Deep Dive Series

PQC Governance: The Complete Program Leadership Guide

Most PQC migration programs don’t stall because of a technical problem. They stall because nobody owns them. Two financial services organizations I worked with in 2026 had the budget, the technical readiness, and the executive awareness, yet still pushed their start dates by nine months because they couldn’t answer a single question: who leads this? This Deep Dive series provides the answer, starting with the governance model that works in practice: one accountable executive, a cross-functional steering committee, a dedicated program office, and specialist execution teams.

The series then examines each governance layer in depth. It covers how boards discharge their PQC risk oversight duties through risk appetite statements and cascading KRIs. It maps six real-world CISO organizational models to determine who should lead in your specific structure. It tackles the cost estimation problem that kills programs in the CFO’s office, addresses vendor and supply chain governance at enterprise scale, and lays out the two-layer execution model that separates infrastructure migration from application-layer work. The final article answers the major objections that CISOs and boards encounter when standing up PQC programs, with evidence and historical precedent.


Related Resources

PQC Migration Framework

The governance model tells you who leads and how decisions are made. The migration methodology tells you what to do. The open-source PQC Migration Framework at pqcframework.com provides the structured 8-phase lifecycle (covering cryptographic inventory, risk assessment, strategy, migration, validation, and ongoing operations) that sits beneath any governance structure this series describes.

For the full organizational readiness guide, including how to brief a board, build the business case, staff the program, and execute the migration, see Quantum Ready, the forthcoming practitioner’s handbook for quantum readiness.