Quantum Security Governance: Building a Board-Level Framework
Quantum risk briefings are now common at board level. Governance is not. This article sets out a five-element framework using NIST CSF 2.0 as the…
Blog
Expert analysis, quantum security news, and industry developments from QSECDEF. 175 articles across insights and news.
Every security professional has read the headlines about national quantum programmes. What most enterprise security teams have not done is translate…
Financial services institutions hold the data categories with the longest regulatory retention periods, are documented targets of nation-state cyber…
The IBM Nighthawk and Google Willow announcements attracted more executive-level attention than any quantum hardware development in years. Both…
Security teams at financial institutions, critical infrastructure operators, and defence contractors typically carry memberships with ISC(2), ISACA,…
Quantum security training is a buyer's market in the worst sense: provider marketing has converged on the same vocabulary regardless of actual…
The NSA's preferred schedule had 2025 as the target year for software and firmware signing. That date has passed. This article works through each CNSA…
NIST IR 8547 is not a threat assessment document. It is a schedule. This article provides the specific dates, specific algorithm names, and specific…
Less than the briefings suggest, but more than the sceptics acknowledge. This article works through the hardware landscape as it stands in 2026,…
Underwriter questionnaires are beginning to incorporate quantum security posture into risk assessment. This article maps what a credible answer looks…
NIST published FIPS 203, 204, and 205 in August 2024. DORA entered full enforcement in January 2025. The regulatory infrastructure exists. The CPD…
Harvest-now-decrypt-later exposure is calculable, not qualitative. An organisation that knows its network topology, data retention requirements, and…
Post-quantum cryptography readiness has a specific structure. Six areas must all advance for a migration to succeed: cryptographic discovery,…
Google's Willow chip in December 2024 confirmed below-threshold quantum error correction in hardware for the first time. Understanding what it…
On 20 March 2025 the NCSC published its first dedicated PQC migration timeline, setting milestones at 2028, 2031, and 2035. For operators of essential…
There is no single EU quantum security regulation. There is instead a cluster of four general cybersecurity instruments whose requirements for…
DORA's ICT risk management obligations are live. This article maps the specific Articles 6 and 9 obligations and their RTS implementations to…
For organisations operating in the EU, ETSI standards are not an alternative to NIST — they are the regulatory translation layer. This article maps…
The board case for PQC investment changed materially in August 2024 when NIST published final standards and opened the deprecation clock. This article…
Not all data needs migrating at the same urgency. This article applies the Mosca inequality to specific data categories with specific confidentiality…
The EU Cyber Resilience Act's main conformity obligations apply from December 2027. For manufacturers whose products use quantum-vulnerable…
The obligation to protect personal data with measures 'appropriate to the risk' under UK GDPR Article 32 includes the current threat model. That model…
Google's Willow chip and IBM's Nighthawk processor are genuine scientific milestones. Neither changes the 2033-2035 Q-Day central estimate.…
Available quantum security training clusters at opposite extremes: PhD-depth theory with no migration connection, or awareness briefings that explain…
The most common reason PQC migration programmes stall at planning is the absence of a reliable answer to one question: what cryptographic assets do we…
A cryptographic library is not a commodity procurement. Choose a library without ML-KEM support today and you face a choice between deferring…
Multi-framework PQC compliance is the problem most organisations face in 2026. NIST IR 8547, CNSA 2.0, DORA, and NIS2 share a technical foundation but…
The Harvest Now, Decrypt Later attack is not a theoretical concern for 2033. The interception is happening now. A five-component operational framework…
The PQC migration problem in operational technology environments is harder than in IT. Hardware cycles of ten to twenty years, compute-constrained…
Zero Trust Architecture removes implicit network trust. Post-quantum cryptography migration removes algorithm vulnerability to a future quantum…