Part 7: What CIOs, CISOs, and Boards Must Do Today

  • Writer: Bridge Connect
  • Jul 7

Post-quantum cryptography (PQC) has graduated from academic debate to enterprise imperative. With standards finalised, pilots underway, and national mandates emerging, the quantum threat is now a boardroom issue. This article outlines the most urgent actions that CIOs, CISOs, and board directors must take to assess exposure, mitigate long-term risk, and lead a coordinated transition to quantum-safe infrastructure.


1. The Governance Challenge: Quantum Risk Isn’t Just Technical

Quantum decryption risk is often misunderstood as a niche technical threat. But its consequences are strategic:

  • Long-term sensitive data may be compromised retroactively.

  • National regulations will mandate PQC adoption on tight timelines.

  • Customers and partners will expect assurance of quantum resilience.

The board’s responsibility is not to choose algorithms, but to ensure that quantum readiness is funded, governed, and executed within an accountable framework—just like climate risk, cybersecurity, or financial compliance.


2. Key Questions for CIOs and CISOs

CIOs and CISOs should drive internal readiness by answering the following:

  • Where is vulnerable cryptography used across our systems, products, and data flows?

  • What is the confidentiality timeline for our sensitive data (e.g., medical, financial, IP)?

  • Do we have a current inventory of cryptographic dependencies?

  • Are our software and hardware systems crypto-agile (i.e., able to switch to PQC without major rework)?

  • Are our vendors and cloud providers aligned with PQC transition timelines?

Answers to these questions must be escalated and understood at the board level.


3. First-Mover Playbook: What Leading Organisations Are Doing Now

Organisations ahead of the curve are:

  • Appointing quantum-readiness leads or working groups within their cybersecurity and architecture teams.

  • Issuing procurement guidelines that mandate crypto-agility in all new hardware and software acquisitions.

  • Starting dual-track pilots, testing both hybrid and pure PQC implementations in isolated systems.

  • Embedding PQC language into RFPs and third-party contracts.

  • Engaging legal and compliance teams to prepare for upcoming regulations (e.g., CNSA 2.0, EU DORA, eIDAS2).

These steps mirror past best practices for GDPR or ESG compliance—and will be expected in PQC governance reviews.


4. Structuring Board Oversight

Boards should integrate quantum risk into existing cybersecurity and enterprise risk frameworks:

  • Add quantum to the risk register under “cryptographic obsolescence.”

  • Request quarterly reporting on PQC readiness and crypto-inventory progress.

  • Engage the audit committee to assess regulatory exposure.

  • Tie executive incentives to roadmap completion or vendor alignment KPIs.

Quantum readiness should not be treated as a one-time project, but as an evolving capability.


5. Timeline: What to Do Now, Next, and by 2030

Phase        Action
2025–2026    Inventory crypto systems; engage vendors; test pilot PQC implementations
2026–2028    Migrate high-risk systems to hybrid or quantum-safe algorithms
2028–2030    Complete enterprise-wide PQC rollout; confirm compliance

Some regulators (e.g., NSA, NCSC) will expect visible compliance by 2027. Long-lived data must be protected now.

"Quantum risk is a governance issue. Boards must treat cryptographic obsolescence like any other systemic risk: with funding, oversight, and a roadmap."


Next in the Series: Part 8 — Beyond PQC: Quantum Key Distribution, Blockchain Risk, and What Comes Next
