Operational Readiness for Post-Quantum Cryptography: Three Questions Your Board Needs to Ask
When board members interact with the risk function, the primary goal should be to increase their understanding of risk-related business processes and provide relevant guidance when necessary. In the face of the upcoming threat of quantum computing to current encryption processes, the conversation doesn’t need to go into the weeds with a technical explanation of qubits; rather, it should focus on clear guidance for maintaining architectural integrity. “Harvest Now, Decrypt Later” highlights the risk that data encrypted today can be recorded now and decrypted once the current encryption is compromised. The main business risk is not the failure itself, but the speed of recovery.
Here are three questions that board members should ask today to assess operational readiness for post-quantum cryptography.
1. The Inventory Question
Q: “If a vulnerability were discovered in our primary encryption algorithm (e.g., RSA-2048) this afternoon, can you show us an automated, real-time map of exactly which applications, databases, and third-party pipes are using it?”
The Answer You Want:
“Yes. We use an automated discovery tool that scans our code and network traffic. I can pull a report showing every instance of RSA-2048, including shadow IT and legacy systems. We know exactly where the weak points are.”
The Answer You Fear:
“We would need to quickly survey the engineering teams and review our documentation. It could take weeks to fully understand our exposure, though we adhere to industry best practices.”
2. The “Hard-Coding” Question
Q: “To upgrade our encryption, do developers have to rewrite source code and recompile applications, or can we simply update a configuration file?”
The Answer You Want:
“We have abstracted our cryptography. Our apps call a central library or service to handle encryption. We can switch the underlying algorithm in that library — say, from RSA to a NIST-approved quantum-resistant standard — and the apps will inherit the change automatically without a rewrite.”
The Answer You Fear:
“It depends on the application. For our core legacy systems, encryption is deeply embedded in the code. Addressing this would require urgent codebase reviews, comprehensive rewrites, regression testing, and rapid redeployment — all under severe time pressure.”
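As an added illustration (not from the article), here is the shape of the abstraction the “Hard-Coding” answer describes, which also yields the per-algorithm inventory asked for in question 1: every protected artifact carries the identifier of the algorithm that produced it, the active algorithm comes from a policy object rather than application code, and a deprecated algorithm fails closed. Python's standard library has no post-quantum or RSA primitives, so two HMAC variants stand in for the pluggable providers; the names PROVIDERS, POLICY, protect, verify and inventory are assumptions of this example.

```python
import hashlib
import hmac

# Pluggable providers behind one interface. A quantum-resistant algorithm would be
# registered here; the stdlib HMAC variants are stand-ins for this example only.
PROVIDERS = {
    "hmac-sha256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "hmac-sha3-512": lambda key, msg: hmac.new(key, msg, hashlib.sha3_512).digest(),
}

# Central policy: the "configuration file" applications never need a rebuild for.
POLICY = {"default": "hmac-sha256", "deprecated": set()}


def protect(key: bytes, message: bytes, policy: dict = POLICY) -> str:
    """Return "<algorithm-id>:<hex tag>" so each artifact records its own algorithm."""
    alg = policy["default"]
    if alg in policy["deprecated"]:
        raise ValueError(f"policy default {alg!r} is deprecated; update the policy")
    return alg + ":" + PROVIDERS[alg](key, message).hex()


def verify(key: bytes, message: bytes, token: str, policy: dict = POLICY) -> bool:
    """Accept only tokens from a known, non-deprecated algorithm; fail closed otherwise."""
    alg, _, tag_hex = token.partition(":")
    if alg not in PROVIDERS or alg in policy["deprecated"]:
        return False
    expected = PROVIDERS[alg](key, message).hex()
    return hmac.compare_digest(expected, tag_hex)  # constant-time comparison


def inventory(tokens) -> dict:
    """Count artifacts per algorithm id: the data-layer piece of question 1's map."""
    counts = {}
    for token in tokens:
        alg = token.split(":", 1)[0]
        counts[alg] = counts.get(alg, 0) + 1
    return counts


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample value, not a real key
    old = protect(key, b"invoice-42")
    # Migration is a policy change, not a code change: new artifacts use the new
    # algorithm, and once the old one is deprecated its tokens stop verifying.
    migrated = {"default": "hmac-sha3-512", "deprecated": {"hmac-sha256"}}
    new = protect(key, b"invoice-42", migrated)
    print(inventory([old, new]), verify(key, b"invoice-42", old, migrated))
```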
3. The Vendor Dependency Question
Q: “For the 40% of our infrastructure managed by third-party SaaS vendors (CRM, HRIS, Cloud Storage), what are our contractual rights if they refuse to upgrade their encryption standards?”
The Answer You Want:
“We have reviewed our SLAs. We have exit clauses tied to security non-compliance. More importantly, we manage our own keys (BYOK — Bring Your Own Key) for those platforms, so we control the encryption standard even if the data sits on their servers.”
The Answer You Fear:
“We rely on [Big Tech Vendor] to handle security; they are industry leaders, so we expect they will handle the upgrade for us. However, we lack direct control over their cryptographic decisions, which is concerning in urgent scenarios.”
It’s important for board members to work hand in hand with the risk function. Understanding business processes is much more important than trying to understand the underlying technologies.