Cyber Security

Luke Hally

PQC Transition is a leadership challenge

February 22, 2026

Background

One of the defining strategic challenges in contemporary cyber security is the emergence of cryptographically relevant quantum computers (CRQCs), an event known as Q-Day (Chong, 2025). Once developed, they will break the traditional asymmetric cryptography which provides the basis for secure communication (CSIRO, 2025, p. ii). This creates risks for the future: systems will be vulnerable once CRQCs arrive. More urgent is the risk that sensitive data in transit today is exposed to harvest-now, decrypt-later (HNDL, pronounced “handle”) collection. HNDL is when data is collected today (Harvest Now) to be decrypted when a CRQC arrives (Decrypt Later) (ASD, 2025a; Canadian Centre for Cyber Security, 2025). This is especially concerning for data with long confidentiality lifetimes.

Fortunately, this has been a known challenge since the early 1990s, and there has been active collaboration since the mid-2010s to meet it. In 2015, the U.S. National Security Agency (NSA) publicly warned of the need to transition to Post-Quantum Cryptography (PQC) algorithms. In 2017, the U.S. National Institute of Standards and Technology (NIST) began work to select new quantum-resistant public-key algorithms for PQC standardisation (LaMacchia, 2021, p. 29). The result has been the NIST standardisation of PQC algorithms (NIST, 2025b), of which the Australian Signals Directorate (ASD) has endorsed two (ASD, 2025c, pp. 199-200).

PQC algorithms can run on “conventional computers” and are “interoperable with existing communication protocols, software, and networks” (Canadian Centre for Cyber Security, 2025). To aid the transition to these algorithms, the ASD has provided a timeline (see Appendix A) along with a framework for PQC transition (LATICE, see Appendix B) as well as recommended reading from other government agencies, industry bodies and coalitions (ASD, 2025a). LATICE makes explicit that transition is not an implementation event but a lifecycle. It guards against the instinct to migrate the cryptography we know and instead anchors action in planning and awareness.

The Need For A Leadership Perspective

Despite the aforementioned guidance from the ASD, there is a challenge to overcome: the traditional IT-cybersecurity pressure to deliver or implement something quickly. This challenge is not surprising to anyone who has worked in tech, where decisions are often handed to practitioners who lack organisational and strategic visibility and who focus on implementation and operational impacts. This is not a criticism of practitioners; they are focused where their attention belongs. However, it is a call for greater vertical alignment of decision making within organisations, because cryptographic decisions made at implementation level can outlive the systems they were intended to protect.

This post brings together and deepens a recent LinkedIn series I shared. It will argue that PQC transition is a strategic challenge which requires senior leadership with an organisation-wide remit. We’ll explore this through the following topics, before concluding with thoughts for next steps:

  • PQC: A leadership responsibility
  • Planning: A leadership control
  • Cryptographic visibility: A decision quality enabler
  • Cryptographic agility: Preparing for uncertainty

PQC: A leadership responsibility

Quantum computing elevates cryptography from a technical detail to a strategic risk. As mentioned previously, the issue is not when quantum computers become operational; HNDL makes them a risk to confidentiality now. The issue for leaders is whether the decisions regarding cryptography being made today will remain defensible in the future. In that sense, PQC is less about cryptography itself and more about long-term risk, accountability, and decision-making under uncertainty.

Through this lens, PQC transition is an organisational capability challenge. That shift has already been recognised by bodies such as the Australian Signals Directorate and the Australian Institute of Company Directors, which have highlighted quantum readiness as a leadership and governance concern, emphasising the need for a PQC transition plan and assigning responsibility to executive and senior management (ASD, 2025b). This is supported by the ISM, which mandates the development, implementation and maintenance of a PQC transition plan (ISM-2073) and requires support for ASD-approved post-quantum algorithms in development and new procurements no later than 2030 (ISM-1917). The PSPF similarly requires that quantum risk and the adoption of approved PQC algorithms be considered (PSPF 13.10.2; Requirement 0212).

Considering this, the PQC transition cannot be treated as a narrow technology refresh. It cuts across strategy, policy, risk management, procurement, supply chains, architecture, and operations. In practical terms, it represents a whole-of-organisation change that requires executive ownership and sustained board visibility.

Planning: A leadership control

As mentioned, we don’t need to start from first principles. The ASD has provided recommended transition timelines and developed the LATICE framework (Locate, Assess, Triage, Implement, Communicate, Educate: see Appendix B).

The timeline milestones set by the ASD (ASD, 2025a) are as follows, with more detail in Appendix A:

  • refined transition plans by end-of-2026
  • commencement of transition by end-of-2028
  • completion of transition by end-of-2030.

In environments characterised by uncertainty, transitions without planning can become reactive. One of the most consistent messages across global guidance on PQC is that planning must come first and it must start early (ASD, 2025a; CISA, 2023, p.1; Canada, 2024, p.5; CSIRO, 2025, p. 3; ETSI, 2023, p.12; NCSC, 2025, p. 4; PQCC, 2025, p. 4). This is because the PQC transition is one of the most complex technological challenges organisations have faced (Bizri et al., 2026, p. 3260; CSIRO, 2025, p. 5; LaMacchia, 2021, p. 29).

At a leadership level, planning for PQC transition plays two important roles: it informs and enhances decision quality, and is a risk-management activity. It maintains optionality, reduces exposure to lock-in and urgency, and improves the quality of future decisions by ensuring that change occurs under governance rather than pressure.

Cryptographic visibility: A decision quality enabler

You can’t govern what you can’t see, and a persistent challenge for organisations is that cryptography has become largely invisible. Over time, as cryptographic mechanisms stabilised, they were embedded across systems, platforms, integrations, and supply chains, often without explicit documentation or ongoing oversight (CSIRO, 2025, p. 6).

For PQC, this lack of visibility has real governance implications. Leaders cannot make risk-based decisions, prioritise transition efforts, or hold vendors accountable if they aren’t aware of what cryptography is in use, where it exists or who owns it. This is compounded by cryptographic risk that is inherited through an organisation’s supply chain (Näther et al., 2024, p. 132122).

This is where a Cryptographic Bill of Materials (CBOM) becomes important. At governance level, a CBOM is not simply an inventory. It is an assurance artefact, being evidence that the organisation understands its cryptographic footprint and can make informed transition decisions (PQCC, 2024).

Without cryptographic visibility, governance intent remains disconnected from operational reality. With it, operational artefacts become decision inputs, and oversight becomes credible.

Cryptographic agility: Preparing for uncertainty

PQC is not a destination: migrating to quantum-safe algorithms will not be a one-off occurrence. This is because algorithms will evolve, standards will mature, implementations will change and vendors will move at different speeds. Hybrid environments, where classical and post-quantum cryptography coexist, are expected to be temporary, and to lead to a second transition to post-quantum cryptographic algorithms (NIST, 2024, p. 9).

In this environment, the long-term challenge is not just completing the initial transition, but designing for cryptographic agility (LaMacchia, 2021, p. 30). Cryptographic agility is the practice of designing systems so that cryptographic algorithms can be changed without major disruption, through configuration rather than large-scale software or hardware rebuilds (Canadian Centre for Cyber Security, 2022). The objective isn’t speed for its own sake, but enabling resilience as the cryptographic landscape shifts. 

Organisations that treat PQC as a one-off project risk repeating historical patterns of fragmented re-engineering and emergency remediation. Cryptographic agility is about avoiding these repeated cycles of emergency transition, reducing long-term disruption, and ensuring that decisions remain defensible as conditions change (Ahmed et al., 2025, p. 11). It is a strategic capability grounded in governance, planning, and visibility, rather than a capability that can be retrofitted once migration begins.

Conclusion

In this post we have explored PQC transition as a leadership challenge: how governance sets leadership intent, planning sets organisational direction, cryptographic visibility informs decisions and cryptographic agility enables resilience. The real risk in PQC transition is not delay alone, but fragmentation. Where governance is disconnected from operational reality, execution diverges from planning, and change is managed reactively rather than deliberately. When these layers are structurally aligned, leaders are better equipped to maintain decision quality under uncertainty.

Post-quantum transition may mark an important milestone, but cryptographic agility is what sustains confidence as cryptographic change becomes a permanent condition, at least for the foreseeable future. Accepting PQC transition as a leadership challenge means using operational artefacts such as CBOM to inform decision making, and treating tactical capabilities such as cryptographic agility as long-term governance levers. These capabilities enable organisations to adapt to uncertainty and are informed by organisational alignment from strategy through to algorithm cutover.

For leaders, the enduring question is not simply when to act, but whether their approach to transition is structured to translate intent into coherent, defensible action over time.

Appendix A: PQC Transition Timeline

ASD PQC Transition timeline (ASD, 2025a)

Appendix B: LATICE Framework

  • Transition Design Phase: Before formal transition phases begin, a Transition Design Phase establishes ownership, scope and prioritisation criteria.
  • Locate: identify cryptography and inventory the use of traditional asymmetric cryptography.
  • Assess: the value and sensitivity of systems and data protected by traditional asymmetric cryptography.
  • Triage: systems using traditional asymmetric cryptography and prioritise individual systems for transition.
  • Implement: post-quantum cryptographic algorithms throughout systems.
  • Communicate: with vendors and stakeholders.
  • Educate: and train relevant stakeholders on the PQC transition.

ASD LATICE Framework (ASD, 2025a)

Appendix C: ASD Approved Cryptographic Algorithms

Module Lattice Digital Signature Algorithm

The Module Lattice Digital Signature Algorithm (ML-DSA) standard contains three different parameter sets: 

  • ML-DSA-44
  • ML-DSA-65
  • ML-DSA-87. 

The use of ML-DSA-65 and ML-DSA-87 is approved. Beyond 2030 only ML-DSA-87 will be approved (ASD, 2025c, p. 199).

Module Lattice Key Encapsulation Mechanism 

The Module Lattice Key Encapsulation Mechanism (ML-KEM) standard contains three different parameter sets: 

  • ML-KEM-512
  • ML-KEM-768
  • ML-KEM-1024. 

The use of ML-KEM-768 and ML-KEM-1024 is approved. However, only ML-KEM-1024 is approved beyond 2030 (ASD, 2025c, p. 200).
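The approvals above can be applied mechanically to a CBOM-style inventory to produce a triage list. The following is an added example, not code from the ASD or from this post's author; the record shape, the status labels, the list of traditional asymmetric name prefixes and the sample inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Approvals as stated in Appendix C of this page (ASD, 2025c, pp. 199-200).
APPROVED_NOW = {"ML-DSA-65", "ML-DSA-87", "ML-KEM-768", "ML-KEM-1024"}
APPROVED_BEYOND_2030 = {"ML-DSA-87", "ML-KEM-1024"}
# Parameter sets in the standards that Appendix C does not list as approved.
NOT_APPROVED_SETS = {"ML-DSA-44", "ML-KEM-512"}
# Assumption (not from the page): name prefixes treated as traditional asymmetric.
TRADITIONAL_ASYMMETRIC = {"RSA", "DSA", "DH", "ECDSA", "ECDH", "X25519", "ED25519"}

# Lower rank = review first. Labels are hypothetical, chosen for this example.
RANK = {"transition-required": 0, "not-approved": 1,
        "approved-until-2030": 2, "unclassified": 3, "approved": 4}

@dataclass
class CbomEntry:            # hypothetical record shape, not a CBOM standard
    system: str
    owner: Optional[str]    # None = nobody accountable yet
    algorithm: str
    in_use_until: int       # last year the system is expected to rely on it

def classify(entry: CbomEntry) -> str:
    alg = entry.algorithm.upper()
    if alg in APPROVED_BEYOND_2030:
        return "approved"
    if alg in APPROVED_NOW:
        return "approved" if entry.in_use_until <= 2030 else "approved-until-2030"
    if alg in NOT_APPROVED_SETS:
        return "not-approved"
    if alg.split("-")[0] in TRADITIONAL_ASYMMETRIC:
        return "transition-required"
    return "unclassified"   # e.g. symmetric ciphers, which Appendix C does not cover

def triage(cbom):
    """Return (system, status, owner) rows, most urgent first."""
    rows = sorted(cbom, key=lambda e: (RANK[classify(e)], -e.in_use_until))
    return [(e.system, classify(e), e.owner or "UNOWNED") for e in rows]

# Constructed sample inventory.
SAMPLE_CBOM = [
    CbomEntry("api-tls", "platform", "ML-KEM-768", 2029),
    CbomEntry("doc-signing", "records", "ML-DSA-65", 2035),
    CbomEntry("vpn-gateway", "network", "RSA-2048", 2029),
    CbomEntry("firmware-update", None, "ML-DSA-44", 2032),
    CbomEntry("archive-kex", "records", "ML-KEM-1024", 2040),
    CbomEntry("backup-enc", "infra", "AES-256-GCM", 2035),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_CBOM):
        print("%-16s %-20s %s" % row)
```

Entries with no owner surface as `UNOWNED`, which ties the inventory back to the accountability question raised under cryptographic visibility.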

References

Ahmed, N., Zhang, L., & Gangopadhyay, A. (2025, August 22). A survey of post-quantum cryptography support in cryptographic libraries. arXiv.Org. https://arxiv.org/abs/2508.16078

ASD. (2025a, September 20). Planning for post-quantum cryptography. Cyber.Gov.Au. https://www.cyber.gov.au/business-government/secure-design/planning-for-post-quantum-cryptography

ASD. (2025b, October 30). Cyber security priorities for boards of directors 2025-26. Cyber.Gov.Au. https://www.cyber.gov.au/business-government/protecting-business-leaders/cyber-security-for-business-leaders/cyber-security-priorities-for-boards-of-directors-2025-26

ASD. (2025c, December). Information Security Manual. Australian Government. https://www.cyber.gov.au/sites/default/files/2025-12/Information%20security%20manual%20%28December%202025%29.pdf

Bizri, M. E., El-Hajj, A. M., Sliman, L., & Haidar, A. M. (2026). Institutional approaches to post-quantum cryptography: A comparative analysis of migration frameworks. IEEE Access, 14, 3259–3283. https://doi.org/10.1109/access.2025.3650465

Canadian Centre for Cyber Security. (2022, May). Guidance on becoming cryptographically agile – ITSAP.40.018. Canadian Centre for Cyber Security. https://www.cyber.gc.ca/en/guidance/guidance-becoming-cryptographically-agile-itsap40018

Canadian Centre for Cyber Security. (2025). Preparing your organization for the quantum threat to cryptography (ITSAP.00.017). Canadian Centre for Cyber Security. https://www.cyber.gc.ca/en/guidance/preparing-your-organization-quantum-threat-cryptography-itsap00017

Chong, H. (2025, October 24). Prepare your organization for Q day. IBM. https://www.ibm.com/think/insights/prepare-your-organization-for-q-day

CSIRO. (2025, October 28). Quantum Safe Transition: Reality, Hurdles and Pathways. CSIRO. https://www.csiro.au/-/media/D61/Reports/Quantum-safe-transition/Quantum-safe-transition-report.pdf

LaMacchia, B. (2021). The long road ahead to transition to post-quantum cryptography. Communications of the ACM, 65(1), 28–30. https://doi.org/10.1145/3498706

LaMacchia, B., Campagna, M., & Gropp, W. (2024). The Post-Quantum Cryptography Transition: Making Progress, But Still a Long Road Ahead. 2024-2025 CRA Quadrennial Paper.

Näther, C., Herzinger, D., Gazdag, S.-L., Steghöfer, J.-P., Daum, S., & Loebenberger, D. (2024). Migrating software systems toward post-quantum cryptography-a systematic literature review. IEEE Access, 12, 132107–132126. https://doi.org/10.1109/access.2024.3450306

NCSC. (2025, March 20). Timelines for migration to post-quantum cryptography. National Cyber Security Centre. https://www.ncsc.gov.uk/guidance/pqc-migration-timelines

NIST. (2024). Transition to post-quantum cryptography standards. National Institute of Standards and Technology. https://doi.org/10.6028/nist.ir.8547.ipd

NIST. (2025a, June 11). What is post-quantum cryptography? NIST. https://www.nist.gov/cybersecurity/what-post-quantum-cryptography

NIST. (2025b, December 11). Post-quantum cryptography. CSRC. https://csrc.nist.gov/projects/post-quantum-cryptography

PQCC. (2024, October 1). Transitioning to Quantum-Safe Cryptography: Exploring the Role and Value for Developing and Implementing a Cryptographic Bill of Materials. Post Quantum Cryptography Coalition; The Mitre Corporation. https://pqcc.org/transitioning-to-quantum-safe-cryptography-exploring-the-role-and-value-for-developing-and-implementing-a-cryptographic-bill-of-materials/

PQCC. (2025). Post-Quantum Cryptography (PQC) Migration Roadmap. The Post-Quantum Cryptography Coalition; The MITRE Corporation. https://pqcc.org/wp-content/uploads/2025/05/PQC-Migration-Roadmap-PQCC-2.pdf
