Adversaries are stealing encrypted data today that they cannot read yet, and storing it until a quantum computer can. Sean Martin sat down with Forescout’s Rik Ferguson to talk about “harvest now, decrypt later,” why Q-Day is closer than the comfortable timelines suggest, and what the decisions you make this year have to do with secrets you thought were safe forever.
PODCAST EPISODE | Redefining CyberSecurity With Sean Martin — On Location at InfoSecurity Europe 2026
On Location With Sean Martin And Marco Ciappelli
Adversaries are stealing encrypted data today that they cannot read yet, and storing it until a quantum computer can. Sean Martin sat down with Forescout’s Rik Ferguson to talk about “harvest now, decrypt later,” why Q-Day is closer than the comfortable timelines suggest, and what the decisions you make this year have to do with secrets you thought were safe forever.
📺 Watch | 🎙️ Listen | ITSPmagazine.com
Somewhere there is a building full of secrets nobody can read yet.
That is not a metaphor. The NSA reportedly keeps a facility for storing encrypted data it cannot currently crack, on the assumption that one day it will. It is patient. It is betting on the future. And it is not the only one placing that bet.
When Sean Martin sat down with Rik Ferguson at InfoSecurity Europe, the subject was post-quantum cryptography, which sounds like a problem for physicists and a decade away. Ferguson, VP of Security Intelligence at Forescout and a quarter-century veteran of watching threats arrive ahead of schedule, was there to take that comfort away. His keynote title put it politely: post-quantum is a way off, we can wait, can’t we. The honest version is that we can’t.
The attack has a name: harvest now, decrypt later. Adversaries steal encrypted data today, knowing it is useless to them, and store it. They are not waiting because they gave up. They are waiting for the key. When a quantum computer can break the encryption we currently trust, every stockpiled file opens at once. NIST pencils that day in around 2035. Google has suggested 2029. IBM’s first fault-tolerant quantum machine is slated for 2029. Pick any date in that window, then look at the equipment your organization is buying this year and ask how long it will still be running.
What Ferguson is really describing is a crime against time.
Every breach we know how to investigate has a shape. It happened on a date, the intruder moved through the network, and we trace the damage backward from there. Harvest now, decrypt later erases the date. There is no alarm when the data leaves, because nothing visibly breaks. Your first notice that you were robbed a decade ago is the day the contents are used against you. Sean, who likes to pull these conversations back to the business, named the right precedent: Y2K. We remember it as a joke, the planes that never fell out of the sky. It was a non-event precisely because a great many people did an enormous amount of unglamorous work. Ferguson’s warning is that the opposite is happening now. Few people are doing the work, and that is how a non-event turns into an event.
There is an unglamorous question underneath all of this: which of your secrets will still matter in ten years? Encrypting everything harder is not the answer, because not everything is worth defending against a decade-late attack. Session tokens decrypted in 2035 are worthless. Clinical trial data, merger plans, sovereign debt strategy, the legal conversations everyone assumed were private forever, those keep their value, and they are worth a stranger’s patience. Ferguson calls the discipline quantum agility: build the systems now so you can swap the locks later. Easy enough in software. Nearly impossible in a medical device still running Windows XP while a regulator finishes signing off the last version.
So what do we carry forward, and what do we leave behind? We carry our secrets, whether we want to or not, into a future where the lock on them may not hold. What we have to leave behind is the comfortable belief that encrypted means safe, full stop, forever.
Ferguson ends his keynote on an image of a stealth combine harvester, which the AI struggled to draw because nothing like it exists in the training data yet. That is the joke, and also the point. The thing coming for the data is quiet, built to gather, and we have barely pictured it. His next argument, a paper called Assume Autonomy, says it is time to stop assuming breach and start assuming the machines on both sides will run themselves. Sean has already booked the follow-up.
Sean’s full conversation with Rik Ferguson is linked below, with the rest of our InfoSecurity Europe coverage.
Let’s keep thinking.
— Marco
Co-Founder ITSPmagazine & Studio C60 | Creative Director | Branding & Marketing Advisor | Journalist | Writer | On Location With Sean Martin And Marco Ciappelli | 🌎 LAX🛸FLR 🌍
Sean Martin, CISSP, is the co-founder and Director of Operations and Programming at ITSPmagazine, and the host of the Redefining CyberSecurity podcast. An information security and technology veteran of more than thirty years and a multiple-time CISSP, he led engineering and delivery for hundreds of cybersecurity products before turning to journalism and broadcasting. Through Redefining CyberSecurity he keeps pressing one question: if we are selling security insincerely, buying it indiscriminately, and deploying it ineffectively, how do we make it usable, honest, and a real source of business value? He teaches at Pepperdine’s Graziadio Business School and broadcasts from New York City.
🌎 seanmartin.com | LinkedIn: linkedin.com/in/imsmartin
Rik Ferguson is the Vice President of Security Intelligence at Forescout, where he leads the company’s threat research and intelligence work. A cybersecurity veteran of more than twenty-five years, he spent fifteen years as Vice President of Security Research at Trend Micro before joining Forescout in 2022. He is a founding Special Advisor to Europol’s European Cybercrime Centre (EC3), a Fellow of the Royal Society of Arts, a co-founder of Respect in Security, and a member of the Infosecurity Europe Hall of Fame. A Certified Ethical Hacker, CISSP, and ISSAP, he is also a writer, broadcaster, and futurist known for translating the cutting edge of cybercrime for governments, businesses, and the public.
🔗 LinkedIn: linkedin.com/in/rikferguson
More from this event:
Full InfoSecurity Europe 2026 coverage: ITSPmagazine InfoSecurity Europe 2026
All ITSPmagazine event coverage: Technology & Cybersecurity Conference Coverage
TRANSCRIPT SUMMARY & QUOTES — Rik Ferguson | InfoSecurity Europe 2026
(Host: Sean Martin — Redefining CyberSecurity / On Location)
----- EPISODE SUMMARY -----
Recorded On Location at InfoSecurity Europe 2026, Sean Martin sits down with Rik Ferguson, VP of Security Intelligence at Forescout, ahead of Ferguson's keynote on post-quantum cryptography. Ferguson lays out "harvest now, decrypt later," the attack in which adversaries steal encrypted data today and stockpile it until a quantum computer can break it open, pointing to Volt Typhoon, BGP manipulation, and known state-level data hoarding as evidence the infrastructure and intent already exist. With Q-Day timelines ranging from Google's 2029 to NIST's 2035, and IBM's fault-tolerant Starling slated for 2029, he argues that procurement and deployment decisions made now already carry a quantum problem. Sean steers the conversation toward the business: which data actually warrants protection based on shelf life and risk, who owns the budget, and how a harvest-now attack disables incident response by erasing the timeline entirely. Ferguson makes the case for "quantum agility" — designing systems that can swap algorithms later — while warning that operational technology and medical devices lag dangerously behind faster-moving software. The two close on the Y2K parallel: it became a non-event because people did the work, and that work is largely not happening this time. Ferguson previews his forthcoming paper, "Assume Autonomy," and a follow-up conversation is already booked.
----- 3 QUOTES — RIK FERGUSON -----
On the attack already in motion:
"The technical capability exists, and the desire to steal encrypted information exists. There's a facility dedicated to storing data they can't decrypt yet, with the expectation that one day they will."
On why it breaks investigation:
"With harvest now, decrypt later, the time bounding doesn't exist. They could have been harvesting for a decade or more, and your first indicator is when it's weaponized against you."
On the false comfort:
"People say Y2K turned out to be a non-event. It was a non-event because a lot of people did a lot of work. The problem with Q-Day is that a lot of people are not."
----- 3 QUOTES — SEAN MARTIN -----
On framing it for the business:
"Let's talk less about the technicalities of Q-Day and more about the business: what investments do you make, long-term and short-term?"
On the procurement parallel:
"Y2K wasn't just 'will this thing survive or fall over.' It was a business decision about what we should replace now anyway, and oh, by the way, you're going to solve for this problem too."
On the stakes:
"You could have been robbed a decade ago and not know it. That's quite alarming."