up:: 00 Field Guide Map
Brief Your Board
Briefing your board on quantum risk is a persuasion job, and you win it by walking in with one dated mandate, two defensible numbers, and a small reversible ask, then walking out with a funded inventory and a return date on the calendar. You already own the decision architecture underneath this. What you need now is the language that survives a room of non-technical people who hold the budget.
The briefing goes wrong two ways. Pitch it as a doom prophecy and the room tunes you out as an alarmist. Hedge every sentence and they defer it another budget cycle. This page threads that gap: the exact order to tell the story, the numbers that carry weight, every pushback answered before it’s asked, and the one-page artifact you leave on the table.
This is the upward-communication layer. The frame you present is yours; the model you build behind it is the engagement. If you want your own decision path first, the exposure, the six phases, the vendor questions, that’s Own Your Quantum Risk. This page is what you do once you have to sell it upward.
The short version:
- The board funds a dated government requirement plus records at risk, not a Q-Day forecast. Authority comes from a mandate with a deadline, not from a doom year you invent.
- Two numbers on the slide: how many sensitive records sit under quantum-vulnerable cryptography, and the earliest date that legally binds you. A speculative dollar figure you can’t defend is worse than no figure.
- Open on the story, close on the ask. Lead with Harvest Now, Decrypt Later and the Venona precedent a board can picture, never the internals of Shor’s algorithm.
- The ask is scoped and reversible: fund a time-boxed inventory and a quantification pass, name an owner, set a return date. That’s a yes a board can give without a fight.
- Leave the credibility-killers off the slide: a hard “Q-Day 2030” stated as certain, “everything is broken today,” and any opening built on the math. Each one gets you dismissed.
The 60-second brief
If you read nothing else, here’s the whole briefing arc at a glance:
- Open on the pattern, not the physics. Harvest Now, Decrypt Later: an adversary records your encrypted data today and reads it once a quantum computer exists. The Venona precedent proves the pattern already happened at national scale.
- Name the one mandate that binds you. A single dated requirement (a federal deadline, a procurement gate, or the EU Cyber Resilience Act) turns the whole thing from opinion into compliance.
- Put two numbers up: records at risk, and the deadline date. Use blast radius to say which systems move first and why.
- Answer “quantum is a decade away” with Mosca’s theorem: you aren’t betting on when the machine arrives, you’re betting on how long your data stays secret plus how long migration takes.
- Make a small, reversible ask, and set the return date. Fund a scoped inventory and a quantification pass, name an owner, and put a date on the calendar to come back with the full program. A win in the room is that budget, that name, that date, nothing vaguer.
What’s the exact order I tell the story in?
The sequence is the persuasion. Told in this order, each step earns the right to the next, and the room stays with you from the hook to the signature. Told out of order, you lose them on the math or land the ask before they feel the stakes.
- The why-now hook (the pattern, dramatized). Start with harvesting, not with quantum mechanics. An adversary is recording your encrypted traffic today to decrypt it the year a capable machine exists, so any record that has to stay secret for a decade is under attack right now. This is the one idea a non-technical director grasps in a single sentence, and it reframes “future problem” as “present decision.” The Venona story is your proof it’s real.
- The one dated mandate. Immediately ground the hook in a requirement with a date and your name on it. One real, dated obligation (CNSA 2.0, OMB M-23-02, EO 14306, or the EU CRA, whichever binds you) beats a list of nine. A government deadline is the opposite of alarmism, and it moves the conversation from “do we believe you” to “how do we comply.”
- Records at risk. Now the scale. State how many sensitive records sit under quantum-vulnerable cryptography, and use blast radius to name which systems fail hardest (“we start with the root certificate authority, because its failure spreads across the whole estate”). This is the number that makes the deadline concrete without a fabricated dollar figure.
- The scoped ask. With the stakes and the deadline established, make the request small enough to approve today: fund a time-boxed inventory and a risk-quantification pass, and name an accountable owner. You’re asking them to fund a diagnosis, not to authorize a rebuild.
- The return date. Close by putting a date on the board’s calendar to come back with the quantified program and a prioritized sequence. This turns a one-time scare into a governed program the board oversees, which is exactly the posture a director wants to be able to show they demanded.
That arc is deliberately front-loaded on story and back-loaded on ask. By the time you request budget, the room has already agreed the risk is real, dated, and measurable, so the ask reads as the obvious next move rather than a cold request for money.
What do I leave off the slide?
More briefings die on what you include than on what you leave out. Each line below reads as authority in a technical review and as crying wolf in a boardroom. Cut it, and say the credible version instead.
| Leave this off | Why it backfires in the room | Say this instead |
|---|---|---|
| A hard “Q-Day is 2030” stated as certain | Invites the board to argue the date instead of funding the fix, and one skeptic with a news article sinks you | A dated regulatory requirement you must meet regardless of the machine’s arrival, plus Mosca’s theorem: your deadline is your data’s secrecy lifetime plus migration time |
| ”Everything is broken today” | It’s false, and a director who knows it’s false discounts everything else you say | Systems aren’t failing today; the clock on your long-lived records is already running because harvesting is live now |
| An opening built on Shor’s algorithm and the math | You lose a non-technical room inside two minutes, and technical depth reads as insecurity, not command | The harvesting pattern told as the Venona story, which a board pictures instantly and can’t argue with |
| A parade of nine mandates | Dilutes urgency into a compliance survey, and no single deadline feels binding | The one mandate that names you, with its earliest gate as a hard date |
| A precise dollar figure you can’t yet defend | A CFO will probe the assumptions, and one shaky input discredits the whole case | Records at risk plus the deadline now, with the quantified dollar model named as the funded next step |
The through-line: your authority is a dated obligation and countable exposure, never a prediction. Sober and dated wins the budget; loud and speculative loses it.
What’s the one number that lands?
Records at risk, paired with the deadline date. A board weighs a countable exposure against a legal clock far more readily than it weighs a speculative loss estimate, because both of those numbers are defensible under questioning and a forecast is not.
Two moves make the number land:
- Count, don’t estimate. “Roughly N sensitive records sit under cryptography a quantum computer will break” is a statement you can source to your own inventory. “$X million in expected loss” invites a fight over every assumption behind it, and you lose the room in the weeds.
- Rank with blast radius, not with algorithm names. Say which systems move first by how far their failure spreads, a root certificate authority, a central identity provider, a code-signing key, so the board hears risk management rather than a technical wish list. Blast radius ranks on how many systems depend on a control, how much privilege it carries, and how far a failure cascades.
The full dollar model, exposure quantified against your actual estate with a defensible method like FAIR, is a specialized exercise. Name it as the output of the funded inventory, not as a number you promise cold. “We’ll return with a quantified loss figure once the scoped inventory is done” is a stronger sentence than any figure you’d invent to fill the silence.
Which mandate do I point to?
The one that names you. Pick a single dated requirement, put its earliest gate on the slide as a hard date, and let that date become your program’s spine. Here are the levers, each verified to its primary source:
| If you… | The one mandate to name | The date that binds you |
|---|---|---|
| Run or sell into U.S. national-security systems | NSA CNSA 2.0 | New NSS acquisitions support CNSA 2.0 by Jan 1, 2027; full transition by 2035 |
| Run U.S. federal civilian systems, or contract to them | OMB M-23-02 with NIST IR 8547 | Prioritized cryptographic inventories to CISA annually since 2023 (first due May 2023 under the Nov 2022 memo); classical public-key disallowed after 2035 |
| Run federal systems that use TLS | Executive Order 14306 | Support TLS 1.3 or a successor no later than Jan 2, 2030 |
| Sell into the EU market | EU Cyber Resilience Act | Reporting obligations (actively exploited vulnerabilities and severe incidents) from Sept 11, 2026; main obligations Dec 11, 2027 |
| Sell to any organization above | Procurement inheritance | Your customer’s earliest gate, often the 2027 CNSA date, becomes your effective deadline |
Sources:
Source: NSA, “CNSA 2.0 FAQ,” media.defense.gov.
Source: OMB M-23-02, “Migrating to Post-Quantum Cryptography,” Nov 18, 2022; NIST IR 8547 ipd (an Initial Public Draft, so treat its years as NIST’s stated intent), csrc.nist.gov.
Source: Executive Order 14306, June 2025, whitehouse.gov.
Source: Cyber Resilience Act, Reg (EU) 2024/2847, eur-lex.europa.eu.
Two things about these dates change how a board hears them. The headline 2035 is the outer wall, and the gates that actually constrain you land far sooner: the CNSA acquisition requirement on Jan 1, 2027, the EU’s vulnerability-handling obligations in 2026. Present 2035 as the deadline you can’t be standing behind, and the nearer gate as the one setting this year’s budget. The full set is mapped in the mandates.
How do I answer “quantum is a decade away”?
You’ll hear this in the room, and it rests on a hidden assumption worth naming out loud: that the risk starts when the machine is announced. It doesn’t. Two rebuttals, in this order, close it cleanly.
- The Mosca reframe. Say it almost verbatim: “We aren’t betting on when the computer arrives. We’re betting on how long our data has to stay secret plus how long migration takes, and for our regulated records that math is already underwater.” Mosca’s theorem (
X + Y > Z, secrecy lifetime plus migration time against time-to-machine) is also your anti-alarmist anchor, because it says plainly that some things are urgent and some can wait, and urgency depends on data lifetime, not on a hyped year. - The harvesting clock. Even a genuine decade of runway on the machine doesn’t buy time on confidentiality, because harvesting is live today. Anything an adversary records now, they read later. So the ten-years-away framing is true about the computer and false about your long-lived data.
Notice what this does. It concedes the director’s point (the machine may well be years out) and shows the point is beside the point. You don’t win by out-predicting the room on quantum timelines. You win by moving the decision off the machine’s calendar and onto your data’s, where the numbers are already against you.
What exactly am I asking them to approve?
A time-boxed cryptographic inventory and a risk-quantification pass, a named executive owner, and a date to return with the full program. That’s the entire ask, and its shape is the reason it gets approved.
A board approves scoped and reversible far more readily than open-ended and irreversible. You’re not asking them to rebuild the cryptography or commit to a multi-year spend. You’re asking them to fund a diagnosis that tells everyone the real size and cost of the program before anyone commits to it. Break it into what you’re actually requesting:
- Budget for a scoped inventory. Time-boxed, aimed at crown-jewel systems, not the whole estate. It answers one question: where is quantum-vulnerable cryptography, and on what data.
- Budget for a quantification pass. The step that turns the inventory into the dollar figure the board will want at the return meeting.
- A named accountable owner. One executive, senior enough to move budget across teams, with this in their actual objectives. Ambiguous ownership is the most common reason a program never starts.
- A return date. A specific board meeting to come back with the quantified program and a prioritized sequence.
Frame the reversibility out loud, because it’s what unlocks the yes: “This funds a diagnosis. It commits us to nothing except knowing where we stand, and we’ll bring the full number and plan back on the date we set.” A scoped, reversible first move is what a board says yes to in the room.
How do I sound urgent without crying wolf?
Anchor every urgent claim to something dated and external, and let the deadline carry the alarm so you don’t have to. A government requirement with a date reads as sober compliance; a doom year you assert reads as panic. The discipline is to source your urgency, never to perform it.
Three habits keep you on the credible side of that line:
- Cite the clock, don’t invent it. “The CNSA acquisition gate is January 1, 2027” is urgent and unarguable. “Q-Day is coming soon” is neither.
- Separate the two clocks honestly. Say plainly that signature forgery needs a real machine and has runway, while harvesting is live today. Volunteering the nuance builds the credibility that makes your urgent claim land, because the room can see you’re not inflating.
- Let the record risk speak. “These records must stay secret for fifteen years, and the migration takes several” states the danger without a single adjective. Naming the feeling deflates it; stating the fact and the deadline lets the board feel it themselves.
What do I hand them to take away?
A one-page memo, or a single slide, they can hold after you leave. The structure below is the whole thing, and you can fill it tonight. Keep it to one page; a board reads a page and skims a deck.
SUBJECT: Post-quantum cryptography, funding a scoped inventory and risk assessment
THE ASK (one sentence)
Fund a time-boxed cryptographic inventory and a risk-quantification pass,
name an accountable owner, and set a date to return with the full program.
THE TWO NUMBERS
- Records at risk: [N sensitive records under quantum-vulnerable cryptography]
- The deadline: [earliest dated gate that binds us, e.g. Jan 1, 2027]
THE MANDATE THAT BINDS US
[one dated regulation: e.g. NSA CNSA 2.0 / OMB M-23-02 / EU CRA]
THE OWNER
[named executive, with this program in their objectives]
THE RETURN DATE
[board meeting date]: return with the quantified program and the
prioritized migration sequence.
WHY THIS ASK IS SAFE
Time-boxed and reversible. We are funding a diagnosis, not committing
to a multi-year rebuild. The full number and plan come back on the date above.
If you want a single slide instead, it carries only five lines: the ask, the two numbers, the mandate, the owner, the return date. Everything else is what you say, not what you show. The starter deck, memo, and board FAQ live in Doing the Work, ready to adapt.
Has a board ever had to fund a fix before the threat was visible?
When a director asks whether harvest-now-decrypt-later is real or science fiction, you have a sourced answer, and it’s the sharpest thing you can put in front of a skeptic. The pattern already ran once, at national scale, and it decided real outcomes.
Lineage: Venona, the harvest that paid off decades later
Starting in 1943, American codebreakers quietly intercepted and stored Soviet diplomatic and intelligence cables. The traffic was protected with one-time pads, mathematically unbreakable when used correctly, so at the moment of collection the messages were genuinely unreadable, and the Soviets treated them as safe forever. Under wartime pressure, though, their pad makers duplicated pages, and a one-time pad reused even once stops being unbreakable. Beginning around 1946, Meredith Gardner and the team on what became the Venona project exploited that reuse and started reading the backlog. The work ran for decades, and the project didn’t formally close until 1980. Decrypts from 1940s traffic went on exposing agents, including the physicist Klaus Fuchs, years after the cables were sent.
That is harvest-now-decrypt-later, exactly. Ciphertext collected when nobody could read it, stored, and decrypted much later once a weakness was found and enough effort applied. Everyone whose name sat in that 1943 traffic assumed the moment of exposure had passed. It hadn’t. The only thing that changes for the quantum era is the weakness: instead of a pad-reuse mistake, it’s a quantum computer solving the math that public-key cryptography rests on.
The board-altitude point is the one a director feels: the people who needed to protect that traffic had to act years before the decryption they were guarding against ever happened, and the ones who assumed “we’ll deal with it when it’s readable” had already lost. That is the decision on your table, on a known deadline, right now.
Source: NSA, “Venona” historical release, nsa.gov; Simon Singh, The Code Book, chapter on Venona.
Used well, Venona does two jobs in the room at once. It proves harvesting is a real technique with a track record, not a hypothetical, and it dramatizes the core asymmetry of the decision: the cost of acting early is bounded, and the cost of waiting is discovered too late to fix.
How do I answer the hard questions from the board, the CFO, and the skeptic?
Every pushback below is one you should expect, and each has a crisp, defensible answer. Rehearse these, and the room never sees you improvise.
| The pushback | Your answer |
|---|---|
| ”Quantum is a decade away.” | We aren’t betting on the machine’s arrival. Per Mosca’s theorem, we’re betting on our data’s secrecy lifetime plus migration time, and for our long-lived records that math is already underwater. Harvesting is live today. |
| ”Why now, and not next budget cycle?” | The harvesting clock is running now on data we can’t un-expose, our earliest procurement gate is dated (often Jan 1, 2027), and a late migration costs more and carries more risk than a scoped one started now. |
| ”Can’t we wait for the standards to settle?” | They’re settled. NIST finalized the first three post-quantum standards on Aug 13, 2024 (ML-KEM, ML-DSA, SLH-DSA). The waiting is over; the migrating is what’s left. |
| ”What’s this going to cost?” | We size it by funding a time-boxed inventory and a quantification pass first, not by signing a blank check. Those two outputs tell us the real shape and cost before we commit to the program. |
| ”Aren’t our vendors already handling this?” | Mostly not, and we verify rather than assume. The vulnerable algorithm sits inside dozens of vendor products on timelines the vendor controls. A roadmap statement is a promise; shipped protection is what we have today. |
| ”Is this threat even real?” | Real enough that NSA, NIST, and OMB have published dated deadlines against it. And the harvest-then-decrypt pattern already ran at national scale, the Venona program did exactly this to Soviet cables. |
| ”What happens if we do nothing?” | Three things: long-lived records harvested today become readable later, we miss a dated government deadline with our name on the risk, and we get locked out of contracts that inherit a post-quantum procurement gate. |
Source: NIST, “NIST Releases First 3 Finalized Post-Quantum Encryption Standards,” Aug 13, 2024, nist.gov.
The common thread in every answer: concede nothing you’d have to walk back, and route every objection to a dated fact or a countable exposure. You’re not arguing the future. You’re pointing at obligations that already exist.
What do executives get wrong about briefing this?
These are the expensive wrong beliefs, the ones that either kill the briefing or fund the wrong thing. Name them for what they cost.
- “This is an IT problem, so it briefs like an IT project.” It’s a governance risk with a legal deadline, and it briefs like a compliance obligation the board is accountable for overseeing. Pitch it as a technical upgrade and it competes with feature work and loses.
- “Our vendors have it handled, so there’s little to fund.” Most of your cryptographic footprint lives in vendor products on timelines you don’t control, and a roadmap is a promise about the future. Verify it, and fund the inventory that tells you the truth. (vendor surfaces)
- “It’s premature, we should wait.” The standards are final, the deadlines are dated, and the harvesting clock is live. Waiting doesn’t reduce the work; it compresses the same work into a shorter, more expensive window against a fixed deadline.
- “A scary enough presentation will get the budget.” Fear gets you dismissed as an alarmist. A dated mandate and a countable exposure get you funded. The board rewards the sober case, not the loud one.
- “I need the full dollar model before I can ask for anything.” You need it to run the program, not to start it. Records at risk plus the deadline are enough to fund the inventory that produces the dollar model.
What do I present myself, and where do I bring in help?
Be honest about the line, because that honesty is itself part of a credible briefing. Everything on this page is yours to run, and a capable leader can carry the whole board conversation without outside help. The tailored, defensible model behind the ask is where a specialist earns the fee.
| Capability | You present this yourself | Bring in a specialist |
|---|---|---|
| The board narrative, the hook, and the rebuttals | Yes, straight from this page | Not required |
| The one-page memo and the single slide | Yes, fill it tonight | Not required |
| Records-at-risk count from a scoped inventory | A capable security team with the right tooling | When the estate is large, vendor-dense, or you need it audit-graded fast |
| Exposure quantified in dollars against your actual records | Beyond most in-house tooling | Yes, a specialized and defensible modeling exercise |
| A roadmap defensible to your specific regulator | Draft it | Yes, to make it audit-grade |
The split is clean: you own the story and the ask, and the estate-specific quantification (the FAIR-modeled dollar figure, the regulator-proof roadmap) is the funded next step you’re briefing the board to approve. That’s the same thing you’re asking them to pay for, so naming it as outside the room’s scope is a straight, honest line. Your own decision path for all of it is Own Your Quantum Risk.
Questions you’re probably asking
What’s the single strongest opener? The harvesting pattern told as a story a director pictures instantly, an adversary recording your encrypted data now to read it later, backed by the Venona precedent. It reframes quantum from a distant physics problem into a present decision, without a line of math.
What’s the one number that lands with a board? Records at risk, paired with a real dated regulatory deadline. Those two are defensible under questioning, and a speculative dollar figure is not, so lead with the countable pair and name the quantified model as the funded next step.
They’ll say “quantum is ten years away,” so what do I say? Use the Mosca reframe: you aren’t betting on the machine’s arrival, you’re betting on how long your data stays secret plus how long migration takes, and harvesting is live today regardless of the machine’s year.
How do I sound urgent without crying wolf? Anchor urgency to a dated government requirement and let the deadline carry the alarm. Leave the hard Q-Day year off the slide, because a made-up doom year invites the room to argue the date instead of funding the fix.
What exactly am I asking them to approve? A time-boxed cryptographic inventory and a risk-quantification pass, a named executive owner, and a date to return with the full program. It’s a diagnosis, scoped and reversible, which is what a board approves in the room.
Do I need a dollar figure to get a yes? No. Records at risk plus the deadline are enough to fund the inventory. The full quantified model is a later, deeper exercise, and the inventory you’re asking for is what produces it.
What does a win in the room actually look like? Three concrete things: approved budget for the inventory and quantification, a named accountable owner, and a scheduled return date. Steer toward those, not toward “they seemed concerned.”
Where does the free starter deck live? In Doing the Work, alongside the one-page memo and the board FAQ, all ungated and ready to adapt. They’re generic educational starters, and the version quantified against your own estate is the engagement.
Everything on this page is the map, given freely: the exact order to tell the story, the two numbers that land, the mandate that binds you, the rebuttals to every board pushback, and the one-page memo you can fill tonight. The tailored version, your exposure quantified against your actual records and dollars and a roadmap built to survive your specific regulator, is the work itself. There’s an alignment briefing for it.
Last verified 2026-07-10 · Maintained by Addie LaMarr, LaMarr Labs.