How to Present Cryptographic Risk to Your Board of Directors
Learn how to present cryptographic risk and PQC readiness to your board of directors. Translate technical crypto posture into business risk, regulatory timelines, and budget justification.
Your board does not need to understand lattice-based cryptography. They do not need to know the difference between ML-KEM and ML-DSA. They do need to understand why cryptographic visibility is a business risk — and what you need to address it. For related context, see crypto agility planning.

This article is a practical guide for CISOs and security leaders who need to present cryptographic risk and PQC readiness to a non-technical board audience. It covers the one-pager that works, the questions boards actually ask, and how to get budget approval. For related context, see quantum risk assessment.

What Boards Actually Care About

When you present cryptographic risk, the board has four implicit questions. Answer them directly:

1. "What is the risk to our business?" Frame it in business terms: "We use cryptography to protect customer data, transactions, and intellectual property. The algorithms we rely on — RSA and ECC — will be broken by quantum computers within the next 10-15 years. Data encrypted today could be decrypted in the future. Our customers, regulators, and insurers are starting to ask about our readiness."

2. "What is the regulatory timeline?" Give concrete dates: "NIST published the replacement standards in 2024. The US federal government requires high-priority systems to migrate by 2028. The EU expects member states to begin transitions by December 2026. Our cyber insurer included a cryptographic posture question in our last renewal."

3. "What do we need to do?" Keep it to three bullets: "First, inventory where cryptography is deployed across our public-facing infrastructure. Second, classify each asset by risk. Third, build a migration roadmap with resource estimates. The first step — external inventory — can be done this quarter with no infrastructure changes."

4. "What resources do you need?" Be specific: "I need approval for a cryptographic discovery tool, approximately [X] hours of security team time per quarter, and a cross-functional working group with IT and compliance. I will return in 90 days with a complete inventory, risk classification, and migration roadmap with budget estimates."

The One-Pager That Works

Every board presentation should include a single-page summary with:

Current State: "We have [X] public-facing domains. Our initial external assessment found [Y] TLS certificates, of which [Z]% use RSA-2048 or ECC P-256 — both quantum-vulnerable. Our current readiness score is [score]."

Risk Statement: "The primary risk is harvest-now, decrypt-later: encrypted data collected today could be decrypted when quantum computers mature. Our regulated customer data has a 10+ year confidentiality requirement under [regulation]. This timeline overlaps with expected quantum capability."

Regulatory Drivers: A table showing NSM-10, CNSA 2.0, PCI DSS 4.0, DORA, and HIPAA, with the deadlines that apply to your organization.

Next 90 Days: A three-line action plan: complete the external inventory, classify assets by risk tier, and deliver a migration roadmap with budget.

Ask: A specific resource request with a clear deliverable and timeline.

Board Questions to Prepare For

"Is this real, or is this vendor hype?" Answer: "NIST finalized the replacement standards after an 8-year public competition. The White House issued a national security memorandum. The largest enterprises and government agencies have active PQC migration programs. This is not hype — it is a recognized cryptographic transition."

"What