Post-Quantum Cryptography: Beyond The CISO's Responsibility

Forbes

15-07-2025

Antonio Sanchez is Chief Strategy Officer at Quantum Xchange, a post-quantum crypto-agility solution provider.
The quantum computing revolution is an imminent reality that will fundamentally alter the cybersecurity landscape. As quantum computers reach sufficient scale, they will render today's cryptographic defenses obsolete, exposing decades of encrypted data to potential compromise.
This isn't just about protecting against known threats; it's about building resilient infrastructure that can withstand whatever advanced capabilities emerge from the quantum age. Organizations must act now to safeguard their most sensitive data against threats that don't yet exist but inevitably will. Data protection policy is typically owned by the chief information security officer (CISO), but the responsibility for migrating to post-quantum cryptography (PQC) extends far beyond the security department. This is a digital transformation initiative that requires coordinated leadership across all technology domains.
Every Department Gets Affected
A common misconception is that PQC is a cybersecurity concern. This comes from a view that encryption is an isolated security layer. Cryptography is the invisible foundation supporting virtually every digital business process. Consider some of the systems at risk for a given enterprise:
• Customer Relationship Management (CRM): Your sales teams rely on CRM platforms that encrypt customer data, communications and transaction histories. These systems hold years, if not decades of customer intelligence, which will become vulnerable. The CTO or vice president of sales typically owns CRM decisions, making them critical stakeholders.
• Enterprise Resource Planning (ERP): Financial data, supply chain information and operational metrics flow through ERP systems protected by current encryption standards. The CFO and COO, who traditionally govern ERP investments, must now factor quantum resilience into their technology decisions.
• Collaboration And Communication Tools: From Microsoft Teams to Slack, the platforms enabling remote work and digital collaboration rely on encryption protocols that will soon be vulnerable to quantum attacks. The decision-makers for these tools are typically CIOs or department heads. They must now evaluate quantum readiness alongside traditional features like user experience and integration capabilities.
• Payroll And Human Resources: Employee personal information, salary data and performance records stored in HR systems represent attractive targets for criminal actors. CHRO and finance leaders overseeing these systems cannot delegate quantum preparedness to the security team alone.
The Cross-Functional Challenge
The complexity of PQC implementation requires expertise that spans multiple domains. While CISOs understand the threat landscape and risk implications, they often lack the operational knowledge to assess quantum readiness across diverse business applications. Meanwhile, department leaders who understand their systems' business requirements may not grasp the cryptographic technical details.
This knowledge gap creates a dangerous blind spot. A business leader might select a new cloud platform based on performance and cost considerations without evaluating its quantum-cryptography road map. An operations leader might upgrade manufacturing systems without considering their encryption capabilities. These decisions, made in isolation from security considerations, can create long-term vulnerabilities that become exponentially more expensive to address later.
Existing Investments
Your organization has invested millions of dollars in the technology stack that runs the business. A complete rip-and-replace approach is not realistic as it would severely strain budgets, cause operational interruption and require extensive retraining. There are also some legacy applications that are so critical to the organization that they can't be replaced or upgraded.
A nuanced strategy is needed that maximizes investments while transitioning to quantum resilience. Each department stakeholder must work with their current vendors to understand upgrade paths, feature enhancements that strengthen current encryption and which systems were never designed to be upgradable. Many of the vendors are already developing cryptographic updates that can be deployed as patches, but it still requires proactive engagement from business leaders to ensure these patches go through the patching process and are not overlooked, which often happens due to shifting priorities.
The Strategic Imperative
Migrating to PQC is a digital transformation initiative, which also makes it a business transformation initiative, so it requires commitment across the entire enterprise. The CISO is a crucial contributor as they provide expertise and insights on cyber risk and the threat landscape. However, the success of your quantum transition depends on every technology leader understanding their role in this journey.
Forbes Communications Council is an invitation-only community for executives in successful public relations, media strategy, creative and advertising agencies. Do I qualify?