Four Conversations We Keep Having With CISOs About Quantum
Four objections keep showing up in post-quantum readiness discussions: budget, tenure, technology priorities, and bureaucracy. The answer in each case is the same: run the cryptographic inventory.
Read this first
- Post-quantum work is easier to fund when it starts as discovery, not as a full migration program.
- A cryptographic inventory is finishable inside a CISO tenure window and creates evidence for boards, auditors, and successors.
- Intelligence-model security and quantum readiness converge in the same control plane because intelligence-model systems depend on cryptographic integrity and confidentiality.
Decision context
What this should trigger
- Takeaway: Reframe PQC from a migration request into a bounded cryptographic inventory exercise.
- Proof type: Sourced analysis
- Best for: CISO, Board, Security Leadership
Visual evidence concept
CISO operating room: exposure, intelligence-model systems, and regulatory calendar in one control plane.
Four sentences keep showing up in CISO advisory conversations. They are not the only objections, but they are recurring enough to plan around. Across market conversations, the setting changes but the friction points are familiar. Here they are, and here is what we have learned about answering them.

Executive decision aid
Use this table when the conversation moves from awareness to action. Each objection has one defensible answer and one concrete artifact.

| Objection | Reframe | Evidence | Artifact |
|---|---|---|---|
| It is not in the budget. | Do not ask for migration first. Ask for discovery. | UK NCSC starts with discovery, assessment, and an initial plan by 2028. | Cryptographic inventory map |
| I may not be around in two years. | Make the work finishable inside the current tenure window. | A current inventory and risk assessment create a clean successor handoff. | Board-ready handoff record |
| Model security is my priority right now. | Model security and cryptographic resilience share a control plane. | Model integrity, training data confidentiality, and inference authentication depend on cryptography. | Model crypto-dependency inventory |
| Nothing moves in this company. | Move PQC from opportunity language into the risk register. | Loss-averse organizations act when exposure is documented and deferral requires ownership. | Risk-register entry |
Board-ready deck
Four CISO Conversations About Quantum
A concise deck for turning budget, tenure, technology, and bureaucracy objections into an inventory-first action plan.
Public-source briefing material. No customer-identifying proof artifacts or endorsement claims are used.
Conversation One: “It Is Not In The Budget.”
This is the first sentence. It is almost always the first sentence. The CISO is not wrong. Post-quantum cryptography migration is a multi-year capital program, and many enterprise security budgets are set before a new risk theme is fully operationalized. Asking for a new line item mid-cycle can read as bad planning.
The reframe is small and it changes everything. Stop asking for a migration. Ask for a discovery.
A cryptographic inventory is a 60 to 90 day operational exercise. It tells you what algorithms are running in your environment, where they live, what data depends on them, and what your real exposure looks like. It can be scoped as a discovery motion before a full migration program, and it produces something regulators and auditors are increasingly likely to ask for over the next 24 months. The UK National Cyber Security Centre published its migration timeline in March 2025, and the first phase due by 2028 is exactly this: discovery, assessment, and an initial migration plan.
You are not buying a program. You are buying a map. The CISO who walks into the next board meeting with a cryptographic bill of materials looks like a leader. The one who walks in with an estimate looks like a risk.
Conversation Two: “I May Not Be Around In Two Years.”
This one comes up more often than the industry admits. CISO tenure averages somewhere between two and four years depending on which study you read. The job is hard. People burn out, get pushed out, or move up. The honest version of this objection is, “Why should I sponsor a multi-year program when someone else will inherit it?”
Three reasons.
- Resume hygiene: The CISOs who can show a completed cryptographic inventory will have a stronger answer when boards, auditors, or successors ask about post-quantum readiness. Running the discovery exercise puts a verifiable deliverable on your record.
- Successor handoff: The CISO who hands the next person a current cryptographic inventory and documented risk assessment leaves the role on strong footing.
- Board continuity: If you are still there in 2027, you answer. If you are not, the person who replaced you answers from the evidence you left behind.
If you really are leaving, the work pays more, not less.
Conversation Three: “Model Security Is My Priority Right Now.”
This one appears constantly in board-facing security discussions. Intelligence-model governance, model risk, model security — these are problems from this morning. Quantum sounds like a problem from 2030. But the cryptographic layer underneath every model is already at risk.
The argument that intelligence-model priorities compete with quantum for attention is backwards. Every model you deploy depends on cryptographic primitives for model integrity, training data confidentiality, and inference authentication. The pipelines that move data into your models are encrypted with the same algorithms a future quantum computer will break. If your model strategy assumes today’s cryptography will hold for the operational lifetime of those systems, you have already made a quiet bet you cannot defend.
The two workstreams are starting to converge. Model security and cryptographic resilience meet in the same control plane. Treating them as separate categories creates a documentation gap when a board, auditor, or architecture review asks which cryptographic dependencies support the model systems leadership is funding.
Run the discovery once. It gives both workstreams a shared evidence base.
Conversation Four: “Nothing Moves In This Company.”
This one appears often in organizations with federal, regulated, or highly committee-driven operating models. The conclusion is that bureaucracy is the obstacle and the obstacle is permanent.
It is not permanent. It is just framed wrong.
Bureaucracies are loss-averse, not progress-averse. They move on the things that get framed as risk, not the things that get framed as opportunity. Right now post-quantum sits in the opportunity column in most companies. New spending. New vendor selection. New training. All of that reads as discretionary, which means it gets deferred.
Move it to the risk column. Add one line to your risk register: cryptographic inventory not performed; exposure unknown; regulatory deadlines beginning 2027. Now the question changes. The question is no longer whether to spend on this. The question is who signs the document saying the company chose not to look.
The Risk Register Reframe
The same item moves from deferred to must-address by changing one column.
Opportunity column
New spending, vendor selection, training, and future readiness read as discretionary.
Decision: defer to next budget cycle
Risk column
Cryptographic inventory not performed. Exposure unknown. Regulatory deadlines beginning 2027.
Decision: who signs to defer?
Bureaucracies are loss-averse, not progress-averse. The same activity, framed as opportunity, gets deferred. Framed as risk, it gets owned.
The federal lesson transfers cleanly. Mandates beat persuasion. CNSA 2.0 sets timelines for national security systems. NSM-10 set the federal trajectory back in 2022. The European Commission published its coordinated implementation roadmap in April 2024. The UK NCSC framework runs through 2035. You do not need to convince your CEO that quantum is real. You need to put the regulatory calendar in front of them and let the calendar do the work.
The One Move That Works In All Four Conversations
You will notice the same answer surfaced in each of these. Not because we are repeating ourselves. Because the answer is the same.
Run the inventory.
Not the migration. Not the program. The inventory. It is small enough to fit inside a quarterly operating motion. It is short enough to finish inside any tenure horizon. It can include the cryptographic dependencies that support the model systems leadership is funding. And it gives your board, your auditor, your successor, and your future self something every other path lacks: evidence.
The CISOs who run it this year will spend 2027 making decisions. The ones who do not will spend 2027 explaining why.
Pick which conversation you want to be having.
Take the framework with you
The deck version of this article, ready for your boardroom.
If you want to walk this framework into your own board meeting or executive committee, the full deck is available on the web. It includes the four conversations as standalone slides, the risk register reframe infographic, the 2026 mandate calendar, and a clean QScout starting point. Buyer-facing chrome. No watermarks.
Where To Start
If you want to start that inventory this quarter, the lowest-friction path is QScout Free. Submit a domain. Verify a business email. Receive an initial browser-based executive snapshot after verification. It is an initial artifact for deciding whether a scoped assessment is warranted.
Devil’s Advocate
The honest counter to all of this is that quantum timelines have slipped before and could slip again. A cryptographically relevant quantum computer capable of running Shor’s algorithm at RSA-2048 scale does not exist today. The Google Quantum papers from 2025 and 2026 reduced the resource estimates dramatically, but reduced does not mean built. These estimates remain assumption-sensitive. They depend on error rates, gate fidelity, qubit connectivity, and architectural choices that have not yet been demonstrated at the scale required to break deployed cryptography.
If you run a mid-market organization with no regulated data, no long-shelf-life secrets, no government contracts, no defense supply chain exposure, and no near-term M&A activity, you can probably defer active migration spending until 2027 without career consequences. The discovery exercise still makes sense because it builds the foundation for everything that comes next. But the framing that the sky is falling in 18 months is overstated, and any CISO reading this should push back on it. The real risk in the next 24 months is regulatory and reputational, not cryptographic. Plan accordingly. The math has not changed. The deadline pressure has.
Public-to-private proof path
Start here
Submit one domain and verify a business email to receive an initial browser-safe executive snapshot. If the signal is material, a scoped assessment is available when deeper validation is warranted.
For procurement, federal contracting, or scoping conversations: info@qtonicquantum.com
Sources
Source register
- UK National Cyber Security Centre. Timelines for migration to post-quantum cryptography. March 2025.
- European Commission. Recommendation (EU) 2024/1101 on a coordinated implementation roadmap for post-quantum cryptography. April 11, 2024.
- National Security Agency. CNSA 2.0 future quantum-resistant algorithm requirements for National Security Systems. September 2022.
- National Security Agency. Summary of NSM-10 federal quantum-resistant cryptography direction. May 2022.
- Gidney, C. How to factor 2048 bit RSA integers in less than a week with less than a million noisy qubits. 2025.
- Google Quantum. Securing Elliptic Curve Cryptocurrencies against Quantum Vulnerabilities. March 2026.
- Resource estimate caveat: The cited quantum resource estimates depend on architectural assumptions about error rates, gate fidelity, qubit connectivity, and circuit depth that have not been demonstrated at deployed-cryptography-breaking scale.
Informational purposes only
Use and limitations
This material is provided for informational purposes only and does not constitute legal, regulatory, compliance, investment, or professional advice. References to public agencies, standards bodies, vendors, research organizations, or other third parties reflect public-source context only and do not imply endorsement, partnership, customer relationship, or affiliation with Qtonic Quantum Corp.
Examples are representative editorial scenarios, not customer case studies or outputs from a live customer engagement.
© 2026 Qtonic Quantum Corp. All rights reserved.
Signal file
- Type: Board Memo
- Published: May 3, 2026
- Reading time: 9 min read
- References: 7
- Proof type: Sourced analysis
- Audience: CISO, Board, Security Leadership