From Our CEO: What Happens When Encryption Expires?
- Alan Facey

- 2 days ago
Even the strongest locks can be picked. The same is true for encryption.

For decades, we’ve treated encryption as eternal. Once implemented, it quietly sat in the background, unquestioned and sometimes unmonitored. Few companies could tell you all of the algorithms that protect their systems, or whether those algorithms are fit for purpose. Yet in boardrooms everywhere, leaders are beginning to grasp a hard truth: cryptography is not forever.
The next great inflection point is already on the horizon. Quantum computing, still in its infancy, will one day render much of today’s encryption obsolete. The same algorithms that underpin HTTPS, virtual private networks, and software signatures will eventually fall to the power of quantum decryption. The clock is ticking, even if most of us can’t yet hear it.
When the transition to quantum-safe encryption begins in earnest, it will be less a gentle upgrade and more a systemic overhaul. Entire software stacks, authentication systems, and digital certificates will need to be re-engineered. The problem is that most organisations don’t even know where to start, because they’ve lost track of much of the encryption they currently use.
This is the paradox at the heart of our digital infrastructure: we rely on cryptography to maintain trust, and because it ‘just works’ we rarely inventory it. Encryption has become the forgotten foundation, invisible until it fails. Visibility, therefore, is the first act of resilience.
Before any organisation can plan a migration, it must first detect and map its existing cryptographic footprint, across applications, libraries, dependencies, and embedded systems. That knowledge cannot live in silos; it must be shared across teams and integrated into governance processes. Only then can businesses make informed decisions about where to modernise, what to replace, and how to maintain operational continuity during the shift to quantum-resistant algorithms.
But there’s another layer to this challenge that reaches beyond code. As encryption decays, so too does trust. Customers, regulators, and partners expect continuity of protection. They assume that digital confidentiality is permanent. When encryption fails, it’s not only data that becomes exposed. Governance, in this context, becomes as much about foresight as compliance.
At SCANOSS, we’ve long believed that you can’t manage what you can’t see. Detecting outdated or undeclared algorithms is not just an exercise in technical hygiene; it’s a statement of accountability. It’s how organisations prepare for a world where the locks we trusted are at risk of being picked.
The companies that thrive through the quantum transition will be those that treat encryption as a living system that requires transparency, maintenance, and renewal. Their leaders will understand that trust in software, like trust in society, depends on vigilance.
Cryptography’s decay is inevitable. Our response to it is not.
Visibility is the beginning of resilience and the preservation of trust.
– Alan Facey, CEO of SCANOSS


