Post-Quantum

How CISOs Can Use Quantum Readiness to Secure Bigger Budgets (and Fix Today’s Problems)

Introduction

Talking with the CISOs in my network, I keep hearing the same laments I’ve been hearing for decades, only now they seem louder than ever:

  • “My security team is chronically understaffed.” In fact, 59% of cybersecurity leaders say their teams lack enough personnel, according to ISACA. And that’s a 2023 survey, before the latest rounds of layoffs and belt tightening.
  • “The frequency and complexity of attacks have exploded.” Nearly 48% of organizations report more attacks in 2023 than the year before, the same survey shows. It has only gotten worse since then.
  • “We’ve become a Toys ‘R’ Us of security products.” To cope, many firms have stitched together a dizzying patchwork of tools. IBM research puts the average business at 83 separate security solutions. An Oxford Economics study (via Security Boulevard) found almost half of security leaders spend more time maintaining tools than defending against attacks, and 59% cite tool maintenance as their biggest efficiency drain.
  • “Regulators are on my back like never before.” The World Economic Forum notes that 2024 alone saw major new cyber rules in the EU, United States, and Singapore, fundamentally reshaping the global regulatory landscape.
  • “It feels like the board wants daily reports.” Fortinet’s survey shows 93% of CISOs already present cybersecurity updates to their boards.
  • “Responsible AI, in all its flavors, just landed in my lap, but I have zero AI‑skilled staff, and the regulations seem to change daily.” Suddenly CISOs are expected to govern AI ethics, AI security, AI data privacy… even though most teams lack AI expertise. You’re not alone: according to NTT Data, 67% of business leaders say their employees lack the skills to work effectively with AI. Meanwhile, AI regulations are in flux – more than 80% of leaders say unclear government AI rules are hindering adoption.
  • “I’m being pushed to adopt AI‑driven security tools, yet I’m not seeing the payoff. Just another stack to maintain.” There’s huge hype around AI in cybersecurity, but results are mixed so far. In an Evanta survey, only 12% of CISOs can claim measurable results from their AI initiatives. So far.
  • “If I hear ‘do more with less’ one more time, I might jump out the window.” Only 29% of CISOs report having the proper budget for cybersecurity initiatives and goals, and 62% said postponing an upgrade due to budget cuts led to a successful attack. It seems fewer boards are fully funding the cyber program.

So when I suggest adding quantum readiness to their to‑do list – something many still perceive as tomorrow’s problem – the reaction is predictable: hair‑pulling for those few CISOs who still have any left. How can they prioritize quantum resistance today when they’re already drowning in urgent issues? I can relate – I was in their shoes recently. In the current cybersecurity chaos, it’s hard to get excited about cryptography that won’t be cracked until some future quantum computer arrives.

I will, as I often do, remind them that the quantum threat is no longer a distant theory – it’s gaining on us, “harvest now, decrypt later” is a today problem, and regulators increasingly want to see concrete progress within months, not years. I’ll take one chapter to sound the alarm bells, but then I want to turn it around to the positives. Framed correctly and executed well, a quantum‑readiness program can unlock bigger budgets for CISOs and deliver very real benefits today, well before a cryptanalytically relevant quantum computer (CRQC) ever comes online.

Quantum Threat: Closer Than It Appears

Tomorrow’s problems have a funny way of becoming today’s crisis if you ignore them long enough. The quantum threat is already becoming a crisis if you haven’t started your quantum readiness program yet.

Most encryption that protects our data relies on math problems that are practically impossible for classical computers to solve within the age of the universe. Quantum computers change that. A sufficiently advanced quantum machine could crack public-key cryptography in short order, rendering our current security infrastructure obsolete. The consensus used to be that such cryptographically relevant quantum computers (CRQCs) were decades away. But recent breakthroughs have sharpened the timeline, bringing the fall of classical encryption into the plausible timeframe of around 2030. In other words, the quantum threat isn’t some sci-fi scenario for the 2050s; it’s a clear and present danger for this decade.

Top scientists and government agencies now openly warn that we may have less than 5–7 years before quantum attacks become feasible. Countries are taking notice: the EU’s new roadmap urges all member states to begin PQC transitions by 2026 and mandates that critical infrastructure be quantum-safe by the end of 2030. Similarly, Canada’s federal government requires all high-priority systems to adopt post-quantum encryption by 2031. And those are just two roadmaps published in the last week; many other countries have issued similar requirements. In short, regulators worldwide are moving up deadlines as new intelligence suggests “Q-Day” (the day quantum computers break our crypto) could hit sooner than expected.

Yet despite these warnings, most organizations are far behind. A recent ISACA poll found 62% of security professionals are worried about quantum threats, but only 5% say it’s a high priority for their organization, and only another 5% have even begun planning a quantum-safe strategy. This complacency is setting the stage for potential chaos. Every month that passes, adversaries are not idly waiting – they’re actively harvesting encrypted data now, to decrypt later when quantum capability arrives. Sensitive customer records, intellectual property, emails – anything stolen today can be stockpiled in the hope of one day unscrambling it when a CRQC comes online. This tactic means the quantum risk is effectively already here: if your data needs to remain confidential for a decade or more, it’s at risk today unless it’s protected by quantum-resistant measures.

The pressing reason to act now is also the sheer scale and complexity of the migration ahead. Implementing post-quantum cryptography, or alternative mitigations, across an enterprise will be the largest, most complex digital overhaul in history – far bigger than Y2K. Think about it: cryptography is woven into every system, application, device, and protocol we use. There is no single “patch” or one-click upgrade to swap out algorithms everywhere. Instead, it will require a painstaking, years-long process of discovering every instance of vulnerable cryptography (after having discovered every asset), updating or replacing systems, and coping with new performance and compatibility challenges. It’s like “changing the engines on an airplane in mid-flight” – you have to keep business operations running, with zero downtime, while gradually retrofitting the security underpinnings. In every single system, app, and device. It’s little wonder experts say even a 7–10 year head start might be barely enough; as one industry veteran put it, “even though 7–10 years sounds long, the extent of work means you might already be too late” if you haven’t begun. In practical terms, to meet the 2030–2035 mandates, large enterprises need to start their quantum transition now.

Turning a Burden into an Opportunity

But here’s the encouraging part: quantum readiness, if approached smartly, can be a blessing in disguise for CISOs, security teams and the business. The key point is that quantum readiness, to a large extent, relies on the same fundamental cybersecurity hygiene measures you’ve always needed. With regulators and governments increasingly scrutinizing quantum preparedness, CISOs now have a unique opportunity to secure dedicated funding to properly address foundational cyber hygiene tasks, and potentially even to free up funds from their existing budgets in the process.

Emerging Regulations: Quantum Compliance = Board-Level Priority

One big reason quantum readiness won’t stay “tomorrow’s problem” is the regulatory drumbeat getting louder every day. Governments and standards bodies worldwide are laying down mandates and timelines for transitioning to post-quantum cryptography. And if there’s one thing that reliably loosens purse strings in the boardroom, it’s a compliance requirement backed by law or high-level policy.

What does this mean for a CISO? If you do business with the government or in regulated industries like finance or healthcare, get ready for trickle-down compliance. Regulators and auditors will soon start asking, “What’s your PQC migration plan? Where are your quantum-vulnerable cryptographic systems? Show us your CBOM (Cryptographic Bill of Materials).”

The upshot is that as quantum risk has leapt from theoretical to practical, CISOs will find receptive ears in the boardroom. When you can say, “By investing in quantum resilience, we’re meeting regulatory requirements head-on,” boards listen. No one wants to be caught flat-footed by a new law or an examiner’s question they can’t answer. Funding for compliance initiatives – especially ones framed as future-proofing critical infrastructure – tends to be approved even in tight budgets.

In short, quantum readiness is quickly becoming synonymous with compliance readiness, and that secures the executive mandate and budget you need.

Asset Discovery: The Cybersecurity Foundation That Finally Gets Funded

Before you even start tackling cryptographic inventory, you need to know what assets you have and where they are. That means doing a thorough discovery of everything connected to your network – not just servers and laptops, but all the “hidden” devices too: IoT sensors in the building, OT systems on the factory floor, cloud VMs, rogue Wi-Fi gadgets, shadow IT, you name it. This isn’t new advice; it’s basic cyber hygiene. In fact, the very first of the CIS Critical Security Controls is to inventory and track all enterprise assets (end-user devices, network gear, mobile, IoT, servers, even cloud) so you “accurately know the totality of assets that need to be monitored and protected”. The reason is obvious: you can’t defend or upgrade what you don’t know exists.

Yet in practice, almost no CISO has a 100% handle on this. Every organization tries – they spin up CMDB projects, buy fancy asset discovery tools, run network scans – but it’s never properly budgeted and staffed, and it’s a moving target. Budgets are approved only for the next shiny discovery tool that promises to discover all your assets – but they never do. Business units add devices without telling IT, legacy systems linger, and new acquisitions bring in unknown assets. One 2023 survey even found that while 94% of IT leaders claimed to have a “live view” of all devices, nearly half were still tracking assets in spreadsheets – a recipe for blind spots and false confidence. Long story short, getting a truly comprehensive asset inventory has been frustratingly elusive for most security teams.

Quantum readiness can finally change that. It gives you the perfect catalyst (and excuse) to do asset inventory right. Why? Because before you can map out all your cryptographic algorithms, you first have to map out the systems and devices using those algorithms. PQC migration prep essentially forces you to shine a flashlight into every corner of your IT and OT estate. And here’s the opportunity: you can now justify budget and resources for this foundational task under the banner of “quantum resilience and compliance.” Unlike past asset inventory efforts that came out of your standard operating budget (and often got shelved when funds ran tight), this time you can say, “We need to discover all assets as a prerequisite for PQC compliance and risk reduction.” That tends to get board-level attention. It means fresh funding, executive backing, and cross-department cooperation that you might not get for routine cyber hygiene work. In many cases, a savvy CISO can piggyback long-needed asset management improvements onto the PQC program. If you already had some budget allotted for asset discovery in your regular roadmap, great – now you might free up those funds for other uses, since the quantum initiative will cover a chunk of it. Essentially, quantum readiness projects let you kill two birds with one stone: achieve your post-quantum goals and finally attain a complete, living inventory of your environment.

The benefits of nailing down your asset inventory go well beyond quantum cryptography. First, you’ll almost certainly uncover surprises – orphaned machines, forgotten IoT devices, shadow IT databases – some of which could be ticking security time bombs. (We regularly find all kinds of devices with live network connections and default credentials, or even dual-homed, completely unknown to the security team until an inventory sweep finds them.) Identifying and rectifying these blind spots immediately reduces your attack surface. Remember, you can’t secure what you can’t see, and unknown assets are a notorious source of breaches. In fact, nearly 73% of security leaders admit they’ve experienced incidents because some asset in their infrastructure was unmanaged or simply unknown. Once you have a solid inventory, all your other security functions get a boost. Vulnerability management can ensure no device is left unpatched. Incident responders know exactly what systems are in play during an investigation. SOC monitoring can cover every network segment where devices reside. Even IT operations benefit – you can manage upgrades and decommission obsolete gear more systematically. Fundamentally, you’re establishing visibility and control that make your entire security program more effective.

Inventory and Visibility: Immediate Wins from PQC Migration Prep

Now let’s talk about the process of preparing for post-quantum cryptography – because it yields some golden side benefits. The first step in any PQC migration is taking a comprehensive inventory of your cryptographic assets and algorithms. In plainer terms, you need to map out every system, application, and device in your enterprise that uses encryption or digital signatures, and document what cryptography it’s using (algorithms, key lengths, certificates, etc.). This might sound tedious – and it is – but guess what? It’s one of the best things you can do for your security posture right now.

Why? Most organizations have never done a thorough crypto inventory before. Over years, companies layer new applications, inherit legacy systems, outsource here, acquire a company there – and crypto implementations proliferate like wildflowers (or weeds). I’ve seen companies surprised to discover mission-critical applications still using 20-year-old encryption libraries, or rogue VPN appliances using default credentials, simply because no one had a full list of “where our encryption lives.” By forcing you to shine a flashlight into every corner of your IT estate, the PQC inventory exercise provides an invaluable visibility boost. It’s like a full network and software asset inventory, but with a focus on encryption. And you can’t secure what you don’t see.

In fact, even governments recognize this benefit. The U.S. NSM-10 explicitly required federal agencies to submit a complete inventory of their cryptographic systems within 6 months. The logic was that you must “understand which systems are impacted” before you can prioritize and migrate. Many private organizations are taking the hint and doing similar crypto audits. The immediate payoff is that you finally know what you’ve got under the hood – all the SSL/TLS implementations, all the VPN tunnels, all the places where data is encrypted (or should be). This often reveals shadow IT or forgotten systems that pose security risks today.

Think of it as a full-body scan for your IT security: maybe you’ll find that an internal admin tool is still using an outdated TLS 1.0 protocol, or that a database is using a weak hashing algorithm for passwords. These are the kinds of issues that attackers could exploit long before a quantum computer arrives. By doing a PQC-focused inventory now, you’re likely to uncover and fix such weaknesses as a byproduct. One global bank CISO told me their post-quantum readiness project doubled as a crypto hygiene cleanup – they discovered old self-signed certificates and legacy algorithms that were quietly undermining their compliance with current standards.

So, undertaking a cryptographic inventory gives you an immediate boost in security visibility and hygiene. Even before any new quantum-resistant algorithms are deployed, your environment becomes more defensible simply because you now know what you have and can apply consistent policies.

Fixing Today’s Cryptographic Vulnerabilities (Cleaning up the “Crypto Debt”)

Following on from the inventory comes another near-term benefit: finding and fixing cryptographic vulnerabilities you already have. Almost every mature organization has some amount of crypto debt – outdated or misconfigured encryption lurking in the tech stack. Common examples include: use of deprecated algorithms like SHA-1 or MD5, RSA keys that are too short, expired or self-signed certificates, unsupported cryptographic libraries, or even hard-coded secrets in legacy applications. These are security holes today, not tomorrow.

When you embark on quantum migration planning, you inevitably perform a cryptography audit. And when you do, it’s like shining a blacklight – all the ugly spots glow. It can be alarming, but it’s a huge opportunity to improve your cyber hygiene. For instance, you might discover that a third-party service your HR department uses is still relying on an insecure cipher suite for its HTTPS connections. Or you might realize that an internal tool never got the memo to disable TLS 1.0, putting internal data at risk. During normal operations, these issues often go unnoticed. But in preparing for PQC, they surface – and you can drive immediate remediation.

In essence, quantum readiness initiatives force you to confront your existing crypto weaknesses. The process will raise questions like: “Why do our IoT devices still use RSA-1024 certificates – who’s maintaining that? Should we upgrade them now?” or “We found a partner integration using an old VPN with pre-shared keys – that’s a problem.” By addressing these, you reduce your attack surface against current threats. You’re less likely to fall victim to known exploits (for example, an attacker cracking a weak RSA key or forging a signature due to a broken hash function).

I’ll give a concrete anecdote: One organization I advised discovered during their crypto inventory that a critical file-transfer server was using an out-of-the-box configuration with outdated algorithms. This server had passed routine IT audits for years, because the audits checked general patching and configs but not crypto specifics. It took the PQC project to put it under a microscope. The team promptly updated the configurations – closing a hole that, frankly, could have been exploited by a moderately skilled hacker with no quantum computer needed. These are the kind of immediate fixes that quantum readiness drives.
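As an added illustration that is not part of the original article, the following Python script shows the kind of triage a cryptographic inventory makes possible: it reads a constructed, simplified CBOM-style inventory (this example's own field names, not any standard CBOM format), separates crypto debt that is exploitable today (deprecated hashes, short RSA keys, self-signed or expired certificates, TLS 1.0, pre-shared-key VPNs) from quantum exposure, and ranks entries whose confidentiality lifetime outlasts an assumed Q-Day as harvest-now-decrypt-later risks. The sample records, the thresholds, and the 2030 Q-Day planning date are all assumptions of this example.

```python
import json
from datetime import date, timedelta

# Constructed sample inventory records (not real systems); the field names are
# this example's own simplified schema, not any standard CBOM format.
SAMPLE_INVENTORY = json.dumps([
    {"id": "crt-001", "asset": "file-transfer-server", "kind": "certificate",
     "algorithm": "RSA", "key_bits": 1024, "signature_hash": "SHA-1",
     "subject": "CN=ftp.example.internal", "issuer": "CN=ftp.example.internal",
     "not_after": "2027-01-01", "confidentiality_years": 10},
    {"id": "tls-002", "asset": "hr-admin-tool", "kind": "tls_endpoint",
     "algorithm": "ECDHE-RSA", "key_bits": 2048, "signature_hash": "SHA-256",
     "protocol_min": "TLS1.0", "confidentiality_years": 1},
    {"id": "pw-003", "asset": "legacy-db-users", "kind": "password_store",
     "algorithm": "MD5", "confidentiality_years": 3},
    {"id": "crt-004", "asset": "customer-api", "kind": "certificate",
     "algorithm": "ECDSA", "key_bits": 256, "signature_hash": "SHA-256",
     "subject": "CN=api.example.com", "issuer": "CN=Example Issuing CA",
     "not_after": "2025-01-01", "confidentiality_years": 15},
    {"id": "vpn-005", "asset": "partner-vpn", "kind": "vpn",
     "algorithm": "PSK", "protocol_min": "IKEv1", "confidentiality_years": 2},
    {"id": "kem-006", "asset": "archive-encryption", "kind": "kem",
     "algorithm": "X25519+CRYSTALS-Kyber", "confidentiality_years": 20},
])

# Policy thresholds: common baseline values assumed here, not any regulator's text.
DEPRECATED_HASHES = {"MD5", "SHA-1"}
DEPRECATED_PROTOCOLS = {"SSLv3", "TLS1.0", "TLS1.1"}
MIN_RSA_BITS = 2048
# Public-key schemes a CRQC would break; hashes and symmetric keys are not in this set.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDHE", "ECDSA", "X25519", "Ed25519"}
PQ_SAFE = {"Kyber", "Dilithium"}   # the NIST-selected CRYSTALS schemes the article names
EXPOSURE_RANK = {"hndl-at-risk": 3, "migrate-before-qday": 1,
                 "pq-safe": 0, "not-quantum-vulnerable": 0}


def _tokens(algorithm):
    """'ECDHE-RSA' -> {'ECDHE', 'RSA'}; hybrids are written 'X25519+CRYSTALS-Kyber'."""
    return set(algorithm.replace("+", "-").split("-"))


def crypto_debt(entry, today):
    """Weaknesses exploitable now, with no quantum computer needed."""
    findings = []
    toks = _tokens(entry["algorithm"])
    if entry.get("signature_hash") in DEPRECATED_HASHES:
        findings.append(f"deprecated signature hash {entry['signature_hash']}")
    if entry["kind"] == "password_store" and entry["algorithm"] in DEPRECATED_HASHES:
        findings.append(f"weak password hash {entry['algorithm']}")
    if "RSA" in toks and entry.get("key_bits", 0) < MIN_RSA_BITS:
        findings.append(f"short RSA key ({entry.get('key_bits', 0)} bits)")
    if entry.get("protocol_min") in DEPRECATED_PROTOCOLS:
        findings.append(f"deprecated protocol {entry['protocol_min']}")
    if entry["kind"] == "certificate":
        if date.fromisoformat(entry["not_after"]) < today:
            findings.append("expired certificate")
        if entry.get("subject") == entry.get("issuer"):
            findings.append("self-signed certificate")
    if entry["kind"] == "vpn" and "PSK" in toks:
        findings.append("pre-shared-key VPN")
    return findings


def quantum_exposure(entry, today, qday):
    """Classify against an assumed Q-Day. Data that must stay secret past Q-Day is
    exposed to harvest-now-decrypt-later today; the rest still needs migrating
    before Q-Day but is not yet at risk from traffic recorded now."""
    toks = _tokens(entry["algorithm"])
    if toks & PQ_SAFE:                 # a hybrid counts as safe if any component is PQ
        return "pq-safe"
    if not toks & QUANTUM_VULNERABLE:
        return "not-quantum-vulnerable"
    secret_until = today + timedelta(days=365 * entry["confidentiality_years"])
    return "hndl-at-risk" if secret_until > qday else "migrate-before-qday"


def triage(inventory_json, today, qday):
    """Rank inventory entries: quantum exposure dominates, crypto debt breaks ties."""
    rows = []
    for e in json.loads(inventory_json):
        debt = crypto_debt(e, today)
        exposure = quantum_exposure(e, today, qday)
        rows.append({"id": e["id"], "asset": e["asset"], "exposure": exposure,
                     "debt": debt, "score": EXPOSURE_RANK[exposure] * 10 + len(debt)})
    return sorted(rows, key=lambda r: (-r["score"], r["id"]))


def run_sample(today=date(2025, 7, 1), qday=date(2030, 1, 1)):
    """Triage the constructed inventory against an assumed 2030 Q-Day planning date."""
    return triage(SAMPLE_INVENTORY, today, qday)


if __name__ == "__main__":
    for r in run_sample():
        print(f"{r['score']:>3}  {r['id']:<8} {r['exposure']:<22} {'; '.join(r['debt']) or '-'}")
```

The file-transfer server from the anecdote above lands at the top of the list for both reasons at once: three findings exploitable today, plus data that must stay confidential past the assumed Q-Day.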

Regulators like the U.S. NSA have noted this side effect too. The NSA’s guidance for national security systems (NSS) not only pushes post-quantum algorithms by 2035, but also calls for eliminating weak crypto in the near term (e.g. requiring quantum-resistant solutions for things like software signing and web traffic by 2025). The thinking is clear: the journey to PQC naturally involves upgrading and patching your cryptography, which yields a safer environment right now.

Crypto-Agility: Future-Proofing for Any New Threat

One term you’ll hear a lot in these discussions is “crypto-agility.” This isn’t just buzzword bingo – it’s a crucial capability for security longevity. Crypto-agility means having systems and processes that can swiftly swap out cryptographic algorithms and protocols without needing a complete overhaul. Think of it as modular encryption: if one component becomes unsafe or non-compliant, you can drop in a new one.

Why is this important beyond the quantum scenario? Because cryptography doesn’t stand still. We’ve seen algorithms that were once trusted become obsolete in a matter of years (for example, RC4, DES, SHA-1 – all strong in their heyday, all now retired due to weaknesses). New compliance requirements also emerge (like mandates for longer keys or newer protocols). If your organization is crypto-agile, you can handle these changes with far less pain. If not, even a minor crypto change can be like pulling a thread in a sweater – things unravel.

Preparing for PQC inherently pushes you to build crypto-agility. You’ll be refactoring systems to support new quantum-resistant algorithms (like CRYSTALS-Kyber for encryption or CRYSTALS-Dilithium for digital signatures, which NIST has selected). During that process, smart teams will set up their systems to be flexible: perhaps implementing a hybrid crypto approach (using classical and post-quantum algorithms together initially), abstracting cryptographic implementations behind interfaces, and generally avoiding hard-coded crypto choices in software. All of these practices ensure that next time an algorithm needs replacement – whether due to a new quantum breakthrough or a traditional vulnerability – you can do it quickly through configuration or routine updates.
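To make the agility practices above concrete, here is an added example (not from the article) of a small policy-driven MAC layer in Python: application code names algorithms by identifier only, a policy decides what to sign with and what to still accept, a hybrid token requires both tags to verify, and retiring an algorithm is a policy change that rejects old tokens rather than a code rewrite. HMAC variants stand in for the KEM and signature pairs a real PQC hybrid would use, because they run with the standard library alone; the policy names and the token format are this example's own.

```python
import hashlib
import hmac
import secrets

# Algorithm registry: callers name a MAC only by identifier, so adding or retiring
# an algorithm is a change here and in policy, never in application code.
ALGORITHMS = {
    "hmac-sha1": hashlib.sha1,          # legacy, to be retired
    "hmac-sha256": hashlib.sha256,
    "hmac-sha3-256": hashlib.sha3_256,
}


def _mac(alg, key, msg):
    return hmac.new(key, msg, ALGORITHMS[alg]).hexdigest()


class AgileMac:
    """Policy-driven MAC. `sign_with` names one algorithm, or two for a hybrid
    token that verifies only if both tags verify; `accept` lists the algorithms
    still allowed on incoming tokens while older ones are phased out."""

    def __init__(self, keys, sign_with, accept):
        self.keys = keys                      # one independent key per algorithm
        self.sign_with = list(sign_with)
        self.accept = set(accept)

    def sign(self, msg):
        tags = [_mac(a, self.keys[a], msg) for a in self.sign_with]
        return "+".join(self.sign_with) + ":" + ".".join(tags)   # self-describing token

    def verify(self, msg, token):
        alg_part, _, tag_part = token.partition(":")
        algs, tags = alg_part.split("+"), tag_part.split(".")
        if len(algs) != len(tags) or not set(algs) <= (self.accept & set(ALGORITHMS)):
            return False   # unknown or retired algorithm: reject rather than downgrade
        return all(hmac.compare_digest(_mac(a, self.keys[a], msg), t)
                   for a, t in zip(algs, tags))


def migration_walkthrough(msg=b"constructed payload"):
    """Three policy snapshots of one migration, with no caller code changing."""
    keys = {a: secrets.token_bytes(32) for a in ALGORITHMS}
    legacy = AgileMac(keys, ["hmac-sha1"], {"hmac-sha1"})
    transition = AgileMac(keys, ["hmac-sha256", "hmac-sha3-256"],
                          {"hmac-sha1", "hmac-sha256", "hmac-sha3-256"})
    final = AgileMac(keys, ["hmac-sha256", "hmac-sha3-256"],
                     {"hmac-sha256", "hmac-sha3-256"})
    old_token = legacy.sign(msg)
    new_token = transition.sign(msg)
    tampered = new_token[:-1] + ("0" if new_token[-1] != "0" else "1")
    return {
        "transition_accepts_legacy": transition.verify(msg, old_token),
        "transition_accepts_hybrid": transition.verify(msg, new_token),
        "final_rejects_legacy": not final.verify(msg, old_token),
        "final_accepts_hybrid": final.verify(msg, new_token),
        "tampered_rejected": not final.verify(msg, tampered),
        "hybrid_header": new_token.split(":")[0],
    }


if __name__ == "__main__":
    for k, v in migration_walkthrough().items():
        print(f"{k}: {v}")
```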

Leading security agencies emphasize this. The Canadian Centre for Cyber Security, for example, explicitly states that “cryptographic agility is a best practice” so that systems remain secure even if algorithms are broken, and it hinges on maintaining an inventory and interchangeable crypto components. In other words, be ready to pivot when cryptography changes. By investing in quantum readiness, you’re essentially training your organization in agility. You establish processes to update crypto libraries, manage keys at scale, test new algorithms in your environment, and coordinate these changes across different products and teams. Those processes won’t just apply to quantum algorithms – they’ll make you nimble for any cryptographic curveball.

This pays compliance dividends too. Consider future privacy regulations or industry standards that might require, say, moving from RSA to elliptic-curve (we’ve already seen PCI and others push for more modern TLS configurations), or from one hash function to another. With crypto-agility, such mandates are less scary – you can comply by tweaking settings rather than rewriting code for months. Your security infrastructure becomes more resilient to change, which is a hallmark of mature cybersecurity programs.

Summing it up: Quantum readiness forces you to bake agility into your cryptographic systems. That’s a gift that keeps on giving. Whether it’s a new NIST recommendation in 2028 or a sudden vulnerability found in an algorithm, you’ll be ready to respond without breaking a sweat (or breaking your apps).

Supply Chain Security: Extending Quantum Readiness to Your Vendors

It’s not just your own systems that need quantum-hardening – it’s your vendors’ as well. A post-quantum program forces you to extend your security scrutiny beyond your walls and into your supply chain. Think of all the third-party software, cloud services, and vendors that handle your data or connect to your network. If even one critical supplier lags in upgrading their cryptography, that weak link could undermine everyone. CISOs who start engaging vendors now about their PQC roadmap are effectively inoculating their ecosystem against future threats. In fact, U.S. agencies like CISA explicitly advise organizations to assess their supply chain’s quantum readiness and to proactively engage technology vendors on their plans and responsibilities for PQC. By asking partners “What’s your post-quantum migration plan?” you’re not only protecting your own flank – you’re also sending a message that security is a non-negotiable criterion for doing business.

The immediate payoff here is twofold. First, you’re likely to discover which of your vendors are forward-thinking and which are asleep at the wheel. Some suppliers may not even be aware of looming quantum requirements – your inquiry can spur them to start their own crypto-upgrade (a rising tide lifts all boats). We’ve seen cases where a PQC readiness review prompted a vendor to patch a weak encryption module years before it might otherwise have been caught. Second, by baking PQC criteria into procurement and contracts going forward, you fundamentally raise the security baseline of your supply chain.

There’s a softer, but important, benefit too: running a quantum preparedness program forces greater collaboration between departments. To tackle vendor risk, your security team will need to work closely with procurement, legal, and enterprise risk teams – perhaps even forming a “quantum-ready” task force. This cross-functional teamwork pays dividends immediately. It breaks security out of its silo and embeds it into vendor management and business processes. The security team gains a clearer view of upcoming tech purchases, and the procurement/legal teams become more fluent in cybersecurity matters. That improved communication and security-by-design mindset will help with many other initiatives, not just PQC.

In short, just like the asset inventory discussed above, supply chain cyber risk management is another foundational cyber hygiene function that is rarely addressed fully. A quantum readiness program gives you the opportunity to finally fund this effort correctly, implement all the necessary tools and processes, and change the relationship with your procurement team and your suppliers, benefiting your overall security posture right away.

Data Governance: Protecting Long-Lived Secrets (and Cleaning House)

Another often overlooked perk of quantum readiness is the chance to radically improve your data hygiene. Post-quantum planning isn’t only about algorithms; it starts with asking “Which data do we truly need to keep secure for decades?” This inevitably leads to a thorough data classification and retention review. You’ll map out which datasets are sensitive and have long-term confidentiality needs – and which do not. Most organizations have never scrutinized their information in this way. As a result, they accumulate years of archives and backups without a strong business case. Quantum risk forces the issue: if you’re holding data that will still be sensitive in 5, 10, or 20 years, you either need to protect it with quantum-resistant crypto or consider disposing of it before Q-Day. It’s a fantastic motivator to finally implement that “data lifecycle management” everyone talks about. In fact, experts recommend prioritizing “long-lived data” in your PQC plans – focusing your encryption upgrades on information that truly must remain confidential beyond the 2020s. By the same token, you’ll identify data that has passed its useful life. Why spend time and money re-encrypting a trove of outdated customer records or old intellectual property that you no longer need or that is past regulatory retention requirements? Far better to securely archive or delete it now.

Clearing out obsolete data isn’t just good prep for the quantum era – it dramatically reduces your current risk and costs. We’ve seen security teams seize this moment to delete aging encryption keys, old databases, and miscellaneous files that had been lurking in backups – drastically shrinking the footprint of sensitive data that could be stolen or ransomed. Even regulated data that must be kept (say, for compliance) can often be minimized; for instance, by securely removing personal identifiers or aggregating records. Every record you sanitize or shred today is one less thing that could be decrypted by an adversary tomorrow.

Attracting and Retaining Top Cyber Talent with Future-Focused Work

Here’s a benefit many overlook: working on forward-looking projects like quantum security can be a huge morale and talent attraction boost for your cybersecurity team. Let’s face it – one reason burnout is high in our field is that too many skilled practitioners spend their days doing unglamorous tasks (chasing phishing emails, responding to compliance checklists, etc.). The chance to tackle cutting-edge challenges can reinvigorate a team’s sense of purpose. I’ve witnessed it firsthand: when a CISO announces an initiative to, say, prototype post-quantum encryption in the corporate network, suddenly the crypto enthusiasts and ambitious engineers in the org light up. It’s an opportunity to learn new skills and work on something “cool.” Since I started Applied Quantum, I have been contacted daily by cyber professionals in my network and former colleagues interested in joining me, even though they are happy in their current roles – they just want to jump at the chance to do something new and cool.

In a competitive job market for cybersecurity, being an organization that invests in innovative projects can set you apart. Talented professionals often choose roles not just for salary, but for growth and interest. If you can say, “Come work with us – we’re implementing next-gen cryptography and tackling tomorrow’s threats today,” that’s a compelling pitch. It signals that your security program isn’t stuck in reactive mode, but rather pushing the envelope. Many top young analysts and engineers want exposure to things like quantum-safe crypto, AI in security, cloud-native security architectures, etc.

Moreover, involving your current team in these efforts helps with retention. It breaks up the monotony of day-to-day operations. Imagine telling your security architects and engineers that they get 20% of their time this quarter to experiment with integrating a post-quantum library into an internal application, or to run a lab test of quantum-resistant VPN software. This isn’t a distraction – it’s training. You’re investing in your people’s skills. Surveys of cybersecurity professionals frequently show that lack of advancement or training is a top reason for job dissatisfaction. On the flip side, organizations that invest in staff development and interesting projects have better retention rates. (In fact, 72% of organizations in a recent (ISC)² survey said they invest in staff training to strengthen their teams, underscoring how important growth opportunities are.)

So, by being proactive about quantum security, you send a message internally and externally: we are a cyber leader, and our people get to work on important, novel challenges. That draws in high-caliber talent who might otherwise gravitate to more “exciting” tech companies or research roles. And it keeps your existing talent engaged. One CISO told me that their post-quantum task force became a hot ticket – folks from different IT and engineering groups volunteered to join because it was seen as an elite, forward-thinking initiative. In an era where skilled cyber personnel are hard to hire and harder to keep, this is a non-trivial benefit.

Boosting Stakeholder Confidence and Reputation

Last but certainly not least, demonstrating quantum readiness bolsters confidence among all your stakeholders – from customers and business partners to regulators and investors. It shows that your organization is not just securing the present, but also anticipating the future. In the world of corporate risk (and especially in industries like finance, healthcare, and critical infrastructure), this kind of foresight and diligence is a reputational asset.

Think about the due diligence questionnaires or security assessments your enterprise goes through. Today, they might not have a section on “quantum-resistant cryptography” – but soon they very well could. Even now, savvy partners might ask how you protect data against long-term threats. If you can answer: “We have a roadmap in place for post-quantum cryptography and are already inventorying and strengthening our cryptographic controls,” that instills confidence. It tells them you’re not just ticking the basic compliance boxes, but truly aiming to safeguard data for its entire lifecycle. This is especially pertinent for data with long confidentiality needs – for example, healthcare records or trade secrets that need to stay secret for 10+ years, as discussed above.

From a regulator’s viewpoint, being quantum-ready puts you in a proactive light. If an examiner or audit team brings up PQC (and they increasingly will), you’ll be ready to show them plans, policies, and progress. That can only help your compliance profile. Even if no one explicitly asks, including a note about quantum preparedness in your annual security report or ESG (Environmental, Social, Governance) disclosures can be a differentiator. It’s evidence of good governance. Just as companies that adopted cloud security early or embraced zero-trust architectures earned a certain cachet for being ahead of the curve, so too will those who can say they are “quantum-resistant” in their security posture.

And let’s not forget the board and executive stakeholders. Cybersecurity is a regular board agenda item now, and board members fret about systemic risks and the next big threat around the corner. When you brief them that you’ve initiated a quantum readiness program – aligned with NIST guidelines, supporting compliance, improving your security fundamentals – it provides reassurance that the security team is thinking long-term. It flips the narrative from always reacting (breach, patch, repeat) to strategically preparing. I’ve seen board directors visibly relax when we explain how an organization is preparing for quantum risks: “Okay, good, one less black swan to worry about.” In some cases, it even becomes a bragging point to shareholders or customers (“Our company is one of the first in our sector to implement quantum-safe encryption…”).

In short, quantum readiness is a trust signal.

Conclusion

Yes, quantum computing capable of cracking today’s encryption is still on the horizon. We don’t know exactly if it’s 4 years, 7 years, or more before “Q-day” arrives. But preparing for it is not an exercise in science fiction – it’s a very practical program that yields benefits immediately. Regulators are pushing us all in this direction, which means boards are willing to fund it. The journey forces you to finally catalog your cryptographic assets and clean up long-standing weaknesses, improving your security posture right now. It builds agility so you can handle any crypto curveballs the future throws. It energizes your team and attracts talent by giving them something exciting to work on. And it demonstrates to the world that your organization is on top of emerging threats, thereby inspiring confidence. For a CISO or CIO, that’s a legacy worth achieving.


(I explore these points, and much more, in my upcoming book, “Practical Quantum Resistance”. If you’re looking for clear strategies and actionable guidance to get your organization quantum-ready, head over to QuantumResistance.com and sign up to stay in the loop!)

Marin Ivezic

I am the Founder of Applied Quantum (AppliedQuantum.com), a research-driven professional services firm dedicated to helping organizations unlock the transformative power of quantum technologies. Alongside leading its specialized service, Secure Quantum (SecureQuantum.com)—focused on quantum resilience and post-quantum cryptography—I also invest in cutting-edge quantum ventures through Quantum.Partners. Currently, I’m completing a PhD in Quantum Computing and authoring an upcoming book “Practical Quantum Resistance” (QuantumResistance.com) while regularly sharing news and insights on quantum computing and quantum security at PostQuantum.com. I’m primarily a cybersecurity and tech risk expert with more than three decades of experience, particularly in critical infrastructure cyber protection. That focus drew me into quantum computing in the early 2000s, and I’ve been captivated by its opportunities and risks ever since. So my experience in quantum tech stretches back decades, having previously founded Boston Photonics and PQ Defense where I engaged in quantum-related R&D well before the field’s mainstream emergence. Today, with quantum computing finally on the horizon, I’ve returned to a 100% focus on quantum technology and its associated risks—drawing on my quantum and AI background, decades of cybersecurity expertise, and experience overseeing major technology transformations—all to help organizations and nations safeguard themselves against quantum threats and capitalize on quantum-driven opportunities.