Quantum Insights Blog

The Quantum Security Era Has Arrived: Key Insights from the ExeQuantum CISO Roundtable

Written by | Dec 31, 2025 6:11:10 AM

Last week, ExeQuantum convened a group of Australia’s leading CISOs, technologists, and cybersecurity executives for a frank discussion about one of the most urgent security challenges of our time: quantum readiness.

Across government, enterprise, critical infrastructure, health, finance, and education, the consensus was unmistakable:

Quantum security is no longer a technical project. It is a leadership mandate. And readiness must begin now.

Below is a consolidated summary of the most important insights and actions discussed.

1. Quantum Is Not “Future Tech” - The Threat Has Already Started

The panel corrected a key misconception early: quantum becomes a threat not when a large-scale quantum computer is built, but as soon as adversaries begin stealing encrypted data, which they can do today.

This is the well-known Harvest-Now, Decrypt-Later (HNDL) threat.

Long-life data such as medical records, financial history, identity data, IP, and classified information stolen today could be decrypted the moment quantum capability arrives.

Industries at highest near-term risk include:

  • Government and defence
  • Healthcare
  • Financial services
  • Education
  • Identity systems
  • Critical infrastructure

Every organisation must now ask:
Which data, if stolen today, will still matter in 5, 10, or 20 years?
Those systems become the priority for PQC migration.

2. Visibility Is the Biggest Barrier: “You Can’t Protect What You Can’t See”

Most organisations still lack visibility into where cryptography actually lives in their environment.

This is why standards bodies such as ACSC, NIST, NSA and ENISA are urging organisations to begin producing a Cryptographic Bill of Materials (C-BOM).

Where cryptography is typically hidden:

  • Operating systems
  • Network protocols
  • APIs and identity systems
  • IoT and medical devices
  • Backups and storage
  • Messaging platforms
  • Hardware-level crypto
  • Third-party vendor systems

The panel emphasised that AI-assisted discovery will dramatically accelerate this process, cutting work that once took years down to weeks.

3. You Don’t Need to “Fix Everything” - Start Small and Build Momentum

Executives often stall because the scale feels overwhelming.

Key principles:

  • Start with visibility by mapping keys, certificates, algorithms and protocols
  • Prioritise by sensitivity and lifespan
  • Pilot in controlled environments before going live
  • Design for crypto agility instead of one-off upgrades
  • Shorten certificate lifecycles
  • Treat PQC as a business and GRC risk, not an IT task

4. Hardware Is the Hardest and Often the Most Urgent

Software can be updated. Hardware cannot.

High-risk hardware includes:

  • Medical devices
  • OT and ICS systems
  • Telco infrastructure
  • Network appliances
  • Legacy laptops and desktops
  • Consumer devices with embedded crypto

This will drive a global hardware modernisation wave, and organisations with slow refresh cycles are the most exposed.

5. AI and Quantum Will Converge and the Threat Landscape Will Shift

The panel explored the dual-use realities of AI and quantum.

How AI strengthens defenders:

  • Automated C-BOM generation
  • PQC testing
  • Crypto-agile orchestration
  • Faster cryptographic modelling

How AI strengthens adversaries:

  • Accelerated cryptanalysis
  • Differential attack generation
  • Pattern finding against symmetric encryption
  • Industrialised social engineering

Quantum will also enhance AI by enabling faster training, optimisation and pattern detection.

6. Skills, Budgets and Vendors: What Leadership Needs to Know

The skills gap came up repeatedly, but it should not halt progress.

And a crucial reminder:

7. Biometrics, QKD and the Future of Identity

Audience questions highlighted growing interest in next-generation identity.

Biometrics
Useful but increasingly spoofable due to deepfakes.
The future lies in biometrics tied to PQC-backed digital signatures.

Quantum Key Distribution (QKD)
Promising for niche, high-assurance use cases, but limited by distance, specialised hardware and its need for PQC to authenticate.

8. What Organisations Must Do Now

The panel aligned on a clear, practical roadmap:

  • Begin cryptographic discovery with a C-BOM and inventory
  • Update procurement requirements to include PQC and crypto agility
  • Modernise legacy hardware with long refresh cycles
  • Build a crypto-agile architecture
  • Engage boards early and frame this as a resilience priority
  • Run small pilots
  • Align to global standards including NIST, ACSC, NSA CNSA 2.0, ENISA and ISO 23837
  • Plan budgets now as transitions typically take 2 to 5 years

9. The Takeaway: Quantum Security Is Now a Leadership Responsibility

Quantum transformation will impact every sector from hospitals and banks to education and manufacturing.

Leaders who invest early will reduce risk, modernise faster and meet the regulatory requirements already emerging across the United States, European Union, United Kingdom, Singapore and Australia.

Organisations that start now will be the ones ready for what comes next.