The ABCs and GRCs of Post-Quantum Cryptography

Chris Basener CEO

Expert lecture

About Chris Basener

Chris is an Information Security Management professional with over 20 years of experience in consulting and project leadership. He specializes in helping Boards, C-Suites, and SMBs align cybersecurity strategy with business objectives — mitigating enterprise, legal, and reputational risk while driving profitability.

His expertise spans GRC, enterprise risk assessment, and building risk-aware cultures through targeted training and long-term maturity programs. Recently, Chris expanded his focus to quantum-safe security, completing MIT xPRO’s “Quantum Computing: Strategy and Impact” and earning QSECDEF’s “Introduction to Quantum Cyber Security” certification, as well as ISACA’s AAISM credential.

A former Director of Security for PMINYC, Chris combines strategic insight with hands-on execution. Outside work, he enjoys family time, reading, lacrosse, and volunteering as a first responder and ocean rescue lifeguard.

Full Article

Chris reframes post-quantum cryptography (PQC) not as a cryptographic curiosity, but as a governance and enterprise resilience issue.

Why PQC Matters Now

Most organisations acknowledge the need to prepare for PQC, yet policies, roadmaps, and execution are frequently absent. Chris, a leading voice in Governance, Risk, and Compliance (GRC), argues that the core problem is not mathematics but governance: a looming control and accountability gap created by quantum disruption.

What PQC Is

PQC is the next generation of cryptography designed to remain secure against both classical and known quantum attacks. This is not speculative. It is a documented and quantifiable risk that should be incorporated into current enterprise risk management.

The GRC Landscape

Regulatory and standards activity is accelerating worldwide.

United States

  • NIST Cybersecurity Framework

  • NIST SP 800-53

  • Quantum Computing Cybersecurity Preparedness Act

  • National Security Memorandum 10

  • CISA PQC initiative

  • IETF standardisation work

Europe

  • ETSI

  • ENISA

  • GDPR - while not prescribing algorithms, it requires effective safeguarding of personal data, implying PQC readiness

Comparable initiatives are under way in the UK, Canada, Australia, Singapore, China, and others.

Roadmaps and Architecture

No roadmap means no readiness. Hybrid models - in which classical and post-quantum algorithms operate side by side - are already practical. Waiting for a perfect, static standard is a risk, not a strategy.

Enterprise Impact

A PQC programme affects almost every function:

  • Information security

  • Cryptographic governance

  • Lifecycle management

  • Data classification

  • Third-party risk

  • Change and configuration management

  • Internal and external audit

PQC is not a cure for weak access control or poor segmentation, but neglecting it invites long-term, hard-to-detect compromise.

Risk Is Present Tense

Adversaries can harvest encrypted data today and decrypt it later. If data has a multi-year retention value, it is already at risk. Mosca’s theorem is a useful test: if data lifespan plus migration time exceeds the expected time to cryptographically relevant quantum computers, you face material risk.

Standards, Compliance, and Agility

Standards such as FIPS 203-205, PCI DSS, and ISO 27001 are beginning to address PQC. Expect PQC readiness to become a compliance baseline. A cryptographic bill of materials (CBOM) - a live inventory of all cryptographic assets - is essential. Manual inventories are brittle and quickly obsolete. Automated, near real-time CBOMs are the practical minimum.
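
Mosca's test from "Risk Is Present Tense", applied across a small CBOM-style inventory to rank what to migrate first. This is an added example, not material from the lecture: the asset names, lifespans, migration estimates, and years-to-CRQC figures are constructed assumptions, and counting a hybrid entry as protected is a simplification.

```python
from dataclasses import dataclass

# Public-key families breakable by Shor's algorithm on a CRQC.
QUANTUM_VULNERABLE = ("RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519")
# Algorithm names standardised in FIPS 203, 204 and 205.
PQC_STANDARDISED = ("ML-KEM", "ML-DSA", "SLH-DSA")

@dataclass
class CryptoAsset:
    name: str
    algorithm: str              # as recorded in the CBOM, e.g. "RSA-2048"
    data_lifespan_years: float  # how long the protected data must stay secure
    migration_years: float      # estimated time to move this asset to PQC

def is_quantum_vulnerable(algorithm: str) -> bool:
    """True if the entry uses a Shor-breakable algorithm and has no PQC component."""
    parts = [p.strip() for p in algorithm.upper().split("+")]
    if any(p.startswith(PQC_STANDARDISED) for p in parts):
        return False  # assumption: a hybrid with a PQC component counts as protected
    return any(p.startswith(QUANTUM_VULNERABLE) for p in parts)

def mosca_margin(asset: CryptoAsset, years_to_crqc: float) -> float:
    """Lifespan + migration time - time to CRQC; positive means material risk."""
    return asset.data_lifespan_years + asset.migration_years - years_to_crqc

def prioritise(inventory, years_to_crqc):
    """Quantum-vulnerable assets that fail Mosca's test, worst margin first."""
    exposed = [(mosca_margin(a, years_to_crqc), a.name) for a in inventory
               if is_quantum_vulnerable(a.algorithm)
               and mosca_margin(a, years_to_crqc) > 0]
    return sorted(exposed, reverse=True)

# Constructed sample inventory (hypothetical assets and estimates).
INVENTORY = [
    CryptoAsset("patient-records-archive", "RSA-2048", 25, 4),
    CryptoAsset("vpn-gateway", "ECDH-P256", 7, 2),
    CryptoAsset("code-signing", "ECDSA-P384", 8, 3),
    CryptoAsset("session-tls-edge", "X25519+ML-KEM-768", 1, 1),
    CryptoAsset("backup-encryption", "AES-256-GCM", 10, 3),
]

if __name__ == "__main__":
    for years_to_crqc in (10, 15):  # planning assumptions, not forecasts
        print(years_to_crqc, prioritise(INVENTORY, years_to_crqc))
```

Running the ranking under more than one years-to-CRQC assumption shows which assets stay exposed even on an optimistic timeline.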

Delivery Model

Traditional delivery methods struggle with PQC transitions. Programmes must span legacy estates, cloud platforms, and multiple jurisdictions. Chris proposes a tailored model for cryptographic overhaul that prioritises dependency mapping, agility, and staged risk reduction.

Assurance and Validation

Do not rely solely on vendor claims of PQC safety. Independent validation is required. Begin penetration testing now to reflect current collection threats. Insurers and lenders are still maturing their PQC clauses, so present clear risk-treatment plans and avoid overconfidence in any single algorithm or supplier.

Practical Principles

  • Design for cryptographic agility - systems must support timely algorithm and parameter swaps

  • Deploy hybrid cryptography where feasible - classical and PQC in tandem

  • Use defence in depth - do not rely on cryptography alone

Conclusion

Perfect certainty will not arrive, but real risk is already here. The quantum timeline is advancing, regardless of readiness. Act now, refine as standards and implementations evolve.

Market Classification

Primary market
Quantum-safe security / Post-Quantum Cryptography (PQC)

Sub-markets and adjacent domains

  • Data protection

  • Cryptographic lifecycle management

  • Governance, Risk, and Compliance (GRC)

  • Zero trust architectures

  • Cloud security

Competitor categories

  • Quantum-resistant encryption vendors

  • Cryptographic inventory and CBOM tooling

  • Penetration testing firms specialising in PQC

  • Risk management and GRC consultancies

Market outlook
Rapid growth through and beyond 2025 as regulatory timelines firm. Early adopters gain supply chain trust and compliance leadership.

Demand drivers

  • Regulatory pressure from NIST, ISO, and GDPR

  • Awareness of harvest-now-decrypt-later threats

  • Board and investor accountability for cyber resilience

  • Vendor assurance and digital trust requirements

  • Long-retention data across finance, defence, and health sectors

Organisation

As a successful Information Security Management Professional with years of experience in consulting and project management, including healthcare and financial services, I work with Boards of Directors and C-Suites to navigate an information security strategy consistent with business goals to mitigate risk and increase profitability.

Frequently Asked Questions

What is the lecture "The ABCs and GRCs of Post-Quantum Cryptography"?
This presentation by Chris Basener at the Quantum Security Defence World Symposium covers key concepts, challenges, and developments in quantum cyber security.

What is quantum cyber security?
Quantum cyber security applies quantum mechanical principles to protect digital communications and data. It covers quantum key distribution, post-quantum cryptography, and quantum-safe network design.
