QIZ PQC Observatory, from inventory to cryptographic risk intelligence

On 10 March 2026, Ben Volkow, CEO and co-founder of QIZ Security, gave a webinar called “QIZ PQC Observatory: From Inventory to Cryptographic Risk Intelligence”.

His core message was simple, even if the subject is not: most organisations are not just facing a future quantum problem, they are also sitting on a very current cryptography management problem.

That matters because cryptography is the hidden plumbing of the digital world. It sits inside apps, networks, databases, cloud systems, devices, certificates and old configuration files that nobody has touched since someone still thought SHA-1 was a great idea. When that plumbing is messy, upgrading to post-quantum cryptography, or PQC, is not like changing one lock on one door. It is more like discovering that every lock, cupboard, window latch and secret tunnel in a giant office block was bought from a different shop over twenty years.

Ben’s talk was not about abstract theory. It was about what real enterprises, banks, governments, defence groups and critical infrastructure operators are running into when they try to get ready for the post-quantum era. His view was clear: the market needs to move beyond basic inventories and towards cryptographic risk intelligence, where organisations understand both what crypto they have and where the biggest risks sit, what to fix first and how to remediate at scale.

Why legacy tools are not enough

One of Ben’s sharpest points was that existing security tools were not built for cryptography posture management or PQC migration. They may spot fragments of the problem, but they often miss the wider picture.

For example, a team might detect an old TLS 1.0 connection on the network. That sounds helpful. But the real cause might be buried in an old database configuration file or some forgotten system dependency. In other words, the visible smoke is in one room, while the actual fire is in the basement.

That is why Ben argues that cryptography needs tools that can look across the whole organisation, covering data at rest and data in motion, while also understanding business context, ownership and connections between systems. Using a patchwork of old tools may deliver partial visibility, but partial visibility in cyber security is a bit like half a road map. Interesting, yes. Useful under pressure, not really.

The biggest enemy is not quantum, it is delay

A major theme in the webinar was the battle between important and urgent. CISOs already have overflowing plates, AI risk, zero trust, cloud transformation, compliance demands and plain old cyber fires. Quantum readiness can easily end up in the pile marked “important, but later”.

That is dangerous, Ben said, because PQC transition is not a weekend project. It may take six, seven or even ten years for large organisations. So delaying the start creates real risk.

He also warned about what he called analysis paralysis. Some organisations spend months building governance frameworks before taking any practical action. Meanwhile, obvious problems remain untouched. His advice was pragmatic: do not wait for the perfect process before fixing the most obvious weaknesses. If you can scan for outdated TLS and remove a large chunk of risk quickly, do it. Do not spend twelve months designing a grand programme when a few immediate actions could already reduce exposure.

It is the classic trap of polishing the steering wheel while the car is heading for a ditch.

A decade of crypto debt

Ben used a phrase that deserves to stick, crypto debt. Most organisations, in his view, have built up years of neglected cryptographic baggage.

Ask a typical security leader for their current crypto policy, and there is a fair chance it will be old, incomplete or gathering dust in a forgotten folder. Ask where TLS 1.0 still exists, or what percentage of databases are unencrypted, and many will struggle to answer with confidence.

This is the real starting point for PQC. Before organisations can become quantum safe, they often need to clean up years of weak hygiene. Ben’s point was brutally practical: trying to layer PQC on top of poor cryptographic management is like building five extra floors on a building with a shaky ground floor. Before you build upwards, you need to tidy the basement.

PQC is not owned by one team

Another challenge is ownership. PQC touches networks, software development, cloud platforms, third-party software, product security, governance teams and executive risk functions. There is rarely one single owner.

That means organisations are not dealing with one neat project. They are dealing with multiple workstreams that may need to start separately and then connect over time. One project might scan network traffic. Another might review software code. Another might check firmware or third-party images. Another may look at embedded products.

This fragmentation is both a challenge and an opportunity. The challenge is coordination. The opportunity is that firms do not need to boil the ocean on day one. They can move step by step.

The AI twist

One of the more forward-looking parts of the talk was Ben’s view that PQC and AI should be discussed together, not separately.

His argument was that crypto agility, the industry’s “North Star”, was designed to make future cryptographic changes easier. But the security world of 2026 looks different from the one people imagined in 2021. AI is now expected to increase the scale of certificates, keys, handshakes, attacks and changes across environments.

So the question is no longer only, “Can we swap algorithms more easily?” It is also, “Can the architecture cope with the speed, scale and complexity that AI may bring?” Ben did not pretend to have the final answer. He presented it as an important open discussion for the industry. That is a sensible position. When a map is still being drawn, the honest guide tells you where the fog is.

Regulation is coming, but confusion comes first

Ben also highlighted the regulatory mess many global organisations face. Different countries are moving at different speeds. Some expectations are clear, some are recommendations dressed up like requirements, and many do not yet carry obvious penalties.

That creates hesitation. Large banks and multinational firms are left asking basic but vital questions. Which regulation matters most for us? Which deadline applies? Which standards are mature enough to act on? What happens if we are late?

In short, regulation is pushing movement, but not always providing clean direction. For business leaders, that means waiting for perfect clarity may be a mistake. The safer route is to start building visibility and readiness now, even while details continue to evolve.

What CISOs actually want

The most valuable part of the webinar may have been Ben’s summary of what CISOs say they need from PQC observability platforms.

They want context. Finding weak crypto is not enough. They need to know whether it affects a trivial internal system or a crown-jewel application holding sensitive data.

They want an end-to-end platform. Not five disconnected tools, five dashboards and five contracts. One view across on-premises, cloud, network, source code and images.

They want remediation, not just rainbow-coloured dashboards. A million red lines in an inventory do not solve anything. They simply move the panic from ignorance to PowerPoint.

They want multi-stakeholder usability. Most users are not cryptographers. Tools need to make sense to CISOs, auditors, project managers, risk leaders and governance teams.

They want automation. Integration across hybrid, legacy and operational technology environments is hard. Automation can help connect, interpret, prioritise and guide remediation.

That is where Ben positions QIZ, moving from inventory to remediation and ongoing governance. Whether one agrees with every commercial claim or not, the market need he describes is credible and easy to recognise.

Key takeaways

1. PQC readiness is not a future problem alone, it exposes today’s weak cryptographic management
2. Legacy security tools often provide only partial visibility into crypto risk
3. Organisations should avoid analysis paralysis and begin with high-impact fixes
4. Crypto debt, old policies, outdated protocols and poor visibility, is a major barrier to migration
5. PQC is a cross-functional business issue, not a niche problem for mathematicians
6. AI may both help and complicate PQC transition, especially at scale
7. CISOs want context, remediation, automation and a single business-friendly platform

Why this matters to business

The business lesson is straightforward. Cryptography is moving from being an invisible technical detail to becoming a board-level resilience issue. Firms that understand their cryptographic posture early will be better placed to prioritise budgets, prove compliance, reduce operational risk and avoid rushed migrations later.

Those that wait may find themselves in a very expensive paper chase, armed with a torch, a spreadsheet and mild regret.

Market Classification

Primary market: Cyber security

Core segment: Cryptography posture management and post-quantum cryptography readiness

Sub-Markets & Adjacent Domains:

1. Crypto asset discovery
2. Certificate and key management
3. Cyber risk intelligence
4. Security posture management
5. Compliance and governance tooling
6. Cloud and hybrid security
7. Software supply chain and firmware security
8. OT and critical infrastructure security

Competitor Categories:

1. Traditional cyber asset discovery tools
2. Certificate lifecycle management platforms
3. Application security and code scanning vendors
4. Network security monitoring platforms
5. Crypto inventory and PQC readiness specialists
6. Consultancy-led PQC readiness services

Market Outlook:

The market is moving from awareness to execution. Early demand focused on discovery and inventory. The next phase is likely to centre on prioritisation, remediation workflows, governance and automation. Vendors that can connect technical findings to business risk will have a stronger position than those offering discovery alone.

Demand Drivers

1. Rising concern about future quantum threats
2. Growing regulatory and policy pressure
3. Large estates of legacy cryptography
4. Demand for better cyber resilience in banking, government and critical infrastructure
5. Complexity across cloud, on-premises and hybrid environments
6. Need to reduce manual effort through automation and AI