Business professional analyzing data on tablet

Quantum readiness conversations inside most organisations tend to start in the wrong place: “when do we need to migrate to post-quantum cryptography?” That is a reasonable eventual question. It is a bad first question, because it assumes an organisation already knows what it has, where it lives, and what it protects. Most don’t.

Before a migration timeline means anything, these five questions need real answers.

1. Where is cryptography actually being used across our environment?

Not “which systems do we think use encryption” — a verified inventory across endpoints, servers, applications, databases, PKI, HSMs, cloud environments and source code repositories. Most organisations have never built this inventory in one place, which means every subsequent answer in this list is a guess until this one is answered properly.

2. Which algorithms protect our critical systems, specifically?

Knowing that TLS is “in use” is not the same as knowing which cipher suites, key lengths, and certificate authorities are protecting which specific business services. Quantum-vulnerable algorithms (RSA, ECC-based systems, among others) are still the default in most environments — the question is which of your critical systems still depend on them, and how critical those systems actually are.

3. Which certificates and keys are nearing end of life?

Certificate expiry is normally handled as an operational nuisance — a renewal ticket, not a strategic decision. Every renewal is also an opportunity: is this the moment to move to a longer key length, or is that decision going to be deferred again for another 12 months, on a system nobody has assessed for quantum exposure?

4. Which systems rely on quantum-vulnerable cryptography, and which of those matter most?

This is where technical findings need to meet business context. A quantum-vulnerable algorithm protecting an internal test environment is a very different priority to the same algorithm protecting long-lived customer data or regulated financial records. Without this mapping, remediation effort gets spent in the wrong order — or not at all, because everything looks equally urgent.

5. Which business services should be prioritised first — and who owns that decision?

Even a perfect inventory doesn’t remediate itself. Someone has to own the prioritisation call, and that call needs to be defensible to the board, not just the security team. This is usually the question that reveals whether an organisation has a quantum readiness programme, or just a quantum readiness slide.

Why these questions, in this order

Each of these questions depends on the one before it. You cannot meaningfully assess exposure (question 4) without an inventory (question 1) and algorithm-level detail (question 2). You cannot prioritise (question 5) without understanding business impact (question 4). Skipping ahead to “what’s our migration timeline” without answering questions one through five doesn’t produce a real plan — it produces a plan built on assumptions.

You can’t prepare for tomorrow if you don’t understand today’s cryptographic exposure.

What good looks like

Organisations that answer all five questions with evidence, not estimation, are in a fundamentally different position than those that haven’t — not because they’ve necessarily migrated anything yet, but because they can now make a defensible, prioritised, resourced decision about what to migrate first and why. That is what quantum readiness actually means in practice: not a completed migration, but the ability to answer these five questions on demand.

This is the discipline Enterprise Cryptographic Exposure Management (ECEM) is built around — read the full whitepaper for a deeper look at the framework, or see how the platform puts it into practice.

Scroll to Top