Quantum computing is no longer just a futuristic concept.
Quantum computing is an emerging disruptor that will reshape the foundation of digital security. While practical quantum machines aren’t mainstream yet, their future impact on cryptography is both inevitable and irreversible. That means the encryption your business relies on today could be broken tomorrow, putting sensitive data, intellectual property, and customer trust at serious risk.
You may have heard the term “Q-Day” – this refers to the point when quantum computers can break today’s encryption standards. However, it’s important to remember that cybercriminals aren’t waiting. They’re already launching “harvest now, decrypt later” attacks, stealing encrypted data today with plans to unlock it once quantum capabilities mature.
This is not just an IT issue. It’s a board-level concern that requires proactive investment and strategic oversight:
- Leading organizations are planning their transition to post-quantum cryptography (PQC) to future-proof their operations and avoid regulatory, operational, and reputational fallout.
- The EU and other countries are issuing recommendations to businesses to address their quantum security postures.
- Actively planning for PQC keeps your business ahead of the game. It’s your job to make sure the board understands why you need to overhaul the company’s security protocols.
But how do you explain the urgency of quantum risk to non-technical executives?
This article will show you how to translate quantum security into boardroom language – framing it as a measurable business risk with real implications for compliance, continuity, and cost.
🔐 In this article, you’ll learn strategic ideas to communicate clearly to the board. The first step? Framing quantum security as a board-level concern, including what regulatory shifts (NIST, NSA, CISA) are already underway – and how to stay ahead of them. You must also address whether you’re increasing your technology debt by delaying (i.e., a lack of crypto-agility today may lead to outsized costs, risks, and outages in the near future).
Quantum Risk: 4 Ways to Communicate With Clarity
With this framework, you’ll be equipped to build a business case for PQC, educate key stakeholders, and guide your organization toward a crypto-agile, quantum-resilient future.
Frame quantum security as a board-level concern
Quantum computing presents strategic, operational, reputational, and financial risks. At the same time, your organization’s board won’t fund initiatives they don’t understand. Help the board understand how PQC planning is a key element of business resilience and continuity as technology changes. Good planning is good governance, and being proactive will keep your business ahead of evolving quantum risks.
Building cryptographic agility is vital to address quantum computing and the growing cryptographic risks as technology evolves. By properly planning and executing a shift towards PQC, your business will enjoy smarter and less costly choices down the line, better security posture against all threats, and minimal risk of exposure when quantum capabilities evolve. This may even be a competitive advantage for your organization.
Educate your audiences and key decision-makers by focusing on business impact. Explain what quantum computing is and how it could render PKI obsolete. Cybercriminals aren’t waiting for quantum computing; they’re preparing for it. We’re already seeing a rise in “harvest now, decrypt later” attacks: knowing quantum capabilities are around the corner, attackers are stealing and storing encrypted data right now with the intent to decrypt it when quantum matures. What happens to your business and confidential data when it’s decrypted even years down the line?
Governments around the globe are already suggesting a shift towards PQC, setting regulations and guidelines for organizations. If your business is already investing and planning for PQC, you’ll have much less trouble meeting and surpassing regulations as they’re set. Even just in the US, we’re already seeing a strong shift towards mandatory crypto agility:
- NIST has held five PQC standardization conferences so far and will host the sixth in late September 2025, publishing PQC standards to protect against future quantum computers.
- The NSA recently published an advisory recommending the Commercial National Security Algorithm 2.0 (CNSA 2.0) to protect against quantum computing.
- In 2024, CISA published a strategic document outlining how organizations can (and should) migrate to automated post-quantum cryptography.
The word in the cryptography and cybersecurity spaces is clear: quantum security cannot be ignored. Without a focus on PQC, your business faces quantum risks at every level. Make sure the breadth of the threat is clear to your board—and provide strategies to address it.
Avoid fear-based messaging: talk strategy, not sci-fi
While quantum computing threats are undeniable, no one really knows what will happen and when. Fearmongering isn’t enough to push senior leaders to take action. Focus on risk management, operational resilience, and the strategic benefits of being PQC-ready instead. Position quantum computing as a risk you can manage now: a predictable disruption, not a catastrophic unknown threat.
Building toward PQC readiness is a modernization strategy. Your business already has cryptographic processes and procedures. Updating them to deal with upcoming quantum risks is not a simple tech upgrade; it’s a multi-year transformation project that requires phased investment over time. What does being prepared for PQC mean to your organization? Your business will need to strategize updates to inventory, prioritization, and planning across multiple years to improve overall quantum agility.
When discussing how your company should invest in PQC, maintain a calm, fact-based tone. For example, a statement like “While functional quantum computers capable of breaking encryption are not here yet, the required transition time is significant. Planning now avoids disruption later” tells the board how important it is to address and control the risk without going overboard in highlighting how dangerous the risk itself could be.
Translate technical risk into executive language
As someone immersed in technology and security, you understand the implications of quantum computing advances on current PKI. Business executives might not; it’s your job to educate them without overloading them with information. The goal? Help them partner with you to make sure your company is prepared to adapt to PQC. Use analogies that connect the PQC upgrade process to existing board priorities: business continuity, reputation, compliance, and cyber-resilience.
Highlight four key concepts:
- Time-to-remediate
- Crown jewel exposure
- Compliance horizon
- Technology debt
Time-to-remediate
Depending on the existing state of your organization’s architecture and cryptographic protocols, it may take between five and twelve years to fully implement quantum-safe cryptography across your systems.
Put together an audit of your organization’s current readiness for PQC and what it will take to reach 100% quantum agility. The sooner you can get the board to approve remediation, the more likely you’ll be able to fully upgrade before quantum risks become clear.
Crown jewel exposure
What are your organization’s “crown jewels”, or the critical assets that set it apart from other organizations? Whether it’s intellectual property, PII, or patient records, failing to update to PQC exposes those crown jewels to attackers, putting your business at a severe disadvantage against competitors that took the time to improve their crypto agility.
Ensure the board knows the risks posed against the company’s crown jewels by quantum computing.
Compliance horizon
You’ve probably spent years of your life upgrading to the latest regulatory and industry standards to keep your organization safe. These standards are emerging fast to combat quantum risks. If your business falls behind these standards and regulations, you’re risking fines and other adverse action by regulatory agencies.
The board should understand that improving security toward PQC is quickly becoming the regulatory standard for all organizations.
Technology debt
A consistent problem for many organizations is technology debt: the future costs you face if you choose the cheap, quick solution now. One example comes from PKI: businesses that didn’t invest in automated certificate management when they were smaller years ago are struggling to manage exponentially larger numbers of certificates with manual processes, leading to outages, data leaks, etc.
The board should understand that choosing the cheap solution right now (by not upgrading to PQC) could cost the organization many times more down the road.
Build the business case
Here’s the fourth and final step you must remember. To build your PQC business case, it’s important that you:
- Align PQC initiatives with modernization and cost optimization initiatives. Focus on digital trust, customer data protection, and long-term resilience as key pillars to keep your organization and customers secure. Embrace automation to reduce the operational overhead on today’s teams and find ways to streamline your processes.
- Outline the risks of inaction. Without upgrading your organization to PQC, you could face legal liabilities, insurance implications, reputational damage, or even going out of business entirely if post-quantum breaches occur.
- Present incremental timelines. You don’t need to show the entire project all at once. Show how gradual improvements, such as discovery and crypto inventory tools, can have a big impact.
- Include milestones to show progress and ROI over time. The board and other executive leadership will want clear markers that the business is on its way to PQC. You can include something like “By next quarter, we will have completed a cryptographic inventory of all public-facing services.”
- Cite trusted third-party recommendations for credibility. Many governments and other organizations preparing for PQC have published recommendations and standards for businesses to upgrade to PQC. Look at additional resources from Keyfactor and the 360 Alliance, which aligns insights from Keyfactor, IBM Consulting, Thales, and Quantinuum.
Conclusion
It will take time and consistent effort to update today’s organizations to cryptographic standards that will stand up against quantum computing. Post-quantum cryptography is not a problem for tomorrow; it’s a requirement to plan for today. IT and security leaders can be strategic partners with their leadership. They don’t need to predict the quantum timeline to act; they only need to prepare for the inevitable cryptographic change we already know is on the way.
Communicate the quantum risk to your board, then engage vendors, auditors, and cross-functional partners to define a crypto-agility roadmap.
Would you like help getting started? Here are two great resources:
- Explore the recent PQC-themed issue of Digital Trust Digest. It’s packed with real-world survey data and actionable steps to guide your PQC readiness.
- Reach out for a demo or with any questions. Keyfactor can help you build cryptographic inventory, enable crypto-agility, and prepare for PQC migration.