Rakesh Keshava FBCS, an expert in applied cryptography, demystifies encryption and explores the key concepts we all need to know.

Every digital interaction (whether a payment, email or cloud API call) relies on encryption functioning silently in the background. Cryptography preserves confidentiality by controlling access, maintains data integrity by preventing tampering and verifies authenticity by confirming sources. Encryption enables secure transactions, maintains customer confidence and ensures compliance. Organisations that embed cryptographic security within their architecture from the outset achieve greater agility and confidence in adopting new technologies. For leadership teams, cryptography represents more than an operational safeguard; it is a deliberate investment in resilience, regulatory assurance and reputation management.

As you read on, we’ll consider the key questions leaders need to ask and why they are critically important to ensuring your organisation’s data — and reputation — are kept safe.

One: how are encryption keys managed across environments?

The foundation of every cryptographic system rests on effective key management. A single lost or compromised key can expose vast amounts of confidential information, which is why organisations implement dedicated key management systems, hardware security modules (HSMs), and clearly defined operational procedures that govern key generation, storage, rotation and retirement.

Leaders should ask practical questions: who creates the encryption keys? Who has permission to use them? How frequently are they rotated? Are backups stored securely and are they auditable? The answers reveal whether encryption is genuinely embedded in the organisation's security culture or merely treated as a compliance checkbox.

When key management is executed properly, it operates almost invisibly, maintaining seamless protection across systems. When neglected, it can lead to severe data exposure, service outages and loss of trust that no technical patch can repair. The most effective approach establishes a single, auditable process for creating, rotating, and retiring encryption keys, preventing oversight and ensuring consistent control across all environments.
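To make that lifecycle concrete, here is an added example (written for this article, not the author's code or any vendor's product) of a small envelope-style key ring in Go. Each key version is drawn from the operating system's random source, rotation activates a new version while the previous one becomes decrypt-only, destruction is permitted only for retired versions, and every operation is appended to an audit trail. Ciphertext carries the id of the key that produced it, so data encrypted before a rotation still decrypts afterwards. KeyRing, Rotate and Destroy are names chosen for the example; a production system would keep the key material inside an HSM or KMS and persist the audit trail to append-only storage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const nonceSize = 12 // standard AES-GCM nonce length

type keyVersion struct {
	retired bool        // decrypt-only, kept so older ciphertext stays readable
	aead    cipher.AEAD // nil once the key material has been destroyed
}

// KeyRing holds every key version ever issued for one data-encryption purpose and
// the audit trail an auditor reviews (in memory here; a real KMS persists it).
type KeyRing struct {
	keys   map[uint32]*keyVersion
	active uint32
	Audit  []string
}

func NewKeyRing(actor string) (*KeyRing, error) {
	r := &KeyRing{keys: map[uint32]*keyVersion{}}
	return r, r.Rotate(actor)
}

func (r *KeyRing) ActiveKeyID() uint32 { return r.active }

func (r *KeyRing) log(actor, format string, a ...any) {
	r.Audit = append(r.Audit, time.Now().UTC().Format(time.RFC3339)+" "+actor+" "+fmt.Sprintf(format, a...))
}

// Rotate draws a fresh 256-bit AES-GCM key from the OS CSPRNG, makes it the only
// key allowed to encrypt, and demotes the previous one to retired.
func (r *KeyRing) Rotate(actor string) error {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	block, _ := aes.NewCipher(raw)  // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	if old, ok := r.keys[r.active]; ok {
		old.retired = true
		r.log(actor, "key %d retired", r.active)
	}
	r.active++
	r.keys[r.active] = &keyVersion{aead: aead}
	r.log(actor, "key %d generated and activated", r.active)
	return nil
}

// Destroy wipes a retired key; anything still encrypted under it must be re-encrypted first.
func (r *KeyRing) Destroy(actor string, id uint32) error {
	k, ok := r.keys[id]
	if !ok || !k.retired || k.aead == nil {
		return errors.New("only retired keys with live material may be destroyed")
	}
	k.aead = nil
	r.log(actor, "key %d destroyed", id)
	return nil
}

// Encrypt uses the active key and prefixes its id (bound as associated data) so Decrypt can find the version.
func (r *KeyRing) Encrypt(actor string, plaintext []byte) ([]byte, error) {
	hdr := binary.BigEndian.AppendUint32(nil, r.active)
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r.log(actor, "encrypt with key %d", r.active)
	out := append(append([]byte{}, hdr...), nonce...)
	return r.keys[r.active].aead.Seal(out, nonce, plaintext, hdr), nil
}

func (r *KeyRing) Decrypt(actor string, ct []byte) ([]byte, error) {
	if len(ct) < 4+nonceSize {
		return nil, errors.New("ciphertext too short")
	}
	id := binary.BigEndian.Uint32(ct[:4])
	k, ok := r.keys[id]
	if !ok || k.aead == nil {
		return nil, fmt.Errorf("key %d unavailable: data cannot be recovered", id)
	}
	r.log(actor, "decrypt with key %d", id)
	return k.aead.Open(nil, ct[4:4+nonceSize], ct[4+nonceSize:], ct[:4])
}

func main() {
	r, _ := NewKeyRing("kms-admin")
	ct, _ := r.Encrypt("billing-svc", []byte("constructed sample record"))
	_ = r.Rotate("kms-admin")
	pt, err := r.Decrypt("billing-svc", ct)
	fmt.Printf("after rotation: %q err=%v\n", pt, err)
	fmt.Println(len(r.Audit), "audit events, last:", r.Audit[len(r.Audit)-1])
}
```

The design point worth noticing is the order of operations: a key is retired on rotation but destroyed only by a separate, explicit step, which gives the organisation a window to re-encrypt data under the new version. Destroying a key that still protects data makes that data unrecoverable, which is exactly the "no technical patch can repair" outcome described above.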

Two: which algorithms protect our most valuable data?

Encryption transforms readable information into ciphertext, making it unintelligible to anyone without the appropriate key. Symmetric encryption uses a single shared key to both encrypt and decrypt data, making it fast and efficient for protecting large volumes such as database files or backup archives. Asymmetric encryption relies on two separate keys: a public key for encryption and a private key for decryption. Though slower, it provides greater flexibility and scalability, forming the basis of secure online communication, digital signatures and encrypted connections used in online banking and e-commerce.
For business and technology leaders, understanding where each method fits is essential. The right balance between speed and assurance determines both efficiency and overall security posture.

The next major turning point in digital security will be the rise of quantum computing. Once large-scale quantum systems become practical, they will be able to solve efficiently the mathematical problems on which today's public key algorithms, such as RSA and elliptic curve cryptography, depend. This creates a risk often described as ‘harvest now, decrypt later’, where attackers capture encrypted data today and decrypt it later when quantum computers mature.

The United States National Institute of Standards and Technology (NIST) is leading the standardisation of post-quantum cryptography (https://tinyurl.com/yuy8k53t), a new class of algorithms designed to resist quantum attacks. Among the selected standards are CRYSTALS-Kyber for encryption and CRYSTALS-Dilithium for digital signatures.
Forward-thinking organisations are already experimenting with hybrid cryptography that combines current classical algorithms with post-quantum ones. This approach allows a smooth transition while maintaining compatibility with existing systems.

Migration to post-quantum methods will take several years, but early planning is essential. Enterprises that catalogue their cryptographic assets, modernise key management and engage with vendors on quantum readiness will be in a much stronger position once the quantum era arrives. Leadership teams should know which algorithms are in use, how long they will remain secure and what their organisation's plan is for the post-quantum transition.
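As an added illustration of how the two families divide the work, and of what a hybrid scheme actually does with its two secrets (example code written for this article, not taken from it), each side below uses asymmetric ECDH on P-256 to agree a classical secret, then feeds that secret together with a post-quantum KEM secret into HKDF-SHA256 to derive the symmetric key that will protect the bulk traffic. Because the key derivation consumes both inputs, recovering the session key requires breaking both schemes. The post-quantum secret is a constructed stand-in, since the example assumes only the Go standard library (crypto/ecdh, available from Go 1.20) and no ML-KEM implementation; Party, SessionKey and HybridKey are names chosen for the example.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one side of the exchange holding a classical (P-256) key pair. In practice
// the public key travels inside a certificate or handshake message.
type Party struct {
	Name string
	priv *ecdh.PrivateKey
}

func NewParty(name string) (*Party, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{Name: name, priv: priv}, nil
}

func (p *Party) PublicKey() []byte { return p.priv.PublicKey().Bytes() }

// ClassicalSecret is the asymmetric step: run once per session, it is the part a
// large quantum computer could break.
func (p *Party) ClassicalSecret(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	return p.priv.ECDH(pub)
}

// hkdf is HKDF-SHA256 (RFC 5869) extract-then-expand, written out so the block needs
// nothing outside the standard library.
func hkdf(salt, ikm, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, prev []byte
	for i := byte(1); len(out) < n; i++ {
		h := hmac.New(sha256.New, prk)
		h.Write(prev)
		h.Write(info)
		h.Write([]byte{i})
		prev = h.Sum(nil)
		out = append(out, prev...)
	}
	return out[:n]
}

// HybridKey derives the symmetric session key from both secrets. An attacker must
// recover both inputs: breaking ECDH with a quantum computer is not enough, and a
// flaw in the newer post-quantum scheme is not enough either.
func HybridKey(classical, pq []byte, context string) ([]byte, error) {
	if len(classical) == 0 || len(pq) == 0 {
		return nil, errors.New("hybrid derivation requires both a classical and a post-quantum secret")
	}
	ikm := append(append([]byte{}, classical...), pq...)
	return hkdf([]byte("hybrid-kdf-v1"), ikm, []byte(context), 32), nil
}

// SessionKey is what each side calls; pqSecret is whatever the post-quantum KEM
// produced (a constructed stand-in in the demo below).
func SessionKey(me *Party, peerPub, pqSecret []byte) ([]byte, error) {
	cs, err := me.ClassicalSecret(peerPub)
	if err != nil {
		return nil, err
	}
	return HybridKey(cs, pqSecret, "demo-session")
}

func main() {
	alice, _ := NewParty("alice")
	bob, _ := NewParty("bob")
	pq := make([]byte, 32) // stand-in for an ML-KEM shared secret; constructed, not real
	for i := range pq {
		pq[i] = byte(i)
	}
	ka, _ := SessionKey(alice, bob.PublicKey(), pq)
	kb, _ := SessionKey(bob, alice.PublicKey(), pq)
	fmt.Printf("alice: %x\nbob:   %x\nmatch: %v\n", ka, kb, string(ka) == string(kb))
}
```

The asymmetric operation runs once per session and the resulting 32-byte key is then used by a fast symmetric cipher for all the bulk data, which is the speed-versus-flexibility balance the section describes. Swapping the stand-in for a real ML-KEM secret changes nothing in HybridKey, which is what makes the hybrid approach a transition path rather than a rewrite.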

Three: is encryption applied consistently to data at rest, in transit and in use?

Data rarely remains in one place. It moves constantly between cloud platforms, mobile applications and interconnected services. Encryption must protect information in every state, both when stored and when transmitted. Protecting data at rest involves securing backups, databases, file systems and storage devices. Protecting data in transit includes securing web traffic, emails, and service-to-service communication through protocols such as transport layer security (TLS).


A lapse in either stage can compromise the entire security chain. For instance, encrypting a production database provides little value if backups are left unencrypted on removable drives or poorly configured cloud storage. Encryption must be applied consistently and verified regularly across all systems.

Inconsistency creates security gaps and compliance challenges. Data protection policies should ensure that encryption is enforced uniformly across every storage location and transmission channel. Leaders should encourage an end-to-end approach to encryption, ensuring that policies extend across all environments and data states. Consistency, rather than complexity, ultimately builds confidence in the organisation's ability to safeguard its information assets.

Four: what happens if cryptography fails?

Digital signatures provide a reliable way to verify authenticity and integrity in the digital world. They ensure that software updates, financial transactions, or legal documents originate from a legitimate source and remain unchanged during transmission. The foundation that makes this possible is the public key infrastructure (PKI), a framework of trusted authorities, digital certificates, and cryptographic keys that bind verified identities to their credentials.

When PKI is poorly managed, consequences can be immediate and far reaching. Expired certificates, incorrect configurations, or unmonitored trust chains can disrupt critical systems and customer-facing operations. In one widely cited case, an overlooked certificate expiry caused global airline check-in systems to fail, grounding flights and damaging brand reputation.

For business leaders, the lesson is clear. PKI is not merely a background IT process; it is a cornerstone of business continuity. Maintaining certificate visibility, enforcing renewal policies and integrating automated lifecycle management should be treated with the same seriousness as maintaining network uptime or data availability. Executives should expect a clearly defined response plan for certificate expiry, compromised keys or outdated algorithms. Proactive planning avoids disruption and minimises operational risk.
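The cryptographic asset catalogue recommended in the post-quantum section and the certificate visibility this section calls for can start from the same inventory. The following added example (not from the article) parses X.509 certificates with Go's standard library and reports, for each one, the key algorithm and size, the days to expiry, whether it falls inside a renewal warning window, and whether its public key is one a large quantum computer could break and so belongs on the migration list. The two certificates it inspects are constructed in memory as self-signed test data; Inventory, Finding and SampleEstate are names chosen for the example, and a real run would load certificates from servers, key stores and code-signing pipelines instead.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Finding is one row of the inventory a leadership dashboard would show.
type Finding struct {
	Subject        string
	KeyAlgorithm   string
	KeyBits        int
	DaysToExpiry   int
	ExpiresSoon    bool // renew now, or an outage like the airline case follows
	QuantumExposed bool // RSA/ECC based: belongs on the post-quantum migration list
}

// Inventory turns parsed certificates into findings, flagging anything that expires
// within warnWithin (or has already expired) and any classical public key.
func Inventory(certs []*x509.Certificate, now time.Time, warnWithin time.Duration) []Finding {
	var out []Finding
	for _, c := range certs {
		f := Finding{Subject: c.Subject.CommonName, KeyAlgorithm: c.PublicKeyAlgorithm.String()}
		switch k := c.PublicKey.(type) {
		case *rsa.PublicKey:
			f.KeyBits, f.QuantumExposed = k.N.BitLen(), true
		case *ecdsa.PublicKey:
			f.KeyBits, f.QuantumExposed = k.Curve.Params().BitSize, true
		case ed25519.PublicKey:
			f.KeyBits, f.QuantumExposed = 256, true
		}
		f.DaysToExpiry = int(c.NotAfter.Sub(now).Hours() / 24)
		f.ExpiresSoon = !c.NotAfter.After(now.Add(warnWithin))
		out = append(out, f)
	}
	return out
}

// selfSigned builds a throwaway certificate in memory (constructed test data) so the
// inventory can run offline.
func selfSigned(cn string, key crypto.Signer, notAfter time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleEstate builds two constructed certificates relative to now: an RSA-2048 one
// with 20 days left and an ECDSA P-256 one with 400 days left.
func SampleEstate(now time.Time) ([]*x509.Certificate, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	c1, err1 := selfSigned("checkin.example.test", rsaKey, now.Add(20*24*time.Hour))
	c2, err2 := selfSigned("api.example.test", ecKey, now.Add(400*24*time.Hour))
	if err := errors.Join(err1, err2); err != nil {
		return nil, err
	}
	return []*x509.Certificate{c1, c2}, nil
}

func main() {
	now := time.Now().Truncate(time.Second) // certificate times carry second precision
	certs, err := SampleEstate(now)
	if err != nil {
		panic(err)
	}
	for _, f := range Inventory(certs, now, 30*24*time.Hour) {
		fmt.Printf("%-22s %-6s %4d bits %4d days expiresSoon=%v quantumExposed=%v\n",
			f.Subject, f.KeyAlgorithm, f.KeyBits, f.DaysToExpiry, f.ExpiresSoon, f.QuantumExposed)
	}
}
```

Run against a real estate, the same report answers the two leadership questions from earlier sections at once: which certificates need renewal before they cause an outage, and which algorithms must eventually be replaced. Automating the renewal of everything the report flags is the lifecycle management the paragraph above describes.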

Effective cryptography begins with clear governance at the leadership level. Organisations must define the business purpose behind encryption, whether to protect customer information, comply with regulations, or strengthen competitive position through trust. Encryption should never be treated as a final checklist item but rather integrated at the design stage of every system and application. Planning cryptographic controls early prevents costly redesigns and reinforces a sustainable long term security posture.

Conclusion

The role of cryptography is shifting from invisible background protection to an essential element at the core of every digital strategy. As quantum computing evolves, organisations that act early by cataloguing their cryptographic assets, adopting hybrid encryption models, and strengthening governance will be best positioned to adapt smoothly. Preparing for the post-quantum era is not simply a technical challenge; it is a test of leadership vision and financial planning. Ultimately, cryptography is built on trust. Leadership must take ownership of trust as a strategic asset and ensure it remains strong in the quantum future.

Rakesh Keshava FBCS is a Software Architect in security engineering at a leading identity and security company. He specialises in cybersecurity and applied cryptography.