Key insight
A multi-year migration survives only with leadership funding and attention. Govern it (named owner, exec sponsor, steering group, decisions tied to the risk register, progress tracked by the 0–5 maturity score). Frame it in the three things executives act on — risk (lead with harvest-now-decrypt-later), cost (phased budget vs breach), timeline (Mosca: waiting increases risk). Map it to compliance drivers (deprecation ~2030 / disallow 2035; sector regulators). Then put it all on one page.
Translate cryptography into risk, cost, timeline, and compliance — on a single page — and the programme stays funded and on track.
The governance machinery
Give the programme a named owner, an executive sponsor, and a small steering group that meets regularly. Tie every decision back to the risk register so priorities stay defensible. Track progress with the maturity model — a single 0–5 number a board can grasp and watch improve. Keep the inventory living and revisit the plan as standards and quantum timelines shift.
Framing for executives
Executives act on risk, cost, and timeline — not cryptographic detail. Translate:
| Lens | How to frame it |
|---|---|
| Risk | Lead with harvest-now-decrypt-later: long-shelf-life data is being stolen today — exposure is present tense. |
| Cost | A phased, budgeted programme with biggest risk reduction early — vs the cost of a breach or a last-minute scramble. |
| Timeline | Mosca’s inequality: waiting is itself a decision that increases risk. |
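Mosca's inequality as an added worked example (not code from the original guide): an asset is exposed when shelf life X plus migration time Y exceeds the time Z until a cryptographically relevant quantum computer exists. The inventory rows and the planning figure Z = 10 years are constructed assumptions; the script ranks assets for the risk register and shows how each year of delayed start pushes more of them into exposure.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One row of the cryptographic inventory (constructed sample data)."""
    name: str
    shelf_life_years: float   # X: how long the data must stay confidential
    migration_years: float    # Y: estimated effort to move this system to PQC


def mosca_margin(asset: Asset, z_years: float, delay_years: float = 0.0) -> float:
    """Mosca's inequality: exposed when X + Y > Z.

    Returns Z - (X + Y + delay); a negative margin means data encrypted today
    can be harvested now and decrypted later. Waiting `delay_years` before
    starting is modelled as adding those years to the migration time Y.
    """
    return z_years - (asset.shelf_life_years + asset.migration_years + delay_years)


def rank_for_risk_register(assets, z_years, delay_years=0.0):
    """Most-exposed assets first, ready to paste into the risk register."""
    rows = [(a.name, mosca_margin(a, z_years, delay_years)) for a in assets]
    return sorted(rows, key=lambda row: row[1])


def exposure_count(assets, z_years, delay_years=0.0):
    """How many assets already violate Mosca's inequality."""
    return sum(1 for _, margin in rank_for_risk_register(assets, z_years, delay_years)
               if margin < 0)


# Constructed inventory; Z is an assumed planning figure, not a forecast.
Z_YEARS = 10.0
INVENTORY = [
    Asset("Customer health records", shelf_life_years=20, migration_years=3),
    Asset("Long-term contracts", shelf_life_years=7, migration_years=2),
    Asset("Session telemetry", shelf_life_years=0.5, migration_years=1),
    Asset("Signed firmware images", shelf_life_years=12, migration_years=4),
]

if __name__ == "__main__":
    for delay in (0, 2, 4):
        exposed = exposure_count(INVENTORY, Z_YEARS, delay)
        print(f"start delayed {delay}y: {exposed}/{len(INVENTORY)} assets exposed")
    for name, margin in rank_for_risk_register(INVENTORY, Z_YEARS):
        print(f"  {name:<26} margin {margin:+.1f} years")
```

Feeding your own inventory's X and Y estimates through `rank_for_risk_register` gives the "present tense" risk ordering the Risk row asks for.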
Mapping to compliance
Regulatory pressure turns a good idea into a mandate. Map each driver to the parts of your roadmap that satisfy it, so leadership sees migration as a path to staying compliant — not optional hygiene.
| Driver | Signal |
|---|---|
| National guidance (e.g. NIST IR 8547) | Classical public-key deprecated ~2030, disallowed after 2035 |
| NSA CNSA 2.0 | PQC required for national-security systems — e.g. software- & firmware-signing on PQC by 2030, full adoption across systems by 2035 |
| Sector regulators | Finance, healthcare & critical infrastructure moving from inquiry (readiness questionnaires) toward mandates — treat “asking” as an early warning to get ahead of |
The one-page exec summary
Executives read one page. Keep it jargon-free, anchored in business impact, and refresh it each cycle with the maturity score trending up.
Post-Quantum Readiness — Executive Summary
One page. Refreshed each reporting cycle.
- Situation
  - Quantum computing will break today’s public-key cryptography; harvesting of encrypted data is happening now.
- Exposure
  - Our highest-risk, long-shelf-life data and systems (name the top few).
- Where we stand
  - Current maturity level (0–5) and target level.
- The plan
  - Phased waves and their timeline (from the roadmap).
- The ask
  - Budget and resources needed for the next phase.
- Cost of inaction
  - Framed in risk and compliance terms (deadlines, breach exposure) — a rough figure from your breach-exposure model, not a blank “TBD”.
Key terms
- Executive sponsor
  - A senior leader who owns funding and unblocks the programme.
- Steering group
  - The small body that governs decisions against the risk register.
- Compliance driver
  - A regulation or guidance that mandates or dates the migration.
- Executive summary
  - A one-page, jargon-free brief in business terms.
- NIST (National Institute of Standards and Technology) / IR (Internal Report)
  - The US standards body and its report series; NIST IR 8547 sets the deprecate-~2030 / disallow-2035 timeline.
- NSA (National Security Agency) / CNSA 2.0
  - The US agency and its Commercial National Security Algorithm suite mandating PQC for national-security systems.
- PQC (Post-Quantum Cryptography)
  - The quantum-resistant algorithms that regulations increasingly require.
What to carry forward
- Govern with an owner, sponsor, steering group, and a maturity score the board can watch.
- Frame in risk, cost, timeline — lead with harvest-now and Mosca.
- Map work to compliance drivers (deprecation ~2030 / disallow 2035; sector regulators).
- Put it on one page: situation, exposure, maturity, plan, ask, cost of inaction.
That completes the field guide: you now have the full arc from “what is a key?” to “report readiness to the board.”
Understand it in your own words
Paste into any AI assistant to check yourself:

```text
I'm learning to govern and report a post-quantum migration. Quiz me one question at a time, correcting me gently:
1. What governance roles and artefacts keep the programme on track?
2. What are the three lenses executives actually act on, and how do I frame each?
3. How does harvest-now-decrypt-later make the risk "present tense"?
4. Name two compliance drivers and why they turn migration into a mandate.
5. What six lines belong on the one-page executive summary?
```
References & further reading
- NIST, IR 8547: Transition to Post-Quantum Cryptography Standards (deprecation timeline). csrc.nist.gov/pubs/ir/8547
- CISA, NSA & NIST, Quantum-Readiness: Migration to PQC (governance & engagement). cisa.gov/quantum
- NSA, Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), PDF.
- World Economic Forum, Transitioning to a Quantum-Secure Economy (board-level framing). weforum.org