Key insight

A multi-year migration survives only with leadership funding and attention. Govern it (named owner, exec sponsor, steering group, decisions tied to the risk register, progress tracked by the 0–5 maturity score). Frame it in the three things executives act on — risk (lead with harvest-now-decrypt-later), cost (phased budget vs breach), timeline (Mosca: waiting increases risk). Map it to compliance drivers (deprecation ~2030 / disallow 2035; sector regulators). Then put it all on one page.

In one sentence

Translate cryptography into risk, cost, timeline, and compliance — on a single page — and the programme stays funded and on track.

The governance machinery

Give the programme a named owner, an executive sponsor, and a small steering group that meets regularly. Tie every decision back to the risk register so priorities stay defensible. Track progress with the maturity model — a single 0–5 number a board can grasp and watch improve. Keep the inventory living and revisit the plan as standards and quantum timelines shift.

Framing for executives

Executives act on risk, cost, and timeline — not cryptographic detail. Translate:

Lens        How to frame it
Risk        Lead with harvest-now-decrypt-later: long-shelf-life data is being stolen today — exposure is present tense.
Cost        A phased, budgeted programme with biggest risk reduction early — vs the cost of a breach or a last-minute scramble.
Timeline    Mosca’s inequality: waiting is itself a decision that increases risk.

Mosca in one line for the board: if the years your data must stay secret (X) plus the years your migration will take (Y) is greater than the years until a capable quantum computer arrives (Z) — X + Y > Z — then you are already too late to start later. That single inequality is usually the most persuasive slide: it turns “quantum is years away” into “our migration time means the deadline is now.”

Putting a number on it: executives will ask “what am I budgeting, and against what?” Build the cost side bottom-up from the roadmap — a rough per-wave figure (people + tooling + vendor work) summed across the programme. Build the cost of inaction side from your own breach-exposure model: take the value/regulatory penalty of the highest-risk long-shelf-life data and weight it by the likelihood that harvested ciphertext is decrypted within its shelf life. You’re not aiming for accounting precision — you’re showing that a phased, budgeted programme is far cheaper than a forced last-minute scramble or a disclosed breach.
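Putting Mosca's inequality and the bottom-up cost comparison above into code, as an added worked example that is not part of the field guide: every figure in it (the 10-year quantum horizon Z, the data classes with their shelf lives, migration times, exposure values and decryption likelihoods, and the per-wave budget) is a constructed placeholder for illustration, not an estimate from any source. The script applies the X + Y > Z test per data class and computes the two numbers the slide needs: the phased programme budget and the likelihood-weighted cost of inaction.

```python
"""Mosca's inequality and a rough cost-of-inaction model for a board slide.

Added worked example, not from the field guide. Every number below is
constructed for illustration: replace it with your own inventory, roadmap
and breach-exposure model.
"""
from dataclasses import dataclass

# Z: assumed years until a cryptographically relevant quantum computer
# (constructed placeholder, not a forecast).
Z_YEARS = 10.0


@dataclass(frozen=True)
class DataClass:
    name: str
    shelf_life_years: float          # X: how long the data must stay secret
    migration_years: float           # Y: how long migrating its protections takes
    exposure_value: float            # loss if disclosed (value + regulatory penalty)
    p_decrypt_in_shelf_life: float   # likelihood harvested ciphertext is decrypted in time


# Constructed inventory of the highest-risk data classes.
DATA_CLASSES = [
    DataClass("customer health records", 25, 4, 40_000_000, 0.6),
    DataClass("signed firmware images", 12, 5, 25_000_000, 0.4),
    DataClass("payment card data", 3, 3, 15_000_000, 0.1),
    DataClass("marketing web traffic", 0.5, 1, 200_000, 0.01),
]

# Constructed phased budget: (wave, people, tooling, vendor work).
PROGRAMME_WAVES = [
    ("wave 1: inventory and highest-risk data", 1_200_000, 300_000, 500_000),
    ("wave 2: signing and firmware", 900_000, 200_000, 800_000),
    ("wave 3: remaining external-facing TLS", 600_000, 150_000, 200_000),
]


def mosca_margin(x: float, y: float, z: float) -> float:
    """Z - (X + Y): negative means X + Y > Z, i.e. the deadline has already passed."""
    return z - (x + y)


def mosca_report(data_classes=DATA_CLASSES, z: float = Z_YEARS) -> dict:
    """Per data class: (margin in years, verdict for the board)."""
    report = {}
    for dc in data_classes:
        margin = mosca_margin(dc.shelf_life_years, dc.migration_years, z)
        if margin < 0:
            verdict = "already late"
        elif margin < 2:  # constructed threshold: almost no slack left
            verdict = "start now"
        else:
            verdict = f"must start within {margin:.1f} years"
        report[dc.name] = (round(margin, 1), verdict)
    return report


def programme_cost(waves=PROGRAMME_WAVES) -> float:
    """Bottom-up roadmap cost: per-wave people + tooling + vendor work, summed."""
    return sum(people + tooling + vendor for _, people, tooling, vendor in waves)


def cost_of_inaction(data_classes=DATA_CLASSES) -> float:
    """Expected loss: each class's exposure value weighted by the likelihood that
    ciphertext harvested today is decrypted within the data's shelf life."""
    return sum(dc.exposure_value * dc.p_decrypt_in_shelf_life for dc in data_classes)


def board_numbers(data_classes=DATA_CLASSES, waves=PROGRAMME_WAVES, z: float = Z_YEARS) -> dict:
    """The figures that go on the slide: budget, cost of inaction, and what is already late."""
    report = mosca_report(data_classes, z)
    budget = programme_cost(waves)
    loss = cost_of_inaction(data_classes)
    return {
        "programme_budget": budget,
        "expected_loss_if_inaction": loss,
        "loss_to_budget_ratio": round(loss / budget, 1),
        "already_late": [name for name, (margin, _) in report.items() if margin < 0],
    }


if __name__ == "__main__":
    for name, (margin, verdict) in mosca_report().items():
        print(f"{name:28s} margin {margin:+6.1f} y  ->  {verdict}")
    print(board_numbers())
```

The "already late" list is what the Risk line leads with (those classes are exposed to harvest-now-decrypt-later regardless of when the quantum computer arrives), and the loss-to-budget ratio is the one figure for the Cost of inaction line of the one-page summary; the verdict threshold and the weighting are deliberately coarse, since the point is direction and magnitude, not accounting precision.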

Mapping to compliance

Regulatory pressure turns a good idea into a mandate. Map each driver to the parts of your roadmap that satisfy it, so leadership sees migration as a path to staying compliant — not optional hygiene.

Driver                                 Signal
National guidance (e.g. NIST IR 8547)  Classical public-key deprecated ~2030, disallowed after 2035
NSA CNSA 2.0                           PQC required for national-security systems — e.g. software- & firmware-signing on PQC by 2030, full adoption across systems by 2035
Sector regulators                      Finance, healthcare & critical infrastructure moving from inquiry (readiness questionnaires) toward mandates — treat “asking” as an early warning to get ahead of

“Deprecated” vs “disallowed”: these aren’t the same date twice. Deprecated (~2030) means the algorithm is still permitted but officially discouraged — you may keep using it, but you’re on notice and it’s flagged in audits. Disallowed (after 2035) is the hard stop: it may no longer be used to apply new cryptographic protection, so a system still relying on it then is out of compliance. The gap between the two dates is your intended migration window — not a grace period to start late.

The one-page exec summary

Executives read one page. Keep it jargon-free, anchored in business impact, and refresh it each cycle with the maturity score trending up.

Post-Quantum Readiness — Executive Summary

One page. Refreshed each reporting cycle.

Situation
Quantum computing will break today’s public-key cryptography; harvesting of encrypted data is happening now.
Exposure
Our highest-risk, long-shelf-life data and systems (name the top few).
Where we stand
Current maturity level (0–5) and target level.
The plan
Phased waves and their timeline (from the roadmap).
The ask
Budget and resources needed for the next phase.
Cost of inaction
Framed in risk and compliance terms (deadlines, breach exposure) — a rough figure from your breach-exposure model, not a blank “TBD”.
[Figure: Translation for the board. Technical crypto detail is translated into risk, cost, timeline, and compliance for executives.]
The programme survives when detail becomes risk, cost, timeline, and compliance.

Executive sponsor
A senior leader who owns funding and unblocks the programme.
Steering group
The small body that governs decisions against the risk register.
Compliance driver
A regulation or guidance that mandates or dates the migration.
Executive summary
A one-page, jargon-free brief in business terms.
NIST (National Institute of Standards and Technology) / IR (Internal Report)
The US standards body and its report series; NIST IR 8547 sets the deprecate-~2030 / disallow-2035 timeline.
NSA (National Security Agency) / CNSA 2.0
The US agency and its Commercial National Security Algorithm suite mandating PQC for national-security systems.
PQC (Post-Quantum Cryptography)
The quantum-resistant algorithms that regulations increasingly require.

What to carry forward

That completes the field guide: you now have the full arc from “what is a key?” to “report readiness to the board.”

Understand it in your own words

Paste into any AI assistant to check yourself:

I'm learning to govern and report a post-quantum migration. Quiz me one
question at a time, correcting me gently:

1. What governance roles and artefacts keep the programme on track?
2. What are the three lenses executives actually act on, and how do I frame
   each?
3. How does harvest-now-decrypt-later make the risk "present tense"?
4. Name two compliance drivers and why they turn migration into a mandate.
5. What six lines belong on the one-page executive summary?

References & further reading

  1. NIST, IR 8547: Transition to Post-Quantum Cryptography Standards (deprecation timeline). csrc.nist.gov/pubs/ir/8547
  2. CISA, NSA & NIST, Quantum-Readiness: Migration to PQC (governance & engagement). cisa.gov/quantum
  3. NSA, Commercial National Security Algorithm Suite 2.0 (CNSA 2.0).
  4. World Economic Forum, Transitioning to a Quantum-Secure Economy (board-level framing). weforum.org