Beyond PQC: Building adaptive security programs for the unknown

In this Help Net Security interview, Jordan Avnaim, CISO at Entrust, discusses how to communicate the quantum computing threat to executive teams using a risk-based approach. He explains why post-quantum cryptography (PQC) is an urgent and long-term priority.

Avnaim also outlines practical steps CISOs can take to build crypto agility and maintain digital trust.

From your perspective as a CISO, how do you frame the quantum computing threat to executives and the board?

Complexity can be the enemy of communication in cybersecurity. One of the tools I use when communicating to the Board is the acronym ‘KICS’ – Keep It Cybersecurity Simple. This reminds you to avoid technical jargon and speak a language that the board understands, namely, the language of risk.

This approach is crucial when framing the quantum threat. In an already highly technical space, speaking the language of post-quantum cryptography to a non-technical board member could lead to a breakdown in communication. Instead, frame the threat as something where we do not have a countdown clock: unlike previous technological advancements and threats, we can only guess at when a scaled quantum computer will arrive. Even the much-feared ‘Y2K’ had a fixed deadline. ‘Y2Q’, on the other hand, will arrive one day with no forewarning.

When it does, and if we are unprepared for it, there will be an immediate and overpowering vulnerability for all sensitive information, and this will change everything. This approach speaks directly to the board’s language of risk and positions the conversation around what you, as a technical leader, can do to defend against this threat.

Do you see post-quantum cryptography as primarily a long-term risk or a near-term operational challenge?

The lack of a timeline for a post-quantum world means that it doesn’t make sense to consider post-quantum as either a long-term or a short-term risk, but both. Practically, we can prepare for the threat of quantum technology today by deploying post-quantum cryptography to protect identities and sensitive data. This year is crucial for post-quantum preparedness, as organisations are starting to put quantum-safe infrastructure in place, and regulatory bodies are beginning to address the importance of post-quantum cryptography.

Establishing post-quantum cryptography in your organization is not just important in safeguarding against an early arrival of quantum technology; it also protects organisations against a particularly malicious threat: ‘harvest now, decrypt later’. This is where bad actors, either criminals or those acting on behalf of a nation-state, will steal encrypted information today to decrypt it later when quantum computers are available. This means some organisations could have suffered a significant cyber breach, and they don’t even know it yet. Implementing quantum-safe cryptography is the key to preventing this.

As we continue to think in the future, beyond the post-quantum challenges of today, we must recognise there will be new and unprecedented challenges we will face. Undoubtedly, in the post-post-quantum era, there will be threats to post-quantum cryptography that we must anticipate. While implementing the shorter-term solution of post-quantum cryptography solutions to secure enterprise secrets is a necessity, the best organizations will use today's PQC challenges as an opportunity to build agile, adaptive, and responsive organizational security programs that can pivot as necessary to address threats to the enterprise with agility and precision.

What does a realistic post-quantum roadmap look like for CISOs in 2025?

CISOs should take steps now to understand their current cryptographic estate. Many organisations have developed a fragmented cryptographic estate without a unified approach to protecting and managing keys, certificates, and protocols. This lack of visibility opens increased exposure to cybersecurity threats. Understanding this landscape is a prerequisite for migrating safely to post-quantum cryptography.

Another practical step you can take is to prepare your organisation for the impact of quantum computing on public key encryption. This has become more feasible with NIST’s release of quantum-resistant algorithms and the NCSC’s recently announced three-step plan for moving to quantum-safe encryption.

Even if there is no pressing threat to your business, implementing a crypto-agile strategy will also ensure a smooth transition to quantum-resistant algorithms when they become mainstream. By understanding and implementing quantum-safe cryptography where appropriate, organisations can stay ahead of regulatory requirements and technological advancements, ensuring long-term security in an evolving landscape.
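As an added example (not from the interview or from Entrust), a small Go program that does the first step this answer describes: walking a PEM bundle, recording each certificate's public-key algorithm and size, and flagging the classical ones as quantum-vulnerable. The two self-signed certificates it scans are constructed in memory; the hostnames and the Finding type are assumptions for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// Finding is one inventory row; QuantumVulnerable marks public keys Shor's algorithm would break.
type Finding struct{ Subject, PublicKey string; QuantumVulnerable bool }

// classify labels one parsed certificate. Every key type Go's x509 parses today is classical, so all are flagged; the type switch is the hook where PQC key types get added once libraries support them.
func classify(c *x509.Certificate) Finding {
	f := Finding{c.Subject.CommonName, c.PublicKeyAlgorithm.String(), true}
	switch k := c.PublicKey.(type) {
	case *rsa.PublicKey:
		f.PublicKey = fmt.Sprintf("RSA-%d", k.N.BitLen())
	case *ecdsa.PublicKey:
		f.PublicKey = "ECDSA-" + k.Curve.Params().Name
	}
	return f
}

// InventoryPEM returns one Finding per parseable CERTIFICATE block in a PEM bundle (trust store, chain file).
func InventoryPEM(bundle []byte) (out []Finding) {
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if c, err := x509.ParseCertificate(b.Bytes); b.Type == "CERTIFICATE" && err == nil {
			out = append(out, classify(c))
		}
	}
	return out
}

// SampleBundle is constructed input (two self-signed certs) standing in for a real estate's PEM files.
func SampleBundle() []byte {
	mk := func(cn string, pub, priv interface{}) []byte {
		t := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
		t.Subject.CommonName = cn
		der, err := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
		if err != nil { panic(err) }
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	}
	rk, _ := rsa.GenerateKey(rand.Reader, 2048)
	ek, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return append(mk("rsa.example.internal", &rk.PublicKey, rk), mk("ec.example.internal", &ek.PublicKey, ek)...)
}
```

Pointing InventoryPEM at real trust stores and server chain files gives the certificate part of the estate; keys and protocol configurations need their own collectors.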

How can CISOs build “crypto agility” into procurement and architecture without overhauling everything?

Enabling crypto agility requires both a bottom-up and a top-down approach to be successful. That is, we must select and use products and vendors that have the ability to conform to our desired/selected internal crypto standards, and also provide the internal crypto plumbing (secrets management, PKI, etc.) to enable those solutions we procure.

Do you foresee PQC adoption driving wider changes in how CISOs think about digital trust and resilience?

Simply put: The quantum computing threat puts common day digital trust and cyber resilience methods in jeopardy. Adopting PQC is the only way we can ensure we maintain digital trust and resilience in an environment where today’s cryptography is broken in seconds. Without strong PQ resistant crypto algorithms, there is no digital trust or resilience.
