A simple, non-complicated, non-technical overview of Post-Quantum Cryptography for executives, in about 20 minutes.

How to Communicate Genuine Information Without Indulging in the Hype or Spin Around Post-Quantum Cryptography

This is my late-night effort to pen a non-technical view to help you understand the risks that quantum computing poses to today's cryptography, and why post-quantum cryptography matters, particularly for those in business making budget and risk decisions.

Read or listen, or listen as you read; it's up to you.



A Non-Technical Overview

Cryptography serves as the software “keys” and “locks” that protect your data. These “keys” are embedded in virtually everything—spanning all layers of the OSI stack, from the physical network to the application layer. These keys and locks are everywhere.

If the word “cryptography” already makes your head spin, let’s simplify things by referring to it as “locks.”

Referring to cryptography as “locks” is, of course, a significant oversimplification. It doesn’t capture the depth and complexity of the brilliant work cryptographers do to secure your data. Cryptography involves intricate protocols, sophisticated algorithms, and ongoing innovation. However, for the sake of clarity in this discussion, we’ll stick with the term “locks.” (Sincere apologies to my technical colleagues!)


How Will These Locks Get Broken?

A new type of computing, known as quantum computing, has the theoretical potential to crack some of these locks in the future. If realized, this capability could expose sensitive data across various domains, including banking, pharmaceuticals, military operations, government, and intellectual property.

Some types of locks will be broken relatively easily, while others may remain secure—even against powerful quantum computers.

Estimates vary depending on whom you ask. The ability to crack certain types of locks, such as RSA or ECC, is projected to become possible within 7–15 years. However, this timeline is far from certain.

While advances in quantum computing continue, the timeline for building systems capable of breaking RSA/ECDHE remains unclear. Many experts suggest it could still be decades away, depending on breakthroughs in error correction and qubit scalability. Regardless of the exact timeline, there is broad consensus that it will happen eventually.

It’s also important to note that not all cryptographic algorithms are equally vulnerable. Algorithms like symmetric encryption with sufficiently large keys and one-time pads are considered quantum-resistant and are likely to remain secure for many years.

Additionally, not all data retains its value over time. Some sensitive information loses relevance within months or years. That said, certain types of data—such as military or government information—may remain critical for decades.


So what?

Hackers may already have the ability to infiltrate your infrastructure and vacuum up all your sensitive data. While they can’t break the locks on this data now, they might be able to in the future. This strategy is commonly referred to as Harvest Now, Decrypt Later (HNDL).

The concept is simple: collect all your encrypted intellectual property (IP) now and unlock it later with a super-powerful quantum computer.

These attacks are unlikely to be the work of hobbyists or teenagers in bedrooms. Instead, they are typically driven by state actors—governments, both foreign and domestic—looking to gather intellectual property and other sensitive information. These operations are highly sophisticated, hard to detect, and often conducted alongside more traditional and less complex hacking methods.

The consequences of such attacks are far-reaching. State actors could use your stolen data to:

  • Steal intellectual property and gain a competitive edge.
  • Destabilise societies by exposing financial data, personal records, or sensitive government information, potentially undermining national security or banking systems.
  • Impact the battlefield: by knowing how all of your equipment works, an adversary can use that knowledge to their advantage in all sorts of ways.

It is important to note that cracking this data requires significant compute resources, so it's unlikely to be applied against low-value data. They just want the juicy high-value data.


When Will the Locks Be Broken?

The ongoing push for computational innovation in fields such as pharmaceuticals, high-frequency financial trading, military operations, and cybersecurity is driving significant investment in quantum computing. This increased investment is likely to accelerate the timeline for breaking some cryptographic locks as computational power continues to advance.

Related innovations outside of quantum computing—such as developments in artificial intelligence (AI), virtualization, and high-performance computing (HPC)—are also expected to hasten the ability to crack these locks.

Historically, most cryptography is eventually broken, and this trend is likely to continue. The one-time pad remains the rare exception. Whether it takes five years or fifteen, it is fair to say that these breakthroughs will happen.


So, Is It Urgent or Not?

The urgency depends on your organization’s size, industry, and the type of data you handle:

  • If you’re a company without substantial intellectual property (IP): This issue is likely a low priority for now and can sit on the back burner.
  • If you’re a small-to-medium business (SMB) with substantial IP: It’s likely a moderate priority. While your IP will be at risk at some point in the future, you should reasonably expect to mitigate this by using a quantum-secure cloud environment. If you haven’t done so already, companies like Veriqloud offer solutions today. You can even set up your own quantum-secure private cloud network with tools such as Blackhills Quantum’s QS Dome. A range of solutions is already available in the market.
  • If you’re a large organisation handling significant amounts of IP or classified/sensitive data (e.g., banks, pharmaceuticals, defence, aerospace): This is likely a high-priority, urgent issue. Here’s why:

With Complexity Comes Problems

In larger environments—let’s say 5,000 employees or more—it’s likely that your infrastructure is extremely complex. You’re dealing with multiple layers of cryptography, numerous business units, and diverse platforms, each with its unique package of intellectual property (IP). The time required to discover and remediate all this technology is likely to be at least 36 months—and probably longer.

If significant advancements in quantum computing occur within the next five years (e.g., by 2030), and your project timeline is already at least 36 months, you may find yourself operating on a very narrow timeline.

The sheer volume of cryptographic assets (locks), the variety of lock types, their layers, and their geographic distribution make a Post-Quantum Cryptography (PQC) project one of the most complex undertakings on the radar today.


And Why Is That a Problem?

Discovery tools can substantially reduce the time required to identify cryptographic assets and assess their contextual risk. However, even with these tools, there’s still a significant amount of integration work to be done. This will likely require specialized, highly skilled, and expensive resources—professionals with extensive experience and advanced qualifications.


Resources Will Be Hard to Find

This is not a problem in isolation. When every large company is scrambling for the same limited pool of resources at the last minute—as will inevitably happen—the result will be skyrocketing costs. Additionally, delays and risks will increase exponentially, making these projects harder to execute the longer you wait.


How Hard Can It Be, Really?

Make no mistake—a large-scale project to update cryptography is incredibly challenging. It’s not just about what your organization can do internally; it’s also about your supply chain.

If you rely on vendors, they too will need time to update their cryptographic systems. Additionally, their component vendors and partners will need to do the same, creating a cascading effect.

Often, the first realization after conducting a discovery process is that it’s “cryptographic turtles all the way down.” This means dealing with layers of complexity, endless calls with suppliers, updates, retesting, rediscovery, and changes to management processes and procedures. All of this is necessary to ensure you don’t accidentally reintroduce subpar cryptography into your infrastructure.

It is a big and complex project for large organisations.


The Net-Net

It’s no surprise to any risk manager:

  • The larger your environment, the greater your risk.
  • The more complex your environment, the greater your risk.
  • The more critical the services you provide, the greater your risk.
  • The wider your geographic spread, the greater your risk.
  • The higher the value of your data, the greater your risk.
  • The longer you leave it, the greater your risk.

Small companies with significant intellectual property (e.g., pharmaceutical startups) but limited technological capability are also at risk. However, their mitigation strategies may be somewhat simpler, such as leveraging Quantum Secure cloud services.

Resources and Standards

I couldn’t write this article without referencing the resources available from organizations like NIST. While these resources are often highly technical and not always easily digestible for business managers, they are invaluable for those with a technical background.

NIST’s PQC standardization process

ANSSI Views on PQC

European Commission Roadmap for the transition to Post-Quantum Cryptography


Who Needs to Be Most Concerned?

  1. Central Banks: Central banks face the highest risk, are a top hacking priority, and deal with significant transactional cross-system complexity and supply chain challenges. Having worked in a central bank's credit team, if I worked on a central bank's information security team today, I might be considering another job.
  2. Defence and Aerospace: This doesn't need much explanation. These sectors handle critical services and highly sensitive technology. Combined with the enticing nature of their intellectual property (IP), these projects needed to be started—and funded—a year ago.
  3. Banks, Exchanges, and Financial Services: These are high-threat, highly complex environments. The one advantage they have is the financial resources to pay for the necessary updates, even if they act late.
  4. Service Providers, Telcos, and ICT Services: By the nature of their business, service providers are likely to inherit their customers' problems. The only silver lining is the opportunity to generate significant revenue by securing substantial project budgets from their clients.
  5. IP-Dependent Companies: Pharmaceuticals, chemistry firms, materials companies, manufacturers, or any organization highly dependent on protecting intellectual property should have a plan in place now. Special attention must be given to the complexity of their technological infrastructure.

Project Steps

1) Organisational Training - QSECDEF offers an introduction to Quantum Cyber Security covering PQC at $50 a seat, delivered online (full disclosure: I am a board director at this organisation), but companies like Qubo Quantum in Canada, Cystel in the UK, Sympulse in CZ or your local cyber security expert companies are also able to provide you with great training. The QSECDEF training was written by Michal Krelina and Anna Beata Kalisz Hedegaard, both well-known and respected experts in this field.


2) Discovery - You will need a discovery tool capable of integrating into your existing SOC (Security Operations Center) and consolidating cryptographic inventory within the context of topology and risk. Whatever tool you choose, it must be able to create a Cryptographic Bill of Materials (CBOM) and a Software Bill of Materials (SBOM), as well as allocate risk.

My position and that of our team is that Qryptocyber excels in this area. However, other solutions such as QuSecure, Thales, Isara, and Venari are also highly regarded. Each offers unique approaches and delivers value in different ways, so your choice will depend on your specific needs and environment.

View the subsequent post about Qryptocyber capabilities vs others here.

The reality is that no single tool is likely to do everything you need. You will almost certainly require a combination of tools tailored to your specific environment to generate a Cryptographic Bill of Materials (CBOM) and a Software Bill of Materials (SBOM). Reaching even a basic understanding of what cryptographic assets you have and where they are located will involve a significant amount of work—well before you can even begin planning updates.
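To make the discovery step concrete, here is an added example (not code from the article, and not any vendor's tool) that takes constructed scanner-style findings and assembles a minimal CBOM, tagging each "lock" by whether a capable quantum computer would break it. The field names and the simplified CBOM layout are assumptions, not the CycloneDX schema; the sample hosts and findings are constructed. It also separates the locks that matter for Harvest Now, Decrypt Later (confidentiality uses such as key exchange and key wrap) from broken signature locks, which only become a problem once an adversary can forge in real time.

```python
"""Assemble a minimal Cryptographic Bill of Materials (CBOM) from discovery
findings and flag which "locks" a cryptographically relevant quantum
computer would break.

Added example, not from the original article and not any vendor's tool. The
findings are constructed to resemble TLS/SSH scanner output; the field names
and the simplified CBOM layout are assumptions, not the CycloneDX schema.
"""
from collections import Counter

# Constructed sample findings: where each lock sits and what it is made of.
FINDINGS = [
    {"asset": "vpn.example.com", "layer": "transport", "algorithm": "RSA",
     "bits": 2048, "use": "key-exchange"},
    {"asset": "vpn.example.com", "layer": "transport", "algorithm": "AES-GCM",
     "bits": 128, "use": "bulk-encryption"},
    {"asset": "api.example.com", "layer": "transport", "algorithm": "ECDHE-P256",
     "bits": 256, "use": "key-exchange"},
    {"asset": "api.example.com", "layer": "transport", "algorithm": "ECDSA-P256",
     "bits": 256, "use": "signature"},
    {"asset": "hsm-01", "layer": "application", "algorithm": "AES-GCM",
     "bits": 256, "use": "data-at-rest"},
    {"asset": "ci-signer", "layer": "application", "algorithm": "ML-DSA-65",
     "bits": None, "use": "signature"},
    {"asset": "legacy-db", "layer": "application", "algorithm": "RSA",
     "bits": 1024, "use": "key-wrap"},
]

# Public-key families resting on factoring or discrete logarithms: Shor's
# algorithm breaks these at any key size.
QUANTUM_BROKEN = ("RSA", "DSA", "DH", "ECDH", "ECDHE", "ECDSA", "EDDSA", "ED25519", "ED448")
# NIST post-quantum standards (FIPS 203/204/205).
QUANTUM_SAFE_PQC = ("ML-KEM", "ML-DSA", "SLH-DSA")
# Symmetric ciphers and hashes: Grover roughly halves effective key strength,
# so 256-bit material keeps a comfortable margin and 128-bit loses some.
SYMMETRIC = ("AES", "CHACHA20", "SHA", "SHA2", "SHA3", "HMAC")
# Uses where a broken lock exposes data that can be recorded today and
# opened later (harvest now, decrypt later). A broken signature, by
# contrast, only matters once the adversary can forge in real time.
CONFIDENTIALITY_USES = {"key-exchange", "key-wrap", "bulk-encryption", "data-at-rest"}


def classify(finding):
    """Return 'broken', 'reduced-margin', 'safe' or 'unknown' for one finding."""
    alg = finding["algorithm"].upper()
    family = alg.split("-")[0]
    if alg.startswith(QUANTUM_SAFE_PQC):
        return "safe"
    if family in QUANTUM_BROKEN:
        return "broken"
    if family in SYMMETRIC:
        return "safe" if (finding.get("bits") or 0) >= 256 else "reduced-margin"
    return "unknown"


def build_cbom(findings):
    """Annotate every finding and summarise what must be migrated first."""
    components = []
    for f in findings:
        status = classify(f)
        components.append({
            **f,
            "quantum_status": status,
            # Only broken confidentiality locks are HNDL-exposed today.
            "hndl_exposed": status == "broken" and f["use"] in CONFIDENTIALITY_USES,
        })
    return {
        "components": components,
        "summary": dict(Counter(c["quantum_status"] for c in components)),
        # Assets carrying HNDL-exposed locks go to the top of the remediation list.
        "hndl_exposed_assets": sorted({c["asset"] for c in components if c["hndl_exposed"]}),
        "needs_migration": sorted({c["asset"] for c in components if c["quantum_status"] == "broken"}),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_cbom(FINDINGS), indent=2))
```

On the constructed findings the summary comes out as four broken locks, one with reduced margin and two safe, and three of the four assets land on the HNDL-exposed list. A real CBOM will have thousands of rows and far messier algorithm names, which is exactly why the article says you will need tooling rather than a spreadsheet.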


3) Risk Assessment

Assess risks based on the sensitivity and longevity of your data. Most CISOs will have a clear understanding of where their organization’s “crown jewels” are stored. Notify any vendors with inadequate cryptographic solutions that they must become compliant within a defined timeframe—or face being replaced.
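The "sensitivity and longevity" assessment can be turned into dates. The added example below (not from the article) applies Mosca's inequality, a widely used framing the article itself does not name: data is exposed when its required shelf life plus the migration time exceeds the years until a capable quantum computer exists. The data classes and shelf lives are constructed; the 2030 horizon and 36-month programme are the what-if figures used earlier in the article, not predictions.

```python
"""Turn "sensitivity and longevity of your data" into concrete deadlines.

Added example, not part of the original article. It applies Mosca's
inequality (a common framing, not one the article states): data is exposed
when shelf_life + migration_time > years until a capable quantum computer.
The data classes and years are constructed; 2030 and a 36-month migration
are the what-if figures the article uses, not predictions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DataClass:
    name: str
    shelf_life_years: float   # how long the data must stay confidential (X)
    migration_years: float    # time to re-lock the systems holding it (Y)
    crown_jewel: bool         # sensitivity flag from the CISO's inventory


def assess(data_classes, crqc_year, this_year):
    """Per data class: exposure in years (>0 means exposed) and the latest
    year migration could have started while still protecting it."""
    years_until_crqc = crqc_year - this_year  # Z
    rows = []
    for d in data_classes:
        exposure = d.shelf_life_years + d.migration_years - years_until_crqc
        latest_start = crqc_year - d.shelf_life_years - d.migration_years
        rows.append({
            "name": d.name,
            "exposed": exposure > 0,
            "exposure_years": exposure,
            "latest_start_year": latest_start,
            # Past this point, data locked before migration finishes is HNDL bait.
            "already_late": latest_start < this_year,
            "crown_jewel": d.crown_jewel,
        })
    return rows


def prioritise(rows):
    """Crown jewels first, then by how far past the deadline each class is."""
    exposed = [r for r in rows if r["exposed"]]
    ordered = sorted(exposed, key=lambda r: (not r["crown_jewel"], -r["exposure_years"]))
    return [r["name"] for r in ordered]


# Constructed portfolio for a large organisation running a 36-month programme.
PORTFOLIO = [
    DataClass("defence equipment designs", shelf_life_years=25, migration_years=3, crown_jewel=True),
    DataClass("customer records (PII)", shelf_life_years=7, migration_years=3, crown_jewel=True),
    DataClass("drug trial results", shelf_life_years=10, migration_years=3, crown_jewel=False),
    DataClass("quarterly price list", shelf_life_years=1, migration_years=3, crown_jewel=False),
    DataClass("public marketing copy", shelf_life_years=0, migration_years=3, crown_jewel=False),
]


if __name__ == "__main__":
    rows = assess(PORTFOLIO, crqc_year=2030, this_year=2025)
    for row in rows:
        print(row)
    print("migrate first:", prioritise(rows))
```

With a 2030 horizon and a three-year programme, anything that must stay confidential for more than two years is already exposed, and the three long-lived classes show a latest start year well in the past. That is the arithmetic behind the article's point that, for large organisations, the work needed to start some time ago.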


4) Plan Your Update

Begin implementing quantum-safe cryptography for your critical assets. There are numerous tools and methods available to enable cryptographic agility. Solutions from IBM, Thales, CryptoNext, and others are worth considering, though many of these can be quite expensive.


5) Transition to Quantum-Safe PQX

Secure your resources, software, project teams, and delivery schedules early to avoid spiraling costs. Start upgrading your cryptographic “locks” now by deploying tools for cryptographic agility—essentially a streamlined way to switch cryptographic algorithms without overhauling entire systems.
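What "cryptographic agility" looks like in code, as an added example that is not from the article or from any vendor it names: every protected artifact carries an algorithm identifier, the implementations sit behind a registry, and a policy object (configuration, not code) says which algorithm locks new artifacts and which older ones may still be opened. Two HMAC constructions from the Python standard library stand in for the classical and post-quantum algorithms a real migration would swap; the identifiers, policy shape and demo key are assumptions.

```python
"""Cryptographic agility in miniature: every protected artifact carries an
algorithm identifier, implementations live in a registry, and a policy
object decides which algorithms may create new artifacts and which may still
be verified. Switching algorithms is then a policy change plus a re-lock
pass, not a rewrite of every system.

Added example, not from the article or any vendor it names. Two HMAC
constructions from the standard library stand in for the classical and
post-quantum algorithms a real migration would swap; identifiers, policy
values and the demo key are assumptions.
"""
import base64
import hashlib
import hmac

DEMO_KEY = b"constructed-demo-key-not-for-real-use"

# Registry: algorithm id -> tag function. Adding a PQC scheme means adding
# one entry here, not touching every caller.
REGISTRY = {
    "hmac-sha256": lambda key, data: hmac.new(key, data, hashlib.sha256).digest(),
    "hmac-sha3-256": lambda key, data: hmac.new(key, data, hashlib.sha3_256).digest(),
}

# Policy is configuration, not code. 'default' locks new artifacts;
# 'verify_allowed' is the set still accepted when opening old ones.
INITIAL_POLICY = {"default": "hmac-sha256", "verify_allowed": {"hmac-sha256"}}


def protect(payload: bytes, policy, key=DEMO_KEY) -> dict:
    """Wrap payload in an envelope that records which algorithm locked it."""
    alg = policy["default"]
    tag = REGISTRY[alg](key, payload)
    return {
        "alg": alg,
        "payload": base64.b64encode(payload).decode(),
        "tag": base64.b64encode(tag).decode(),
    }


def verify(envelope: dict, policy, key=DEMO_KEY) -> bool:
    """Accept only algorithms the current policy still allows; never fall back."""
    alg = envelope["alg"]
    if alg not in policy["verify_allowed"] or alg not in REGISTRY:
        return False
    payload = base64.b64decode(envelope["payload"])
    expected = REGISTRY[alg](key, payload)
    return hmac.compare_digest(expected, base64.b64decode(envelope["tag"]))


def migrate_policy(policy, new_default, sunset=()):
    """Step 1: new artifacts use new_default while old ones stay verifiable.
    Step 2 (later, once everything is re-locked): pass the old id in `sunset`."""
    allowed = (set(policy["verify_allowed"]) | {new_default}) - set(sunset)
    return {"default": new_default, "verify_allowed": allowed}


def relock(envelope: dict, old_policy, new_policy, key=DEMO_KEY):
    """Re-lock an artifact under the new default after verifying it under the
    old policy; returns None if it fails verification."""
    if not verify(envelope, old_policy, key):
        return None
    return protect(base64.b64decode(envelope["payload"]), new_policy, key)


def run_migration(payload: bytes) -> dict:
    """Walk one artifact through the whole cycle and report what happened."""
    old = protect(payload, INITIAL_POLICY)
    transition = migrate_policy(INITIAL_POLICY, "hmac-sha3-256")
    relocked = relock(old, INITIAL_POLICY, transition)
    final = migrate_policy(transition, "hmac-sha3-256", sunset=("hmac-sha256",))
    return {
        "old_alg": old["alg"],
        "old_still_verifies_during_transition": verify(old, transition),
        "relocked_alg": relocked["alg"],
        "old_rejected_after_sunset": not verify(old, final),
        "relocked_verifies_after_sunset": verify(relocked, final),
    }


if __name__ == "__main__":
    print(run_migration(b"quarterly results, constructed sample"))
```

The important design choices are that the algorithm identifier travels with the data, that verification refuses sunset algorithms rather than silently falling back to them, and that the two-step policy change (add the new default, then retire the old one once re-locking is done) is what makes the switch a controlled project rather than a flag day.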


HAIR ON FIRE

At WizzWang, we often use Sequoia’s well-established model for product market fit, which breaks down markets into three cyclical phases:

  1. Hard Fact: Customers have resigned themselves to living with the problem and are no longer seeking solutions.
  2. Future Problem: Customers are either unaware of the problem or dismissive, viewing it as a distant or unrealistic challenge. This represents the majority of the market today.
  3. Hair on Fire: Customers are actively grappling with the problem and treating it as a high priority that should have been addressed yesterday. The urgency often triggers panic and a market feeding frenzy.

The reality is that people tend to procrastinate. Large project teams are complex, take a long time to mobilise, and require budget approvals and significant planning before work can even begin.

In short, only about 30% of companies will have their act together. The rest will scramble to implement urgent solutions at the last minute, paying inflated costs for the privilege. You can likely predict, based on your organisational culture, which category your company falls into.

The forecast is that this will remain a “future problem” for the next two to three years for most organisations. However, as advancements in quantum computing bring us closer to practical implementation, the market is likely to shift en masse into the “hair on fire” phase. Exactly when this happens will depend on breakthroughs in quantum computing and its ability to deliver the compute power necessary to crack cryptographic locks.

But as sure as day follows night, this market will become very urgent very quickly, and will rush to the top of many CEOs' lists at some point in the future, especially those most at risk.


Closing and in Summary

I really appreciated Duncan Jones's article and broadly agree with his insights, though I differ somewhat on the current scale of Harvest Now, Decrypt Later (HNDL) attacks: due to the nature of the day job, my view is that these HNDL attacks occur much more frequently than most are aware. I firmly concur with his assertion that "the narrative around the large-scale capture of encrypted data is misleading". I would recommend the read.

I also agree that it would be a mistake to take that as a reason to defer your post-quantum migration.

That would indeed be a terrible idea.

But let’s not succumb to hysterical panic. Instead, here are the key takeaways for business executives without in-depth technical expertise:

  • Cryptography acts as the digital locks protecting your data. Emerging technologies, such as quantum computing, may eventually break some types of these locks, potentially exposing sensitive information. While this is a long-term threat, it’s vital to start preparing now.
  • Take proactive steps today. Organisations should begin by assessing their cryptographic systems, identifying high-risk areas, and planning for a transition to quantum-resistant algorithms. This process can be complex, especially for larger organizations, so early action is essential.
  • Focus on informed, deliberate actions. Avoid knee-jerk reactions and instead leverage tools and guidance from industry experts and established standards bodies. The ultimate goal is to achieve cryptographic agility, ensuring your organisation can adapt to new threats as they emerge.

If you are in one of the high-risk industry sectors, you are likely already a target of HNDL attacks, especially if your intellectual property is valuable enough to justify the significant computational effort required to unlock it in the future.

Finally, seek advice from experts. There's an active community of cybersecurity professionals specialising in quantum threats who discuss these issues regularly and who are much more informed, knowledgeable and experienced.

Steven Vaile


Board technology advisor and QSECDEF co-founder. Writes on AI governance, quantum security, and commercial strategy for boards and deep tech founders.