharmaceutical organization, you've got all your R&D, all your intellectual property, all your clinical trials, all the research you chose to abandon because at the time it wasn't right. That's all hopefully encrypted in your environment, because you need that confidentiality. But are you prepared to just give all of it away? Because that's exactly what an HNDL, harvest-now, decrypt-later, attack will achieve. Same thing in financial environments: mergers and acquisitions, targets you may have considered, all the reasoning and finance around them. Sovereign debt positions. In government, conversations or negotiations about how you respond to sanctions. All of these things, legal conversations, they're all conducted under an assumed umbrella of privacy afforded by encryption. But we are rapidly approaching a date, and we are, when that encryption is broken or breakable. And the crazy thing is that the way we respond to incidents right now has a bounded timeline. You discover an incident has taken place, and you can backtrack from there to work out: how did they get into the organization, where did they go, what data might they have touched, what's at risk? It's all bounded because it's time-bounded.
[9:01] Sean Martin: Right.
[9:01] Rik Ferguson: With the harvest-now, decrypt-later attack, that time-bounding really doesn't exist. They could have been harvesting for a decade or more. You're not going to know anything has taken place until that data is decrypted, so your investigation into what happened is completely disabled, just by chronology. There's no indicator at the time the attack took place. You're unaware the data was exfiltrated, and your first indication is when it's weaponized against you or released publicly.
[9:32] Sean Martin: And it's quite alarming.
[9:36] Rik Ferguson: It needs to be. There are a lot of comparisons to Y2K.
[9:40] Sean Martin: Right.
[9:41] Rik Ferguson: And people say, "Y2K turned out to be a non-event anyway, all that media coverage, planes falling out of the sky." We remember that. The reason it was a non-event is that a lot of people did a lot of work. The problem with...
[9:55] Sean Martin: Spent many hours working.
[9:55] Rik Ferguson: Q Day is that a lot of people are not doing a lot of work. So that's not how you avoid something being an event.
[10:03] Sean Martin: It's funny, because I keep going back to the hardware and your purchasing decisions now. Y2K was the same thing. I remember working on projects where it wasn't just about whether this thing would survive or fall over. It was a business decision about which things we should replace now.
[10:22] Rik Ferguson: Yeah.
[10:23] Sean Martin: Because they may survive or they may not, but they're not great anyway. What's...
[10:26] Rik Ferguson: What's critical? What's the risk?
[10:27] Sean Martin: What's critical, what should we be replacing anyway, because there's other stuff on the plate. So for us back then, we shifted the conversation from not just security and not just resiliency. It went back to the business. Who has the checkbook for these things, and what's the best investment? And, oh by the way, you're going to solve for this problem.
[10:54] Rik Ferguson: Yeah, I think with PQC, with HNDL, whichever way you want to phrase it, the point is you need to focus on the utility and the risk of the data. It's not all data and it's not all implementations, that would be impossible. Short-lived data: honestly, do you really care? Session tokens, logins, by the time that's decrypted, whether it's 2029 or 2035, it makes no difference. It will be unusable. So it's the data that has a longer shelf life and poses the greatest risk to the business. In a regulated environment you'll be informed by the regulation: where should I focus in terms of which data I'll be most held liable for? But alongside that: if this data were exposed, what would do the greatest damage to my business? What would undermine my competitive position? What would impact my ability to do business? Those are the questions you need to ask. Attackers don't care what they harvest, they'll hoover up anything and everything. Salt Typhoon again is a great example: they build a position on the network and suck up everything. They don't know what's in there because it's encrypted, but they're going to find out when the time comes. What's usable will be usable; what's not, isn't. But as someone defending that environment, you need to know that in advance, because you need to apply your budget, your time, and your defenses to the right data.
[12:25] Sean Martin: So interesting. We have a minute left. What's the closing message in your keynote that you want to share here?
[12:35] Rik Ferguson: The closing message in my keynote is a giant picture of a stealth combine harvester, which took AI a very long time to generate, because there's nothing in the training corpus for what a stealth combine harvester looks like. The title is "We Can Wait, Can't We?" My closing message is: we can't wait, can we, realistically. It's past time. If you consider Starling, IBM Starling is slated to be available in 2029, and that will be a fault-tolerant quantum computer, so 2029 becomes a very reasonable date. The decisions you're making today are the decisions that will affect your ability to stand up to those kinds of attacks. So you need to make them today, not in 2029 or 2035.
[13:26] Sean Martin: Craziness. I know you do a lot of research on this. I want to encourage folks to connect with you and follow you.
[13:33] Rik Ferguson: Yeah, absolutely. Connect with me on LinkedIn. I don't even know which camera to look at, both of you.
[13:37] Sean Martin: That's right.
[13:37] Rik Ferguson: LinkedIn, or just drop me a message, whatever.
[13:40] Sean Martin: Yeah.
[13:41] Rik Ferguson: I've got a really interesting white paper coming out this Thursday called Assume Autonomy. What I'm really trying to do is redefine how we approach cybersecurity in general. As attacks move more toward fully autonomous, so must defense, otherwise it won't keep pace. So I've tried to build a real operational guide to how you can implement autonomy in the defensive stack, but also to make you aware of how that defensive stack can be used against you, so you can apply the right protections.
[14:13] Sean Martin: Sure.
[14:13] Rik Ferguson: Non-commercial, non-product. Not my employer, just...
[14:16] Sean Martin: Yep.
[14:17] Rik Ferguson: I want us to move past [VERIFY: phrase unclear in source audio].
[14:18] Sean Martin: On that.
[14:19] Rik Ferguson: I want us to move past Assume Breach, I think it's old.
[14:22] Sean Martin: Right.
[14:22] Rik Ferguson: And I want us to move into Assume Autonomy. It's a different era.
[14:26] Sean Martin: I'd love to have you on again to chat about that. We won't be here at the event...
[14:30] Rik Ferguson: All right.
[14:30] Sean Martin: After it's released, we'll book a time and discuss that one.
[14:35] Rik Ferguson: Sure thing. Look forward to it.
[14:36] Sean Martin: Great. So good to see you, my friend.
[14:37] Rik Ferguson: Pleasure. Cheers.
[14:38] Sean Martin: All right, thanks, everybody. Stay tuned for more coming from Infosecurity Europe, and stay tuned for another chat with Rik. See you all later.