The CISO's Guide to Post-Quantum Cryptography Readiness
Complete CISO guide to post-quantum cryptography readiness: crypto inventory, risk assessment, vendor management, board communication, budget planning, and regulatory alignment.
This is the guide I wish every CISO had when their board first asks about quantum readiness. It covers what PQC readiness actually requires, how to build the business case, what your board needs to know, and how to start your program this quarter with minimal disruption. For related context, see NIST PQC standards guidance.

What PQC Readiness Actually Requires

PQC readiness is not a tool you buy. It is a program you run. The core deliverables are:

1. A cryptographic inventory: you know where RSA, ECC, TLS certificates, and cryptographic keys are deployed across public-facing and (prioritized) internal infrastructure.
2. A risk classification: each asset is classified by quantum vulnerability, data sensitivity, and confidentiality lifetime.
3. A vendor risk register: every third party that manages cryptography on your behalf has been assessed.
4. A migration roadmap: prioritized, phased, with resource estimates, aligned to regulatory timelines.
5. A board-ready report: one page summarizing posture, risk, timeline, and resource needs.

For related context, see healthcare PQC readiness planning.

You do not need to complete the migration to be "PQC ready." You need to have the program in place with measurable progress.

The Business Case: How to Get Budget

Frame PQC readiness as three things your board already cares about:

Regulatory compliance: "NSM-10 mandates PQC migration for federal agencies. DORA requires operational resilience, including cryptographic risk. Our cyber insurer asked about cryptographic posture in our last renewal. We need to be able to answer these questions with data."

Risk management: "Harvest-now, decrypt-later is a recognized threat model. Our customer data has a regulatory confidentiality requirement of 7-10 years under [regulation]. That timeline overlaps with expected quantum capability. We need to know where quantum-vulnerable crypto protects long-lived data."
Competitive positioning: "Our enterprise customers are beginning to ask about PQC readiness in their vendor assessments. Having a program in place is becoming a competitive requirement for government, financial services, and healthcare contracts."

The 90-Day CISO PQC Readiness Plan

Days 1-30: Discovery and Baseline

- Run an external cryptographic posture assessment on every domain (CipherReady automates this)
- Produce a certificate inventory with algorithm, key size, and quantum-vulnerability classification
- Begin the vendor PQC questionnaire campaign for critical vendors
- Deliver an initial readiness score and findings summary

Deliverable: certificate inventory spreadsheet + one-page readiness summary.

Days 31-60: Deepen and Classify

- Complete the risk classification: assign Critical/High/Medium/Low tiers based on data sensitivity
- Audit cloud KMS keys (AWS, Azure, GCP)
- Compile vendor questionnaire responses
- Begin internal discovery planning for regulated system scope

Deliverable: risk-classified crypto inventory + vendor risk register.

Days 61-90: Roadmap and Report

- Build a prioritized migration roadmap with quarterly milestones
- Map findings to regulatory frameworks (NSM-10, PCI DSS, HIPAA, DORA, as applicable)
- Produce the board-ready executive report
- Establish a quarterly review cadence
- Deliver the budget recommendation for the Year 1 program

Deliverable: board-ready executive report + migration roadmap + budget request.

What to Tell Your Board (The 5-Slide Deck)

Slide 1: The Problem

"We use RSA and ECC to protect our data. NIST published replacement standards in 2
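The risk classification called for in deliverable 2 and in the Days 31-60 step, as an added Python example (not CipherReady's or the author's code): it reads a constructed inventory and assigns a quantum-vulnerability flag, a harvest-now-decrypt-later exposure flag, and a Critical/High/Medium/Low tier from algorithm, data sensitivity and confidentiality lifetime. The quantum-capability year and the current year are placeholder assumptions, not figures from the page.

```python
"""Quantum-risk classification over a crypto inventory (added example)."""
import csv
import io
from dataclasses import dataclass

# Assumed planning horizon: the year by which the program treats a
# cryptographically relevant quantum computer as plausible. Placeholder,
# to be replaced by the organisation's own risk assessment.
ASSUMED_CRQC_YEAR = 2035
CURRENT_YEAR = 2025  # fixed so the example is deterministic

# Public-key algorithms broken by Shor's algorithm. Symmetric primitives
# (e.g. AES-256) are treated as not quantum-vulnerable here.
QUANTUM_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "ED25519", "X25519"}

# Constructed inventory, one row per asset (not data from any real environment).
INVENTORY_CSV = """asset,algorithm,key_bits,sensitivity,confidentiality_years
www.example.com TLS cert,RSA,2048,medium,1
patient-records backup key-wrap,RSA,3072,high,10
partner VPN tunnel,ECDH,256,high,2
internal wiki TLS cert,ECDSA,256,low,1
archive encryption,AES,256,high,10
"""

@dataclass
class Finding:
    asset: str
    quantum_vulnerable: bool
    hndl_exposed: bool  # confidentiality window reaches the assumed CRQC year
    tier: str

def classify(row, now=CURRENT_YEAR, crqc_year=ASSUMED_CRQC_YEAR) -> Finding:
    vulnerable = row["algorithm"].upper() in QUANTUM_VULNERABLE
    # Data that must stay confidential up to or past the horizon can be
    # harvested today and decrypted later, so it is exposed now.
    exposed = vulnerable and now + int(row["confidentiality_years"]) >= crqc_year
    sensitivity = row["sensitivity"].lower()
    if not vulnerable:
        tier = "Low"
    elif exposed and sensitivity == "high":
        tier = "Critical"
    elif exposed or sensitivity == "high":
        tier = "High"
    else:
        tier = "Medium" if sensitivity == "medium" else "Low"
    return Finding(row["asset"], vulnerable, exposed, tier)

def classify_inventory(csv_text=INVENTORY_CSV):
    return [classify(r) for r in csv.DictReader(io.StringIO(csv_text))]

if __name__ == "__main__":
    for f in classify_inventory():
        print(f"{f.tier:8} vuln={f.quantum_vulnerable!s:5} hndl={f.hndl_exposed!s:5} {f.asset}")
```

The tier rules are deliberately simple; a real program would also weigh key size, certificate expiry and whether the asset is public-facing.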