Qtonic Quantum Blog | May 4, 2026 | Qtonic Quantum Research Team
Four Conversations We Keep Having With CISOs About Quantum
Conversation One: “It is not in the budget.”
This is the first sentence. It is almost always the first sentence. The CISO is not wrong. Post-quantum cryptography migration is a multi-year capital program, and most security budgets for 2026 closed months ago. Asking for a new line item now reads as bad planning.
The reframe is small and it changes everything. Stop asking for a migration. Ask for a discovery.
A cryptographic inventory is a 60 to 90 day operational exercise. It tells you what algorithms are running in your environment, where they live, what data depends on them, and what your real exposure looks like. It can often be scoped below the cost of a broad penetration test, and it produces something regulators and auditors are increasingly likely to ask for over the next 24 months. The UK National Cyber Security Centre published its migration timeline in March 2025 and the first phase, due by 2028, is exactly this. Discovery. Assessment. An initial migration plan.[1]
You are not buying a program. You are buying a map. The CISO who walks into the next board meeting with a cryptographic bill of materials looks like a leader. The one who walks in with an estimate looks like a risk.
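To make the deliverable concrete, here is an added example of the classification step that turns raw scan observations into a cryptographic bill of materials. It is illustrative code written for this post, not QScout or any other Qtonic tooling. It takes TLS observations for a handful of services, tags the key exchange, certificate signature and bulk cipher by quantum exposure, and flags harvest-now-decrypt-later risk against a data-retention threshold. The service names, hosts, record fields and the five-year threshold are constructed assumptions; in a real inventory the records come from your TLS scanner, certificate store and code scanning. The same pass covers the endpoints in front of model registries and training-data stores that Conversation Three is about.

```python
"""Toy cryptographic inventory (CBOM) classifier.

Added illustration for this post, not Qtonic's QScout or any other product.
Input records are constructed to resemble TLS scanner output for a few
internal services; field names, hosts and the threshold are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumption: data that must stay confidential this long or longer counts as
# harvest-now-decrypt-later (HNDL) exposed when the key exchange is classical.
HNDL_SHELF_LIFE_YEARS = 5

# Key-exchange groups whose security rests on factoring or discrete logs (Shor).
CLASSICAL_KEX = {"rsa", "dhe", "ecdhe", "x25519", "x448", "secp256r1", "secp384r1"}
# Hybrid groups that combine a classical group with ML-KEM (FIPS 203).
PQ_HYBRID_KEX = {"x25519mlkem768", "secp256r1mlkem768", "secp384r1mlkem1024"}


@dataclass
class Endpoint:
    service: str
    host: str
    tls_version: str
    kex: str                # negotiated key-exchange group
    sig: str                # certificate signature algorithm
    cipher: str             # bulk cipher, e.g. AES_128_GCM
    shelf_life_years: int   # how long data sent here must stay confidential


@dataclass
class Finding:
    service: str
    host: str
    kex_status: str     # "quantum-vulnerable" | "pq-hybrid" | "unknown"
    sig_status: str     # "quantum-vulnerable" | "post-quantum" | "unknown"
    bulk_status: str    # "ok" | "below-cnsa-2.0" | "unknown"
    hndl_exposed: bool  # recorded traffic becomes readable once a CRQC exists
    notes: List[str]


def classify_kex(kex: str) -> str:
    k = kex.lower()
    if k in PQ_HYBRID_KEX:
        return "pq-hybrid"
    return "quantum-vulnerable" if k in CLASSICAL_KEX else "unknown"


def classify_sig(sig: str) -> str:
    s = sig.lower()
    if "ml-dsa" in s or "slh-dsa" in s:
        return "post-quantum"
    if any(alg in s for alg in ("rsa", "ecdsa", "ed25519", "ed448")):
        return "quantum-vulnerable"
    return "unknown"


def classify_bulk(cipher: str) -> str:
    # Symmetric ciphers are not broken by Shor; CNSA 2.0 still requires AES-256
    # because Grover's search roughly halves the effective key length in theory.
    c = cipher.upper()
    if "AES_256" in c or "CHACHA20" in c:
        return "ok"
    return "below-cnsa-2.0" if "AES_128" in c else "unknown"


def classify(ep: Endpoint) -> Finding:
    kex_status, sig_status = classify_kex(ep.kex), classify_sig(ep.sig)
    bulk_status = classify_bulk(ep.cipher)
    hndl = kex_status == "quantum-vulnerable" and ep.shelf_life_years >= HNDL_SHELF_LIFE_YEARS
    notes = []
    if hndl:
        notes.append("classical key exchange over long-lived data: sessions recorded today are readable once a CRQC exists")
    if ep.kex.lower() == "rsa":
        notes.append("static RSA key transport: no forward secrecy, one factored certificate key opens every recorded session")
    if sig_status == "quantum-vulnerable":
        notes.append("forging this signature needs a CRQC at forging time: no retroactive exposure, rotate before one exists")
    if bulk_status == "below-cnsa-2.0":
        notes.append("AES-128 is below the CNSA 2.0 requirement of AES-256")
    return Finding(ep.service, ep.host, kex_status, sig_status, bulk_status, hndl, notes)


def classify_all(endpoints: List[Endpoint]) -> List[Finding]:
    return [classify(ep) for ep in endpoints]


def inventory(endpoints: List[Endpoint]) -> Dict:
    """Roll findings up into the summary a board or auditor would read."""
    findings = classify_all(endpoints)
    kex_counts: Dict[str, int] = {}
    for f in findings:
        kex_counts[f.kex_status] = kex_counts.get(f.kex_status, 0) + 1
    return {
        "kex": kex_counts,
        "sig_quantum_vulnerable": sum(1 for f in findings if f.sig_status == "quantum-vulnerable"),
        "hndl_exposed": [f.service for f in findings if f.hndl_exposed],
        "findings": findings,
    }


def sample_endpoints() -> List[Endpoint]:
    # Constructed scan output; services and hosts are invented for illustration.
    return [
        Endpoint("payments-api", "pay.internal.example", "TLSv1.2", "RSA", "sha256WithRSAEncryption", "AES_128_GCM", 7),
        Endpoint("model-registry", "models.internal.example", "TLSv1.3", "X25519", "ecdsa-with-SHA256", "AES_256_GCM", 10),
        Endpoint("public-web", "www.example", "TLSv1.3", "X25519MLKEM768", "ecdsa-with-SHA256", "AES_256_GCM", 0),
        Endpoint("training-data-bucket", "data.internal.example", "TLSv1.3", "secp256r1", "sha256WithRSAEncryption", "AES_256_GCM", 3),
    ]


if __name__ == "__main__":
    report = inventory(sample_endpoints())
    for f in report["findings"]:
        print(f"{f.service:22} kex={f.kex_status:19} sig={f.sig_status:19} bulk={f.bulk_status}")
        for note in f.notes:
            print("    -", note)
    print("HNDL-exposed services:", report["hndl_exposed"])
```

The point of the `hndl_exposed` flag is that exposure is not uniform: a service that already negotiates a hybrid ML-KEM group carries no store-now-decrypt-later risk even with a classical certificate, while an internal API on static RSA key transport protecting seven-year data is the first thing on the migration list. Retention schedule plus key exchange, not the bare algorithm name, is what ranks the findings.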
Conversation Two: “I may not be around in two years.”
This one comes up more often than the industry admits. CISO tenure averages somewhere between two and four years depending on which study you read. The job is hard. People burn out, get pushed out, or move up. The honest version of this objection is, “Why should I sponsor a multi-year program when someone else will inherit it?”
We hear three reasons that change the calculation.
The first is résumé hygiene. The strongest CISO candidates in 2027 will be expected to have a serious answer on post-quantum readiness. The market for security leaders is going to bifurcate fast between those who have a story to tell and those who do not. Running the discovery exercise puts a verifiable deliverable on your record. It is the cleanest line you can add to your professional history this year.
The second is successor handoff. The CISO who hands the next person a current cryptographic inventory and a documented risk assessment leaves the role on the strongest footing imaginable. The one who hands over nothing leaves a problem with no map. Your reputation in this industry is built on what you finish, not what you start. The discovery is finishable inside any reasonable tenure window.
The third is that the question gets asked of whoever is in the chair. If you are still there in 2027, you answer. If you are not, the person who replaced you answers, and what they say about your tenure depends on what you left them. There is no version of the next 24 months in which this question goes away. The only variable is who is sitting across the table when it lands.
If you really are leaving, the work pays more, not less.
Conversation Three: “Model security is my priority right now.”
We get this one constantly. Boards across industries are asking about intelligence-model governance, model risk, model security — these are problems from this morning. Quantum sounds like a problem from 2030. But the cryptographic layer underneath every model is already at risk.
The argument that intelligence-model priorities compete with quantum for attention is backwards. Every intelligence-model system you deploy depends on cryptographic primitives for model integrity, training data confidentiality, and inference authentication. The pipelines that move data into your models are encrypted with the same algorithms a future quantum computer will break. The exposure is not symmetric, and that is worth saying plainly: the key exchange protecting training data and inference traffic is exposed now, because sessions recorded today can be decrypted once such a machine exists, while the signatures protecting model integrity only become forgeable at that point and carry no retroactive risk. If your intelligence-model strategy assumes today’s cryptography will hold for the operational lifetime of your models, you have already made a quiet bet you cannot defend.
The two budgets are starting to converge. Intelligence-model security and cryptographic resilience meet in the same control plane. The CISOs who treat them as separate categories are the ones who will get caught when their auditor asks for a cryptographic inventory of their intelligence-model infrastructure and they have nothing to show. That audit question is coming. It is just not here yet.
Run the discovery once. It covers both.
Conversation Four: “Nothing moves in this company.”
We hear this one most from CISOs with federal experience. They have lived inside agencies where 18 months is fast and three years is normal. They moved to the private sector expecting speed and found a different flavor of the same problem. Their conclusion is that bureaucracy is the obstacle and the obstacle is permanent.
It is not permanent. It is just framed wrong.
Bureaucracies are loss-averse, not progress-averse. They move on the things that get framed as risk, not the things that get framed as opportunity. Right now post-quantum sits in the opportunity column in most companies. New spending. New vendor selection. New training. All of that reads as discretionary, which means it gets deferred.
Move it to the risk column. Add one line to your risk register that says, “Cryptographic inventory not performed. Exposure unknown. Regulatory deadlines beginning 2027.” Now the question changes. The question is no longer “should we spend on this?” The question is “who signs the document saying we chose not to look?” Nobody signs that document. Not the CFO. Not the General Counsel. Not the CEO.
The Risk Register Reframe (figure)
Opportunity column: new spending, vendor selection, training, and future readiness read as discretionary. Decision: defer to next budget cycle.
Risk column: cryptographic inventory not performed. Exposure unknown. Regulatory deadlines beginning 2027. Decision: who signs to defer?
The federal lesson transfers cleanly. Mandates beat persuasion. CNSA 2.0 sets timelines for national security systems. NSM-10 set the federal trajectory back in 2022. The European Commission Recommendation 2024/1101 published its coordinated implementation roadmap in April 2024.[2] The UK NCSC framework runs through 2035.[1] You do not need to convince your CEO that quantum is real. You need to put the regulatory calendar in front of him and let the calendar do the work.
The One Move That Works in All Four Conversations
You will notice the same answer surfaced in each of these. Not because we are repeating ourselves. Because the answer is the same.
Run the inventory.
Not the migration. Not the program. The inventory. It is cheap enough to fit inside a quarterly operating budget. It is short enough to finish inside any tenure horizon. It covers your intelligence-model infrastructure as a byproduct. And it gives your board, your auditor, your successor, and your future self something every other path lacks. Evidence.
The CISOs who run it this year will spend 2027 making decisions. The ones who do not will spend 2027 explaining why.
Pick which conversation you want to be having.
Where to Start
If you want to start the inventory this quarter, the lowest-friction path is QScout Free. Submit a domain. Verify a business email. Receive an initial browser-based executive snapshot after verification. It is an initial artifact for deciding whether a scoped assessment is warranted, not the inventory itself.
Devil’s Advocate
The honest counter to all of this is that quantum timelines have slipped before and could slip again. A cryptographically relevant quantum computer capable of running Shor’s algorithm at RSA-2048 scale does not exist today. The Google Quantum papers from 2025 and 2026 reduced the resource estimates dramatically, but reduced does not mean built.[3,4] These estimates remain assumption-sensitive. They depend on error rates, gate fidelity, qubit connectivity, and architectural choices that have not yet been demonstrated at the scale required to break deployed cryptography.[5]
If you run a mid-market organization with no regulated data, no long-shelf-life secrets, no government contracts, no defense supply chain exposure, and no near-term M&A activity, you can probably defer active migration spending until 2027 without career consequences. The discovery exercise still makes sense because it is cheap and it builds the foundation for everything that comes next. But the framing that the sky is falling in 18 months is overstated, and any CISO reading this should push back on it. The real risk in the next 24 months is regulatory and reputational, not cryptographic. Plan accordingly. The math has not changed. The deadline pressure has.