An executive interview on business risks, crypto discovery and the path towards quantum readiness.
Quantum computing is advancing rapidly. While practical, large-scale use may still be some years away, new risks are already emerging for organisations today. At the same time, many organisations face the challenge of assessing realistically what quantum computing could mean for their IT landscape.
This interview addresses the key questions around quantum readiness, post-quantum cryptography and quantum risk assessments. It is intended for CIOs, CISOs, enterprise architects and decision-makers who want to understand which risks already exist today and how a structured preparation can be established.
1. Why is quantum readiness already a business risk today and not just a future IT security topic?
Modern organisations rely on digital trust mechanisms such as encryption, certificates, digital identities, signatures and secure transactions. If these mechanisms become vulnerable to future quantum computers, the impact is not limited to data confidentiality. It also affects business processes, regulatory obligations and trust in digital communication.
In addition, risks may already arise today. In a “Harvest Now, Decrypt Later” scenario, encrypted data is captured and stored today so it can be decrypted later with powerful quantum computers. Information with a long-term need for protection is particularly affected.
For many organisations, the real challenge is therefore not the exact date of a possible Q-Day, but the multi-year preparation and migration effort. Companies with sensitive data, long system life cycles, critical infrastructure or regulatory requirements need to create transparency early. Otherwise, they may face unplanned migrations, higher costs, operational risks and increasing compliance pressure. The key management question is therefore: What risks arise if we prepare too late?
2. What business risks arise from “Harvest Now, Decrypt Later”?
The specific issue with “Harvest Now, Decrypt Later” is that the risk already starts today. Attackers can capture and store encrypted data or communication streams now, in order to decrypt them later when sufficiently powerful quantum computers become available. The risk therefore does not begin only with a possible Q-Day.
Information with a long-term need for protection is particularly exposed. Examples include customer and financial data, research and development information, intellectual property, health data, as well as security- or infrastructure-related information. The actual damage may only become visible years later, when confidential data is disclosed retrospectively.
For organisations, this means that technical protection alone is not enough. Data classification, retention periods, deletion concepts, risk management and regulatory consequences also need to be assessed. At the same time, encrypted data flows, TLS and VPN connections, external interfaces, partner communication and long-term archives should be identified. The decisive factor is to evaluate data value, required protection period and potential business impact in order to prioritise the further transformation.
3. Which questions should CIOs and CISOs ask at the beginning of a quantum risk assessment?
At the beginning, the focus should be less on individual technologies and more on the business relevance for the organisation. Key questions concern critical business processes, data that requires long-term protection and the systems, applications, networks, cloud services and, where relevant, OT or IoT environments that are especially important for business operations.
The organisational perspective is equally important. Preparing for post-quantum cryptography is not only an IT security topic. It also involves enterprise architecture, compliance, data protection, risk management, procurement and the business units. Therefore, it should be clarified early which stakeholders need to be involved and whether any assessment of the quantum threat or “Harvest Now, Decrypt Later” scenarios already exists.
Organisations should also define their strategic objectives. Is the primary goal risk reduction, regulatory preparation, modernisation, resilience or investment planning? It is also important to identify existing initiatives that can be used, such as cloud transformation, Zero Trust programmes, IAM, PKI or application modernisation. This transparency provides the basis for a sound risk analysis and a realistic migration roadmap.
4. Why is crypto discovery the central starting point for practical quantum readiness?
Because sound decisions can only be made on the basis of sufficient transparency. Without a clear understanding of where and how cryptography is used, risks cannot be assessed reliably and measures cannot be prioritised meaningfully.
Crypto discovery identifies cryptographic dependencies in applications, networks, cloud services, identity solutions and communication interfaces. The focus is not only on mechanisms such as RSA, ECC, TLS, VPN, SSH or digital signatures, but also on certificates, keys, cryptographic libraries and trust chains.
Hidden dependencies are especially important, for example in appliances, firmware, OT systems or products with embedded cryptography. At the same time, discovery requires collaboration between security, infrastructure, architecture and application teams, as well as business units and supplier management.
The goal is not necessarily a complete inventory of every single component. The goal is to create a reliable basis for decision-making. At the same time, discovery makes knowledge gaps visible, which can then be closed or considered in the risk assessment. This makes crypto discovery the foundation for prioritisation, roadmap development and later transformation measures.
5. Why do many organisations already struggle with the first step towards quantum readiness?
Many organisations struggle at the very first step because they lack transparency over their cryptographic landscape. It is often not fully known where cryptography is used, which systems depend on it and which trust chains are responsible for the secure operation of business-critical processes.
In many cases, there is no complete crypto inventory. Certificates, keys, digital signatures, cryptographic libraries or dependencies on applications, cloud services, suppliers and external partners are only partially documented. As a result, important risk indicators such as RSA and ECC dependencies, certificate infrastructures or central identity services often remain invisible.
Additional challenges arise from data that requires long-term protection, “Harvest Now, Decrypt Later” risks that have not yet been assessed and systems with long life cycles or limited updateability, such as OT, IoT or industrial environments. A lack of crypto agility and unclear vendor PQC roadmaps make later migrations even more difficult.
In many organisations, governance structures, responsibilities and prioritisation criteria are also missing. Therefore, preparing for post-quantum cryptography usually does not begin with new technologies, but with transparency over dependencies, risks and areas for action.
6. What is the difference between a crypto inventory and a quantum risk assessment?
They serve different purposes. A crypto inventory first creates transparency over the cryptography in use. It documents, for example, cryptographic mechanisms, certificates, keys, trust chains and technical dependencies, and answers the question of where and to what extent cryptography is used within an organisation.
A quantum risk assessment goes much further. It does not only consider the technical dependencies, but also evaluates their business relevance. Factors such as protection needs, data retention periods, “Harvest Now, Decrypt Later” risks, criticality of business processes and regulatory requirements are included in the assessment.
Not every cryptographic dependency automatically represents a high risk. What matters is the potential impact on the organisation and the ability to adapt or migrate affected systems in the future. A quantum risk assessment therefore prioritises risks and identifies areas for action in architecture, governance, supplier management and migration. The result is not just an inventory, but a risk-based roadmap for the further transformation.
7. How does a quantum risk assessment evaluate technical risks in a business context?
A quantum risk assessment does not evaluate technical risks in isolation, but always in relation to their possible business impact. Technical dependencies are therefore linked to factors such as protection needs, business relevance, regulatory requirements and system exposure.
The focus is not only on cryptographic mechanisms, but also on affected systems, data flows, trust chains, certificate infrastructures, external interfaces and dependencies on suppliers or cloud providers. The decisive question is what impact a future cryptographic risk would actually have on the organisation.
Possible consequences range from loss of confidentiality and integrity issues to identity misuse, failures of business-critical processes or regulatory violations. At the same time, organisational factors such as responsibilities, decision paths, risk appetite and investment processes are considered.
Ultimately, the goal is to bring technical urgency and business priority together. This creates a prioritised risk view that management, enterprise architecture and security can use jointly to make informed decisions on measures and investments.
8. What role do trust chains, certificates and PKI play in quantum risk considerations?
They form the foundation of modern digital communication. They secure identities, authentication, digital signatures, integrity and the establishment of trusted connections. That is why the quantum threat does not only affect data confidentiality, but trust in digital business processes as a whole.
Particularly relevant are TLS connections, internal and external certificate chains, VPNs, S/MIME, code-signing processes, machine identities and the security of APIs and other interfaces. If the underlying public-key mechanisms become vulnerable in the future, the impact on applications, partner connections and operational processes can be significant.
For this reason, PKI plays a central role in the transformation. Modernising certificate and key infrastructures can also create the basis for greater crypto agility. However, technical aspects are not enough. Responsibilities, lifecycle processes, inventory and policies also need to be reviewed. For prioritisation, it is essential to know which trust chains are business-critical, difficult to migrate or dependent on external partners and suppliers.
9. Why is crypto agility a central architecture principle for quantum readiness?
Crypto agility is a central architecture principle because it describes the ability to change or adapt cryptographic mechanisms in a controlled way and with reasonable effort. In a time of technological and regulatory change, this flexibility becomes a decisive success factor.
Technically, this means that algorithms should not be hard-coded into applications, but should be replaceable through configurable mechanisms, modular cryptographic libraries and clearly defined interfaces. Adaptable certificate and key processes are equally important. Hard-coded algorithms, proprietary cryptography, legacy systems and long release cycles are particularly problematic because they can make later migrations much more difficult.
Organisational factors also matter. Architecture principles, development guidelines, procurement requirements and change processes need to be designed so that cryptographic changes can be implemented in a planned and controlled manner.
In the end, crypto agility not only supports the introduction of post-quantum cryptography. It also improves an organisation’s general ability to respond to new standards, vulnerabilities or regulatory requirements. For enterprise architects, it is therefore a long-term target state that should be integrated into modernisation, cloud, Zero Trust, IAM and PKI initiatives.
10. What role do supplier and vendor dependencies play in the QRA evaluation?
They play a central role in quantum risk evaluation because a significant part of the cryptography in use is not directly controlled by the organisation itself. Cryptographic functions are often embedded in applications, cloud services, network components, security solutions, appliances or other third-party products.
As a result, organisations often depend on their vendors’ PQC roadmaps, update cycles and technical capabilities. Particularly relevant are software vendors, cloud providers, outsourcing partners, OT manufacturers, network equipment providers and security platform providers. If they cannot provide timely support for post-quantum cryptography, this can affect the entire transformation plan.
A quantum risk assessment therefore evaluates, among other things, product updateability, support periods, certificate and key mechanisms, vendor roadmaps and contractual commitments. These factors directly influence prioritisation, timelines, migration paths and remaining residual risks.
Preparing for post-quantum cryptography is therefore not only a technical or organisational challenge. It is also a third-party risk management topic. Procurement and contract management should include requirements for crypto agility, security updates, encryption and transparency at an early stage.
11. How should governance and responsibilities for quantum readiness be established?
Quantum readiness should be understood as an enterprise-wide transformation task, not as an isolated initiative of individual technical teams. It therefore requires clear functional and business responsibilities, as well as a governance structure that connects technical, organisational and regulatory requirements.
Typically, CIO, CISO, enterprise architecture, security management, risk management, compliance, procurement and relevant business units should be aligned and involved. Cryptographic risks should not be treated separately, but integrated into existing information security, risk management and architecture governance processes.
Clear criteria are essential for prioritisation, investment decisions, risk treatment, acceptance of residual risks and measurement of progress. At the same time, findings from discovery and risk assessment must be translated into concrete roadmaps, programmes, standards and policies.
Effective governance also considers supplier dependencies, procurement processes and regulatory developments. Without this overarching steering, there is a risk that individual technical measures will be implemented without strategic prioritisation, clear responsibilities or sustainable anchoring in the organisation.
12. What role do post-quantum cryptography and quantum key distribution play in the target architecture?
Both serve different but complementary purposes in a future target architecture. Post-quantum cryptography primarily addresses key exchange, authentication and digital signatures. It initially complements existing mechanisms and, over time, replaces vulnerable public-key mechanisms such as RSA and ECC. Symmetric mechanisms such as AES generally remain in place and continue to play a central role in protecting the actual data.
Established security architectures and protocols such as TLS also remain relevant. However, they will need to support quantum-safe key and trust mechanisms in the future. For most organisations, the initial focus is therefore on PQC capability, crypto agility and structured migration planning.
Quantum key distribution follows a different approach. By using physical properties of quantum mechanics, it can make eavesdropping attempts during key distribution detectable. QKD does not replace AES or TLS, but it can provide an additional security layer in selected high-security or specialised environments.
The role of PQC, hybrid approaches or QKD should always be assessed on a risk basis. Relevant factors include protection needs, existing architecture, cost, operating model, availability and regulatory requirements.
13. How can migration and implementation be planned realistically without overwhelming the organisation?
A successful PQC migration should not be understood as a one-time, full-scale replacement, but as a gradual and risk-based transformation process. The key is to prioritise measures according to protection needs, criticality, exposure, technical feasibility, lifecycle and existing dependencies.
In practice, it is advisable to use existing transformation programmes, such as PKI renewal, IAM initiatives, Zero Trust programmes, cloud transformation or application modernisation. This allows post-quantum cryptography to be integrated into ongoing initiatives instead of creating additional parallel projects.
Proofs of concept help validate selected scenarios under realistic conditions and provide insights into performance, compatibility, operational effort and integration risks. At the same time, technical implementation must be aligned with change management, operational processes, architecture principles and risk management.
A reliable roadmap should distinguish between short-term transparency measures, medium-term pilots and long-term architecture changes. Progress should also be measurable, for example through crypto inventory coverage, reduction of prioritised risks, supplier assessment status and implementation progress of planned measures.
14. How does a quantum risk assessment lead to a reliable roadmap?
It does so when the results of the quantum risk assessment are systematically translated into concrete areas for action. A roadmap consolidates findings from awareness, crypto discovery, risk analysis, business impact assessment and the analysis of supplier and vendor dependencies.
Measures are structured into short-, medium- and long-term priorities. In the short term, the focus is on defining the scope, involving relevant stakeholders, assessing protection needs and identifying critical cryptographic dependencies and suppliers. In the medium term, organisations improve the crypto inventory, analyse PKI and certificate processes, pilot PQC or hybrid approaches and establish appropriate governance structures. In the long term, the objective is to embed crypto agility as an architecture principle, implement migrations, synchronise supplier roadmaps and integrate regulatory requirements sustainably.
An effective roadmap connects technical feasibility with business priorities, budget cycles and operational dependencies. The decisive point is that it must not end as a one-time report, but serve as a steering instrument for a gradual transformation towards sustainable long-term protection.
15. Which concrete next steps should decision-makers initiate after the first QRA positioning?
Organisations should now move from analysis to structured implementation. The first step is to create a shared situation picture for management and security. This includes assessing the business relevance of the quantum threat, possible “Harvest Now, Decrypt Later” risks and the strategic goals of the organisation.
The scope should then be clearly defined. This includes critical business processes, data assets requiring protection, relevant systems, cloud services, locations, OT or IoT environments and external interfaces. In parallel, responsible stakeholders from IT, security, architecture, compliance, risk management, procurement and business units need to be involved.
On the technical side, crypto discovery and crypto inventory activities should be started, or existing inventories should be reviewed for their suitability for quantum readiness. It is equally important to assess protection needs, data retention periods, business impact and regulatory requirements, and to have structured discussions with vendors and suppliers about PQC roadmaps, crypto agility and updateability.
The result should be a prioritised roadmap that connects governance, piloting, budgeting and integration into existing IT and security programmes.
16. What are you currently seeing typically with customers?
Many organisations are still at an early stage of quantum readiness. The topic has arrived at management or security level, but it is often still perceived as a future topic whose concrete impact on the organisation is not yet fully understood.
In practice, a complete crypto inventory is often missing. Organisations frequently do not know exactly where cryptographic mechanisms are used, which systems are affected or which dependencies exist on certificates, keys and trust chains. At the same time, there is significant uncertainty around prioritisation. Many organisations ask which systems should be looked at first and where the greatest risks actually lie.
Another key topic is suppliers and cloud providers. Customers increasingly ask about PQC roadmaps, support periods, crypto agility and future migration paths. However, the answers are not always clear, which further increases planning uncertainty.
Overall, we are seeing a phase of growing awareness. Organisations mainly want to create transparency, better understand risks and establish a reliable basis for informed decisions.
Conclusion
Quantum readiness does not begin with an immediate migration. It begins with transparency over cryptographic dependencies, data that requires long-term protection and digital trust chains.
Only when organisations understand which systems, processes and suppliers are affected can risks be prioritised meaningfully and translated into a reliable roadmap.
The decisive point is therefore not to convert all systems to new cryptographic mechanisms today. The decisive point is to build a structured situation picture early and to treat quantum readiness as a long-term transformation task.