
Board Briefing: Preparing for the Post-Quantum Era

  • nicolaferraritest
  • Jan 19
November 2025, Daryl Flack, Partner
Published on: Resilienceforward.com




The quantum threat is real, timelines are clear, and the opportunity to lead with resilience is now. Daryl Flack provides an essential board briefing on the immediate actions required for post-quantum cryptography.


Quantum computing is no longer a research curiosity; it’s edging closer to commercial impact. For boards, this isn’t an abstract technology story. It’s about trust, resilience, and whether your organization’s secrets will stay secret in a post-quantum world.


The calm before the cryptographic storm

For decades, cryptography has been the silent engine of digital trust. The algorithms protecting our communications, transactions, and national systems have remained remarkably stable; so stable, in fact, that most boards have never had to think about them.

That era is ending. In the first instance, boards need to prevent their critical data assets from leaving their secure environments, because once a quantum-relevant computer arrives, it will be able to decrypt any data that was protected by quantum-vulnerable algorithms. This is part of the ‘harvest now, decrypt later’ risk that organizations need to be aware of.


When quantum computing reaches maturity, the core cryptography that underpins today’s digital economy could be rendered obsolete. What looks solid now could dissolve overnight. And yet, across many industries, awareness remains fragmented. A few critical national infrastructure (CNI) players are mobilising, but most boards are waiting for vendors or regulators to take the first step. Waiting is a strategic blind spot.


The countdown to a quantum-safe future

The UK’s National Cyber Security Centre (NCSC) has drawn clear milestones:


  • By 2028: have a migration plan to post-quantum cryptography (PQC).

  • By 2031: prioritised systems – those protecting the most sensitive or enduring data – must be migrated.

  • By 2035: full migration across systems and supply chains should be complete.


That’s two or three board cycles away. Given the scale of discovery, design, skills, and vendor alignment needed, 2026 should be the year to start your quantum-safe journey. Quantum readiness isn’t a sprint in 2030; it’s a marathon that needs to start now.


Forward-thinking boards will no longer be asking, “What is quantum?” but “How close are we to becoming quantum-safe?”


Those that act now will define future benchmarks for digital trust. Think of PQC as replacing the locks on every digital door that your organization has. It will take time, and it will impact everything, but early leadership will determine the pace, the cost, and the outcome.


Questions every board should be asking in 2026


  1. How are we protecting our critical data assets against the harvest now, decrypt later risk?

  2. What’s our inventory of cryptographic assets and where are the blind spots?

  3. What proportion of our long-life or confidential data is quantum-protected or prioritised for protection?

  4. Are our vendors, partners, and regulators aligned on PQC timelines?

  5. Do our digital transformation and AI programmes include crypto-agility standards?

  6. Who owns PQC readiness at the executive level and are they resourced to deliver it?


Where boards can lead and where they may fall short

Boards, CISOs, and technology leaders must guide a transformation that touches governance, procurement, talent, and long-term organizational resilience:


Commission cryptographic discovery – the foundation of all planning

Action: Instruct management to conduct a comprehensive cryptographic discovery exercise to map the use of cryptography across the enterprise and supply chain.

Warning: Without an accurate map of where and how cryptography is used, planning is impossible.


Put PQC on the board agenda and embed it into risk governance

Action: Make PQC a standing board topic and embed quantum risk into the enterprise risk framework. Include measurable indicators such as inventory progress, crypto-agility adoption, and supplier readiness.

Warning: Do not treat PQC as a technical detail. It is a core resilience issue with financial, reputational, and regulatory implications.


Prioritise long-life and high-value, confidential data

Action: Identify data that must remain confidential for decades, such as legal archives, trade secrets, health records, state information, and prioritise early migration or interim protections.

Warning: Harvest now, decrypt later attacks are already underway. Adversaries can intercept and store encrypted data today, with the intention of unlocking it once quantum capabilities mature.


Demand crypto-agility by design

Action: Ensure that all new systems and contracts specify crypto-agility, which is the ability to replace algorithms without requiring major redesign.

Warning: Do not approve digital programmes without verifying adaptability. Hard-coded encryption will become future technical debt.


Align with technology refresh cycles

Action: Integrate PQC migration with natural refresh cycles for infrastructure, applications, and OT environments. This will reduce disruption and cost, and avoid parallel, isolated PQC programmes later.

Warning: Do not leave PQC as an afterthought. Once systems are already in flight, they become harder and more expensive to change.


Engage the supply chain early – don’t assume vendors are ready

Action: Demand visibility of vendor PQC roadmaps, include PQC clauses in contracts from 2026, and prioritise partners whose plans align with your own.

Warning: Do not assume suppliers are prepared. One unprepared vendor can undermine the entire value chain.


Invest in skills, testing, and assurance

Action: Build internal capability and ensure teams are trained on emerging PQC standards, validation, and crypto-agile systems. Include pilot testing, lab environments, and assurance of new PQC implementations.

Warning: Do not underestimate the skills gap – PQC expertise is scarce and will command a premium.


Treat PQC as a driver of trust, not just compliance

Action: Position PQC migration as part of your organization’s trust and resilience strategy. Early movers gain credibility and market confidence; laggards face scrutiny from regulators, partners, and customers.

Warning: Do not focus solely on compliance milestones at the expense of long-term competitive advantage.


Beyond compliance: building trust in the quantum era

The transition to PQC is not simply about meeting NCSC, NIST, or other timelines. It is about preserving trust in the digital economy.


Boards that wait for perfect clarity will end up following others’ roadmaps. Boards that act now will shape their own. Chart your course before the quantum tide sweeps in.


The author

Daryl Flack is Partner, Avella Security


Avella views its recognition as one of only a select group of PQC consultancies assured by NCSC for discovery and migration planning and advice as a responsibility as much as an achievement.
