Most CISOs who have tried to brief a board on quantum security risk have experienced the same outcome: the board acknowledges the topic, asks when it becomes urgent, and defers. The problem is not that boards do not take security seriously. The problem is that "quantum computers could break encryption in the next decade" does not tell a board what to approve, when, or why they are the right people to approve it.
A board quantum security briefing that produces a decision looks different from one that produces awareness. This is a guide to the difference.
What the Board Actually Needs to Understand
Start by separating two things that are often conflated. Quantum computing as a technology (superposition, entanglement, qubit counts) is not what the board needs to understand. The quantum threat to cryptography is a specific, bounded problem: a cryptographically relevant quantum computer (CRQC) running Shor's algorithm can solve the mathematical problems that underpin RSA and ECDH key exchange, which means the encryption protecting most enterprise data flows will no longer hold. The board does not need to understand how quantum computing works. They need to understand what breaks, when it becomes a compliance and governance obligation, and what programme of work they are being asked to fund.
Boards are familiar with long-horizon infrastructure risk. Y2K remediation required boards to approve multi-year investment programmes for a risk that had not yet materialised. GDPR readiness (2016-2018) required the same structure. Quantum risk is structurally identical: the investment is needed before the event, and the lead time for PQC migration in a large organisation means that a board which waits for the risk to become visible may find the regulatory deadline already within a single migration cycle. NCSC guidance on post-quantum cryptography (2023) explicitly frames this for non-technical audiences.
The Five Components of a Briefing That Works
Most briefings that fail omit one of the first three. The full structure is:
The threat in board language. Not "quantum computers break RSA." Instead: current enterprise encryption relies on a mathematical problem (factoring very large integers) that classical computers cannot solve at scale. A sufficiently capable quantum computer can. The question is not whether this is physically possible (it is, in principle, and IBM's roadmap targets utility-scale fault-tolerant systems in the early 2030s) but when it arrives and how long migration takes.
The evidence of active current risk. This is where most board briefings are too cautious. HNDL (Harvest Now, Decrypt Later) means the threat is not waiting for Q-Day. The NSA stated in its 2021 advisory that adversaries may already be collecting encrypted data for future quantum decryption. The ODNI 2023 Annual Threat Assessment names China's long-term data collection for strategic objectives. The NCSC 2023 Annual Review confirms state actors are conducting data theft campaigns "for exploitation in years to come." These are official government assessments, not vendor warnings. Boards respond to named, primary sources. Use them. For the full treatment of HNDL mechanics and evidence, see our detailed analysis of the HNDL threat.
The regulatory mandate, specific to the organisation. Generic regulatory framing ("there are emerging regulations") does not give a board a decision point. The regulatory citations need to be specific to the organisation's jurisdictions and sector. DORA (Regulation (EU) 2022/2554), in force since January 2025, applies to EU banks, insurers, investment firms, payment institutions, and their critical ICT third-party providers. Its ICT risk management obligations (Art. 6-10) encompass quantum-vulnerable cryptography as a categorisable vulnerability. NIS2 (Directive 2022/2555) covers EU critical infrastructure operators. NSM-10 (National Security Memorandum 10, US Executive Office, May 2022) mandates PQC transition for US executive branch contractors. NIST IR 8547 (November 2024) sets the deprecation timeline: RSA and ECDSA deprecated for new US federal systems after 2030; disallowed entirely after 2035. For US-listed companies, the SEC's cybersecurity disclosure rule (July 2023, effective December 2023) requires disclosure of material cybersecurity risks, and quantum-vulnerable cryptography qualifies as a material risk under the rule's "known trends or uncertainties" obligation for organisations that have identified the exposure.
The cost of acting now versus later. A planned PQC migration programme has a defined scope, timeline, and budget. An unplanned emergency migration triggered by a regulatory enforcement deadline or a hardware capability announcement is, on every comparable IT migration precedent, substantially more expensive. The specific figure should reflect the organisation's own estimates; the general principle is established by documented patterns in comparable large-scale cryptographic transitions. Critically: a cryptographic inventory and migration programme beginning in 2026 can conclude before the 2030 NIST IR 8547 deadline with margin. Beginning in 2028 does not leave that margin.
The specific ask. This is where most board briefings are vague when they need to be precise. See the following section.
What the Board Actually Needs to Approve
A PQC migration programme requires four board-level approvals. Security teams cannot authorise these unilaterally, which is why the board is the right audience for this briefing. Not as a courtesy, but because the mandate structure requires it.
Budget for cryptographic inventory discovery. This is the first phase: cataloguing all cryptographic assets across the organisation, including algorithms in use, key management systems, certificates, protocols, and their locations in the stack. Most boards do not know this catalogue does not already exist. For a large enterprise, this phase typically takes 6-18 months. Nothing else can begin without it. NIST NCCoE SP 1800-38 provides the methodology and phasing structure.
Resource mandate for a cross-functional steering committee. PQC migration spans IT, security, legal and compliance, procurement, and business continuity. A security team acting alone cannot coordinate across these functions with the authority the programme requires. The steering committee mandate must come from the board or executive committee.
Quantum risk added to the standing risk register. This is an ongoing governance obligation, not a one-time project. Once the risk is registered, it must be tracked with specific metrics: cryptographic inventory completion percentage, migration milestone progress, third-party readiness assessments completed.
Vendor and third-party due diligence mandate. Critical ICT third-party providers (cloud providers, payment processors, messaging networks) carry their own quantum-vulnerable cryptographic exposure. The organisation's migration programme cannot close the exposure created by suppliers who have not migrated. For DORA-regulated institutions, this is an explicit Article 28 obligation. For all organisations, it is operationally necessary.
Before the briefing, run QSECDEF's Quantum Threat Exposure Assessment to establish an organisation-specific exposure baseline. The output quantifies estimated data at risk by category, regulatory obligations by jurisdiction, and migration priority score: the kind of organisation-specific evidence that converts a conceptual briefing into a decision boards can act on.
The Three Reasons Briefings Fail
Recognising these patterns in a draft briefing is worth the time before presenting.
Technical depth before context. Explaining Shor's algorithm before establishing why the board should care about it inverts the structure. The board's question is not "how does quantum computing work?" It is: "what is the risk to this organisation and what do we need to approve?" Start with the answer to that question. The technical mechanism is supporting evidence, not the argument.
Vague timelines. "Quantum computers could break encryption within a decade" gives a board no decision point. A decade is long enough to defer comfortably. The Mosca inequality (Mosca, IEEE Security & Privacy, 2018) makes the timeline concrete: for an organisation with a three-year migration programme protecting data with a 10-year confidentiality requirement, the risk window opens the moment migration begins. For data already generated and potentially intercepted, the window opened before migration started. Attach a specific decision: "To complete cryptographic inventory before the 2030 NIST IR 8547 deprecation milestone, we need board approval of the inventory budget by Q3 2026."
No quantification. Quantum risk presented as qualitatively "significant" or "severe" without connecting to financial exposure leaves the board without the information they need to prioritise it against competing investment proposals. What is the potential regulatory fine for DORA non-compliance? What percentage of the organisation's data holdings carry a confidentiality requirement of 10 years or longer? What is the estimated cost differential between planned and emergency migration? These are numbers a CISO can prepare. They are the numbers that convert a risk discussion into a budget decision.
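The inventory and risk-register metrics described under the four approvals, and the Mosca timeline and quantification points above, can be reduced to a small triage model. Mosca's inequality states that data is exposed when x + y > z, where x is how long the data must stay confidential, y is how long migration takes, and z is the time until a cryptographically relevant quantum computer exists. The following is an added worked example, not code from the article or from QSECDEF: the asset records are constructed, the three-year migration duration and seven-year CRQC horizon are illustrative assumptions rather than predictions, and the algorithm groupings reflect the public understanding of what Shor's and Grover's algorithms affect. It classifies each inventoried asset, applies the inequality, and emits the completion, vulnerability and HNDL-exposure figures a risk register would track, plus the 2026-versus-2028 start margin against the 2030 milestone.

```python
"""Cryptographic inventory triage using Mosca's inequality.

Constructed example: the asset records below are invented, and the migration
duration and CRQC planning horizon are illustrative assumptions, not
predictions or figures taken from the article.
"""
from dataclasses import dataclass

# Algorithm families grouped by how known quantum algorithms affect them.
# Shor's algorithm breaks the public-key families outright; Grover's search
# halves the effective key length of symmetric ciphers; the FIPS 203/204/205
# families were standardised as post-quantum replacements.
SHOR_BREAKABLE = {"RSA", "DSA", "ECDSA", "EdDSA", "ECDH", "DH"}
POST_QUANTUM = {"ML-KEM", "ML-DSA", "SLH-DSA"}
GROVER_WEAKENED = {"AES-128", "3DES"}
SYMMETRIC_STRONG = {"AES-256"}


@dataclass
class Asset:
    name: str
    algorithm: str              # algorithm protecting the data, "UNKNOWN" if not yet inventoried
    confidentiality_years: int  # x: how long the data must remain secret
    captured_in_transit: bool   # data crosses links where an adversary could record it (HNDL)


def classify(algorithm: str) -> str:
    """Map an algorithm name to its quantum-risk class."""
    if algorithm in POST_QUANTUM or algorithm in SYMMETRIC_STRONG:
        return "quantum-safe"
    if algorithm in SHOR_BREAKABLE:
        return "quantum-vulnerable"
    if algorithm in GROVER_WEAKENED:
        return "grover-weakened"
    return "unknown"


def mosca_margin(x: int, y: int, z: int) -> int:
    """Mosca's inequality: data is at risk when x + y > z, i.e. when the margin
    z - (x + y) is negative. x = confidentiality lifetime, y = migration
    duration, z = years until a CRQC is assumed to exist."""
    return z - (x + y)


def start_margin(start_year: int, deadline_year: int, migration_years: int) -> int:
    """Years of slack between finishing a migration begun in start_year and a
    fixed deadline such as the NIST IR 8547 2030 deprecation milestone."""
    return deadline_year - (start_year + migration_years)


def triage(assets, migration_years, crqc_horizon_years):
    """Produce risk-register metrics and a prioritised migration backlog."""
    known = [a for a in assets if classify(a.algorithm) != "unknown"]
    vulnerable = [a for a in known if classify(a.algorithm) == "quantum-vulnerable"]
    backlog = []
    for a in vulnerable:
        margin = mosca_margin(a.confidentiality_years, migration_years, crqc_horizon_years)
        if margin < 0:  # inequality violated: exposure window already open
            backlog.append((margin, a.captured_in_transit, a.name))
    # Most negative margin first; among equals, data exposed on the wire first.
    backlog.sort(key=lambda t: (t[0], not t[1], t[2]))
    return {
        "inventory_completion": len(known) / len(assets),
        "vulnerable_share": len(vulnerable) / len(known) if known else 0.0,
        "hndl_exposed_now": sum(1 for _, wire, _ in backlog if wire),
        "inventory_gaps": [a.name for a in assets if classify(a.algorithm) == "unknown"],
        "backlog": [name for _, _, name in backlog],
    }


# Constructed inventory (invented systems, not from any real organisation).
SAMPLE_ASSETS = [
    Asset("customer-records-tls", "ECDH", 10, True),
    Asset("payments-api-tls", "ECDH", 2, True),
    Asset("archive-backups", "AES-256", 25, False),
    Asset("legacy-mainframe-link", "UNKNOWN", 15, True),
    Asset("internal-pki-root", "ML-DSA", 10, False),
    Asset("contracts-store", "RSA", 12, False),
    Asset("branch-vpn", "AES-128", 5, True),
]

# Assumed planning parameters: a three-year programme and a seven-year CRQC horizon.
MIGRATION_YEARS = 3
CRQC_HORIZON_YEARS = 7

if __name__ == "__main__":
    report = triage(SAMPLE_ASSETS, MIGRATION_YEARS, CRQC_HORIZON_YEARS)
    for key, value in report.items():
        print(f"{key}: {value}")
    for start in (2026, 2028):
        print(f"start {start}: margin to 2030 = {start_margin(start, 2030, MIGRATION_YEARS)} years")
```

On the constructed inventory, the record with no known algorithm is reported as an inventory gap rather than silently counted as safe, which is the reason the completion percentage is tracked separately from the vulnerable share; and the asset with a 12-year confidentiality requirement ranks ahead of the one with 10 years even though it never leaves the data centre, because the model ranks by how far the inequality is violated first and by in-transit exposure second.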
Handling the Four Objections
"Quantum computers that can break encryption don't exist yet." Correct. The HNDL attack's collection phase does not require one. Data collected now is at risk when a CRQC arrives. The lead time for PQC migration in a large organisation is 3-7 years. Starting now is not early. It is on schedule for the 2030-2035 regulatory and risk window.
"Our technology vendors will handle this." Partially. Cloud providers and major software vendors are deploying PQC for their own infrastructure. What they are not doing: cataloguing the organisation's cryptographic assets, updating bespoke applications, managing the compliance obligation, or assessing third-party integrations. The vendor landscape handles infrastructure-layer cryptography. The organisation is responsible for its own application layer, archived data, and bespoke system cryptography.
"This is a specialist security topic: why does it need board attention?" Because the investment, timeline, and cross-functional mandate required for a PQC migration programme exceed what a security team can authorise unilaterally. DORA non-compliance is a board-level liability. The SEC disclosure obligation for material cybersecurity risks is a board-level responsibility. The budget and steering committee mandate require board approval. This is precisely the governance structure the board exists to provide.
"We'll deal with this when quantum computers actually arrive." The Mosca inequality shows this logic fails for long-lived sensitive data. A migration programme starting when Q-Day is confirmed gives no margin for organisations that hold data with 10+ year confidentiality requirements, because that data was already at HNDL risk years before migration starts. The NIST IR 8547 2030 deprecation deadline arrives whether or not Q-Day does.
Regulatory Anchors by Sector: Quick Reference
The specific citations to include in a board briefing depend on the organisation's regulatory environment. The following applies by sector and jurisdiction.
US public companies: SEC cybersecurity disclosure rule (July 2023): material risk disclosure obligation. NSM-10 (May 2022) for executive branch contractors. CNSA 2.0 (NSA, September 2022) for defence sector and supply chain. NIST IR 8547 deprecation milestones: RSA and ECDSA deprecated for new federal systems after 2030; disallowed entirely after 2035.
EU financial sector: DORA (Regulation (EU) 2022/2554), in force January 2025. ICT risk management obligations and third-party risk assessment requirements apply. Quantum-vulnerable cryptography is a categorisable ICT vulnerability under DORA Art. 6 and 8.
EU critical infrastructure (non-financial): NIS2 Directive (2022/2555), Art. 21 cybersecurity risk management measures. Quantum risk falls within scope. Transposing member state legislation in force from October 2024.
UK-regulated organisations: NCSC post-quantum cryptography migration guidance (2023). GovAssure framework for UK government suppliers. NCSC CAF (Cyber Assessment Framework) for critical national infrastructure operators.
All sectors globally: NIST IR 8547 (November 2024) provides specific deprecation timelines that function as practical industry deadlines even for non-US organisations, because most enterprise cryptographic stacks are built on NIST-compliant algorithms.
Defining "Quantum Safe" Accurately
Boards often ask this question during the briefing, and the definition matters. "Quantum safe" does not mean unbreakable. No cryptographic system offers unconditional security. It does not mean a one-time fix, as quantum-safe standards will be reviewed as quantum computing advances. It does not mean complete retroactive protection: HNDL risk to already-captured data is not eliminated by migration.
What it does mean: the organisation's cryptographic systems use algorithms assessed to be computationally infeasible to break with known quantum algorithms, including Shor's and Grover's. These are specifically ML-KEM (NIST FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205), all published in August 2024. Post-quantum cryptography runs on classical hardware. It does not require quantum computers to operate. This is current expert consensus, recognised in NIST standards, ETSI specifications (TS 103 744), and national guidance from the NCSC, BSI (Germany, TR-02102-1), and ANSSI (France, 2022 quantum security recommendations).
PQC migration is not moving from one set of locks to another. It is replacing locks that a predictably arriving master key will open with locks that the same master key cannot.
QSECDEF members receive access to practitioner-level guides on ML-KEM implementation, regulatory mapping by jurisdiction, and board briefing templates, updated as standards evolve. Membership details and resources are available here.