
Managing the Quantum Threat Horizon


An early-action checklist for GRC practitioners


I started writing on the challenges surrounding post-quantum cryptography in large firms during the course of 2025, and as the matter appears to be gathering momentum, at least in the cybersecurity industry, I think there are a few aspects that need clarifying or emphasizing.

Last year, I was highlighting that the worldwide economy could be heading towards a Y2K moment and I still believe that is the case: In many firms, it is going to be intrinsically difficult to mobilize the interest of senior execs towards a problem that has no clear timeframes and no clear risk pattern, until things solidify and tangible proofs of concept emerge, by which time it will be too late and mad panic will follow.

That is the clearest risk businesses are facing right now: intrinsic business short-termism and the in-built inability of top execs to process known unknowns.

In fact, the PQC challenges are far greater than the Y2K ones ever were:

With Y2K, there was a clear deadline (December 31, 1999), a clear problem (the way date and time had been coded), and also a problem that was shared by the entirety of the IT estate (all computers and network devices using date and time in some way).

The late 90s IT estates shared little in common with their current counterparts: In most large firms, they were either run on-premises by in-house teams or through large-scale outsourcing agreements with IT service providers.

Mobile devices and the Internet were in their infancy with regards to what they have become; the Cloud, as we know it today, did not exist.

In many ways, Y2K programmes were simple linear projects, consisting of inventorying the entire estate and testing every single component one by one; they were resource-intensive and very expensive, but they did run, and a number of problems were found and fixed that might otherwise have disrupted operations.

The estate inventories and process maps created at the time proved to be invaluable to business continuity programmes down the line, in particular in the aftermath of the 9/11 disaster.

The way enterprise IT operations have evolved over the past 25 years places the PQC challenge under a totally different light.

But also, beyond the unavoidable panic movement we are heading towards, there are a few considerable differences with the Y2K situation.

First of all, timeframes are not clear, at least not for now. Experts appear to be looking towards the 2030 horizon for what they call “Q-Day” (the emergence of the first tangible quantum threat to current cryptographic technologies).

The way those threats will materialize is not clear, but they are likely to emerge at the intersection of cybercrime and nation-states, given the technological complexity we anticipate.

They are likely to focus on previously harvested data in a first instance (the “Harvest-Now-Decrypt-Later” scenarios); the way processes protected by legacy encryption mechanisms could be impacted is not clear, but disruption can be expected.

The way Artificial Intelligence will have evolved in the run-up to Q-Day is not clear either, making it impossible to assess how it may help attackers or defenders. What is clear today is that AI is assisting and accelerating quantum research, as it does across a whole range of sectors.

What should GRC practitioners do in large firms in the face of so many “known unknowns”?

  1. First, take it seriously and have it on your threat horizon; it is going to happen, and top execs cannot be trusted to engage properly until something tangible emerges, by which time it will be too late (the defence industry excepted, perhaps). Panic will follow and will hijack your priorities. Be prepared.

  2. If you are a critical national operator, this should already be on your radar and a programme of work should already be in place across your organisation, including the right level of oversight from internal governance bodies; if that’s not the case, it needs urgent action.

  3. If you are processing large volumes of sensitive personal data, be concerned: most privacy regulations (GDPR and the like) regard adherence to security good practices as a fundamental pillar of adequate data protection. The cryptographic protection of sensitive data has always been one of those, as are the need to keep cryptographic algorithms up to date with technological evolutions and the need to maintain an adequate level of threat awareness. This is tightened further in NIS2 and DORA. Failure to address this in the face of quantum threats could be costly with regulators in case of a breach, and maybe even with cyber insurers.

  4. If you handle data that has a long shelf-life, is it possible that sensitive data has already been stolen from you? Are you aware of any recent or past breach? Is your CISO monitoring the dark web for evidence of those types of events? More generally, be aware that a number of actors are likely already collecting encrypted data in transit with a view to decrypting it later. HNDL scenarios will be difficult to avoid in most of those situations, but at least they can be prepared for and factored into tabletop exercises and crisis management rehearsals, should it be necessary.

  5. If this has not started yet, talk to your IT teams and push them to build an inventory of cryptographic resources across the entire estate and its supply chain. The first question senior execs will ask is likely to be “where do we use encryption?”; if that cannot be answered, it will be hard to set anything in motion. But don’t expect miracles: your IT people are not likely to have such an inventory already in place, and they will see this as a considerable extra task and as an imposition, for which they will ask for more resources, as IT people always do; resources they are not likely to get until senior execs engage with the topic. This type of “chicken-and-egg” debate, and the internal political games that will follow, are likely to be the most obvious early roadblocks in many large firms.

  6. Yet, a solid inventory of the way cryptography is used across the IT estate and its supply chain has to be the first port of call: only on that basis will the firm be able to address the questions that follow: How long will it take us to migrate to PQC technologies? How much will it cost? How are we going to govern competing priorities throughout the migration process, and at which level in the organization? What about legacy platforms that we won’t be able to upgrade? Those are the next real, tangible issues.
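To make the inventory question concrete, here is an added example (not from the article or from Corix Partners) of how a GRC team might triage such an inventory once it exists: each record carries the algorithm, how long the protected data must stay confidential, the estimated migration time for that system, and whether its traffic is observable in transit, and the script ranks entries against the 2030 horizon quoted above. The “shelf life and migration time beyond Q-Day” test, the list of quantum-vulnerable algorithm families and the sample records are my assumptions, not the author’s.

```python
from dataclasses import dataclass

Q_DAY_YEAR = 2030          # horizon the article quotes; a planning assumption, not a fact

# Public-key schemes built on factoring or discrete logs are the ones a large
# quantum computer breaks outright; symmetric ciphers and hashes only lose margin.
QUANTUM_BROKEN = {"RSA", "ECDSA", "ECDH", "DH", "DSA", "ED25519", "X25519"}

@dataclass
class CryptoUse:
    system: str
    algorithm: str               # e.g. "RSA-2048", "ECDH-P256", "AES-128"
    shelf_life_years: int        # how long the protected data must stay confidential
    migration_years: float       # estimated effort to move this system to PQC
    observable_in_transit: bool  # traffic a third party could record today (HNDL)

def classify(use: CryptoUse, now: int = 2026) -> dict:
    """Assign a remediation priority to one inventory entry."""
    family = use.algorithm.split("-")[0].upper()
    broken = family in QUANTUM_BROKEN
    secret_past_qday = now + use.shelf_life_years > Q_DAY_YEAR
    migration_too_slow = now + use.migration_years > Q_DAY_YEAR
    if broken and use.observable_in_transit and secret_past_qday:
        priority = "P1 HNDL"      # data recorded today can be read before it expires
    elif broken and secret_past_qday and migration_too_slow:
        priority = "P2 late"      # migration cannot finish in time; needs escalation
    elif broken:
        priority = "P3 plan"      # must migrate, but time still allows a planned approach
    else:
        priority = "P4 review"    # symmetric/hash: check key and digest sizes only
    return {"system": use.system, "algorithm": use.algorithm, "priority": priority}

def prioritise(inventory: list[CryptoUse], now: int = 2026) -> list[dict]:
    """Return the inventory triaged and sorted, most urgent first."""
    return sorted((classify(u, now) for u in inventory), key=lambda r: r["priority"])

# Constructed sample inventory (not real systems): the kind of records a first
# crypto inventory pass across the estate and its suppliers would produce.
SAMPLE = [
    CryptoUse("customer-portal TLS", "ECDH-P256", 10, 1.5, True),
    CryptoUse("HR records at rest", "AES-256", 30, 0.5, False),
    CryptoUse("payments mainframe", "RSA-2048", 7, 6.0, False),
    CryptoUse("build signing", "ECDSA-P256", 1, 2.0, False),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE):
        print(f'{row["priority"]:10} {row["system"]:22} {row["algorithm"]}')
```

The output is a ranked list that answers the “where do we use encryption, and what has to move first?” question in a form senior execs and vendor risk teams can act on.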

  7. Mandating quantum-resistant cryptography for all new projects should be an imperative from now on; standards and products have started to emerge and this is achievable; it should be seen as an urgent and easy quick-win in firms where governance models are in place to act at this level. Think evolution, not revolution.

  8. Equally important is to include some form of quantum-readiness assessment in vendor risk assessments or periodic re-assessments; that is also something that should be seen as urgent and as a quick-win, again where governance allows, and something every vendor risk or procurement team should be able to accommodate easily.


Overall, waiting for certainty would be a mistake. By the time a clear threat materialises, the scale of the remediation effort required across complex IT estates, supply chains and governance structures will make rapid action impossible.

As with many strategic risks, the organisations that will fare best are not necessarily those with the greatest technical capabilities, but those that begin preparing early, building awareness, inventories, governance mechanisms and cryptographic agility long before panic sets in.

The quantum transition may still be years away, but the window to prepare for it is already open.


JC Gaillard

Founder & CEO

Corix Partners
