up:: 00 Field Guide Map

Doing the Work

Doing the Work is the governance and execution layer of the quantum transition, the place where technical understanding becomes a funded, owned, and defensible program. It answers the four questions a migration lives or dies on: who owns it, what gets fixed first, what the exposure is worth in dollars, and how you brief the people who hold the budget. It’s also where two external forces, the SEC’s cybersecurity disclosure rules and the cyber-insurance market, quietly turn cryptographic posture into a reporting and underwriting question.

Map of content

A short overview of the governance and execution work of the transition, and the index that routes you to every note in this section. Skim it to get oriented, then follow the links to go deep.

The short version:

  • Understanding the threat is the easy half. Governing the fix, assigning an owner, setting a cadence, and keeping a prioritized queue moving, is where most programs stall, per the human side.
  • Triage comes before scope. Key establishment for long-lived data is the urgent lane because of Harvest Now, Decrypt Later; signatures and PKI migrate on a slower, deliberate track.
  • A technical finding becomes a board decision when it’s expressed in money. FAIR turns “our RSA is quantum-vulnerable” into a probable-dollar loss you can weigh against the cost of the fix.
  • Boards fund a dated regulatory requirement and records at risk, not a doom prediction. The executive framing lives in Brief Your Board and Own Your Quantum Risk.
  • Two outside forces raise the stakes: the SEC disclosure rules make cryptographic risk a potential materiality question, and cyber-insurance underwriting is heading toward asking what you can prove about your encryption.

Think of it like a home renovation you finally understand needs doing. Knowing the wiring is unsafe changes nothing until someone owns the project, decides which room is dangerous enough to do first, gets a real number from a contractor, and takes that number to whoever controls the money. The quantum transition works the same way, and this section is about the second half, after the wiring diagnosis is in hand.

What does “doing the work” mean for a post-quantum migration?

It means running the transition as a governed program rather than a technical backlog item. The earlier stages of this Guide give you the raw understanding: the risk models that produce a prioritized queue, the new standards that replace what breaks, and the mandates that set the deadlines. Doing the Work is what you do with all of that. Four moves turn understanding into motion:

  1. Assign ownership. A migration with no named owner is a migration nobody drives. Cryptography usually has no single home, so the first governance act is deciding who owns the program and who reports on it.
  2. Prioritize the queue. Some systems matter far more than others, and the harvesting exposure makes some fixes genuinely urgent while others can wait. Triage is what keeps a multi-year effort from trying to boil the ocean.
  3. Quantify the exposure. A queue in technical language is a backlog. The same queue expressed in probable dollars is a business case, and that translation is what unlocks budget.
  4. Brief the funders. The people who approve the spend are usually non-technical, and they respond to a dated requirement and a number, so the last move is packaging the work in the language a board and a CFO actually read.

The rest of this page walks each move, then the two outside pressures, disclosure and insurance, that are reshaping the calculus underneath all four.

Who owns a post-quantum migration?

Whoever the organization explicitly names, which is the whole problem, because cryptography rarely has a natural owner. Encryption is spread across applications, infrastructure, identity, networking, and third-party vendors, so no single team feels accountable for the estate as a whole, and a program with diffuse ownership drifts. This is the organizational reason migrations stall, covered in depth in Why Post-Quantum Migrations Stall and the human side. Effective governance settles a few things early:

  1. A single accountable owner for the program, senior enough to move budget and resolve cross-team disputes, usually the CISO or a delegate reporting to that office.
  2. A cadence. A standing review that keeps the queue visible and moving, so the effort doesn’t decay into a document nobody reopens.
  3. A discovery foundation. Governance needs visibility first, which is why a cryptographic inventory is the substrate the whole program sits on. An inventory turns ownership of a black box into ownership of a mapped estate.
  4. A vendor posture. Much of an estate’s cryptography lives inside products the organization buys rather than builds, the vendor-controlled surfaces, so governance has to include a way to press suppliers for a migration path.

None of this is exotic. It’s the ordinary discipline of running a cross-cutting program, applied to a domain that has historically had no program at all.

How do you decide what to fix first?

You fix the exposure that’s already bleeding before the exposure that fails later. The single most useful triage rule in the whole transition comes from separating the two jobs public-key cryptography does, because they carry different clocks:

ExposureWhy it’s the priority it isWhich track
Key establishment protecting long-shelf-life data (RSA key transport, DH, ECDH)Exposed to HNDL today: traffic recorded now can be decrypted once a machine existsUrgent
Digital signatures and PKI (RSA signatures, ECDSA)Fail only once a capable quantum computer is real, so there’s time to migrate deliberatelyDeliberate
Symmetric encryption and hashing (AES-256, SHA-2, SHA-3)Survives with minor adjustments, so it’s largely out of scopeMonitor

Source: the two-job split and the HNDL-first logic follow NIST’s finalized standards and their intended use, NIST, “NIST Releases First 3 Finalized Post-Quantum Encryption Standards,” August 13, 2024, nist.gov.

On top of that lane split, two risk models sharpen the order inside each lane. Mosca’s theorem compares how long your data must stay secret plus how long the migration takes against how long until a capable machine arrives, and when the first two exceed the third, you’re already late. Blast radius ranks systems by how much depends on them, so a shared root of trust or a widely-used certificate authority outranks an isolated internal service. Together they turn a flat inventory into a ranked queue, which is the input every later step needs.

How do you quantify quantum risk in dollars?

You decompose the risk into how often a loss happens and how much it costs, estimate each as a calibrated range, and run the numbers, which is exactly what FAIR (Factor Analysis of Information Risk) is built to do. A red-amber-green heat map can tell a board that quantum risk is “red,” but “red” gives them no way to weigh a multi-million-dollar migration against a footnote. A dollar figure does three things a color can’t: it makes quantum risk comparable to every other investment competing for the same budget, it makes the fix justifiable when expected loss exceeds the cost of mitigation, and it survives an auditor’s or a regulator’s scrutiny because it rests on a published method with stated assumptions.

FAIR expresses risk as loss event frequency times loss magnitude, estimates the leaf factors as ranges rather than single guesses, and runs a Monte Carlo simulation to produce a loss-exceedance curve, the probability of losing at least a given amount. The quantum threat maps cleanly onto it: HNDL exposure and the volume of records under vulnerable cryptography set the magnitude, and the timing logic of Mosca’s theorem feeds the frequency. That’s how “our systems use RSA, which a quantum computer will break” becomes “the expected loss from this exposure is a distribution centered on a figure that sits above our stated risk tolerance,” which is the sentence that moves a migration from a backlog item to a funded program.

Source: FAIR is published by the Open Group as the O-RT risk taxonomy and O-RA analysis method, The Open Group, Open FAIR; the practitioner body is the FAIR Institute.

How do you brief the people who fund it?

You walk in with a dated requirement and records at risk, and you leave the doom prediction at the door. A board of non-technical people who hold the budget responds to two things: a deadline they’re accountable to, and a number they can weigh. The full executive framing lives in Brief Your Board, and the wider owner’s playbook in Own Your Quantum Risk, but the governance principle behind both is simple:

  1. Lead with the mandate, not the math. Authority comes from a dated federal requirement like CNSA 2.0 and the volume of exposed data, not from the internals of Shor’s algorithm, which lose a boardroom instantly.
  2. Bring the dollar figure. The FAIR-quantified exposure is what lets the board weigh the migration against the cost of doing nothing. A queue without a number reads as a technical opinion.
  3. Avoid the credibility-killers. A hard “Q-Day 2030” date presented as certain, a claim that “everything is broken today,” and an opening built on quantum-algorithm math each get a briefer dismissed as crying wolf. Sober and dated beats loud and vague.

The reward for getting this right is a governance structure the board actually oversees, which is also, as the next section shows, becoming a disclosure expectation in its own right.

How do disclosure and insurance change the calculus?

Two forces outside the security team are turning cryptographic posture into a reporting and underwriting question, and both raise the cost of ignoring the transition. They pull in the same direction: whatever you claim about your cryptography, you had better be able to prove.

ForceWhat it puts on the organizationPrimary source
SEC cyber disclosure rulesPublic companies must disclose material cyber incidents on Form 8-K within four business days of the materiality determination, and describe cyber risk-management and governance annually in the 10-K under Regulation S-K Item 106SEC Final Rule 33-11216 / 34-97989, adopted July 26, 2023
Cyber-insurance underwritingThe application has become a de facto controls audit, and written answers about encryption and other controls are binding attestations a carrier can rescind a policy overNAIC 2025 market report; Travelers v. ICS (2022)

Source: SEC, “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure,” Final Rule, Release Nos. 33-11216; 34-97989, adopted July 26, 2023, effective September 5, 2023, sec.gov press release 2023-139.

Source: NAIC, “Report on the Cybersecurity Insurance Market,” 2025 report on 2024 data, naic.org; Travelers Property Casualty Co. of America v. International Control Services, rescinded by stipulated judgment August 26, 2022, insurancejournal.com.

On the disclosure side, the SEC never names quantum cryptography anywhere in the rule. What it requires under Item 106(b)(2) is a forward-looking determination of whether cyber risk is “reasonably likely to materially affect” the company, and under the Basic precedent that’s a probability-times-magnitude analysis, exactly the shape HNDL of long-lived material data fits. Whether it crosses the materiality line is a judgment a company makes with its own securities counsel, and this Guide’s note is careful to teach the regime rather than give legal advice.

On the insurance side, applications today ask a yes-or-no “is your data encrypted” question. They don’t yet ask which algorithms, key sizes, or protocol versions, or whether the estate can swap algorithms without re-architecting. As post-quantum migration becomes a board topic, that single line is the most likely door for quantum to enter underwriting, and a truthful answer to a more detailed version of it is precisely what a CBOM produces. The through-line across both forces is the same discipline the whole program rests on: know what you can prove.

Where do the free board and practitioner resources fit?

They’re the concrete starting point once you’re ready to move. This section carries downloadable, ungated starters you can take and adapt: a board briefing deck, a one-page board memo, a board FAQ, and a cryptographic-inventory checklist. They’re generic educational starters, not the quantified, estate-specific deliverables an engagement produces, and that distinction is deliberate. The starter is the map. The version built and quantified for your own systems, defensible to your own regulator and your own board, is the work itself.

Common misconceptions

  1. “The hard part is the cryptography.” The algorithms are settled and standardized. The part that defeats most programs is organizational: ownership, prioritization, and keeping a multi-year queue moving, which is why governance is a discipline of its own.
  2. “Fix everything at once.” Triage first. Key establishment for long-lived data is urgent because of harvesting; signatures and PKI have more runway. Trying to do it all in one pass is how programs stall.
  3. “A heat map is enough for the board.” A color can triage, but it can’t carry a budget decision or survive a skeptical CFO. Boards fund dollar figures with stated assumptions, which is what quantification supplies.
  4. “The SEC requires a quantum disclosure.” It requires no specific risk. It imports the ordinary materiality standard and asks whether cyber risk is reasonably likely to be material, and whether crypto exposure crosses that line is a company-and-counsel judgment.
  5. “My cyber policy obviously covers a harvest-now-decrypt-later loss.” It depends entirely on the wording, the retroactive date, and the war and state-backed exclusions. A latent, delayed harm sits awkwardly against a discovery-based policy structure, so nobody should assume coverage either way.
  6. “Quantifying quantum risk is impossible because the timeline is unknown.” The unknown timeline is exactly why you use ranges. FAIR expresses “we don’t know the year” as a distribution over arrival times, producing an honest curve instead of a false date.

Questions people ask

Where does “doing the work” start if I’ve only just understood the threat? With ownership and inventory. Name an accountable owner, then build a cryptographic inventory so the program has something to govern. Everything downstream, triage, quantification, and the board case, needs a visible estate first.

What do I actually fix first? Key establishment protecting data that must stay secret for years, because that’s the exposure to Harvest Now, Decrypt Later. Signatures and PKI matter, but they only fail once a capable quantum computer exists, so they migrate on a deliberate track behind the harvesting lane.

How do I turn a technical finding into a budget? Quantify it in dollars with FAIR. Expressing the exposure as a probable loss distribution lets the board weigh the migration against the cost of inaction and against every other investment, which is the translation that unlocks funding.

What does a board respond to? A dated regulatory requirement and records at risk, delivered without alarmism. Lead with a mandate like CNSA 2.0 and a quantified exposure, and leave out the hard Q-Day date, the “everything is broken today” claim, and the Shor’s-algorithm math. The step-by-step is in Brief Your Board.

Does the SEC rule force me to migrate to post-quantum cryptography? No. It’s a disclosure rule, not a cryptography mandate. It governs what a public company tells investors about material cyber risk and its governance of that risk. Migration deadlines come from other authorities like CNSA 2.0 and NIST guidance, covered in the mandates.

Will quantum risk raise my cyber-insurance premium? Not in today’s market. The direction of travel is that a cryptographic inventory and crypto-agility are candidates to follow the path multi-factor authentication took, from an unasked question to a control that shapes terms, once a catalyzing loss or a regulatory deadline makes carriers treat quantum-vulnerable estates as an aggregation concern.

Is any of the disclosure or insurance material legal advice? No. Both the SEC and cyber-insurance notes teach the regime and the market in general terms. Materiality determinations belong to a company and its securities counsel, and coverage questions belong to a licensed broker and coverage counsel.

Go deeper

The executive pathways: Own Your Quantum Risk · Brief Your Board

Quantifying the exposure: Cyber Risk Quantification (FAIR)

Disclosure and risk transfer: SEC Cyber Disclosure & Materiality · Cyber Insurance Governance and the success metric: NIST Cybersecurity Framework (CSF) · Standalone Cryptography Policy · Deprecation, Not Deployment · Continuous Cryptographic Assurance (the steady-state watch that keeps a completed migration from silently regressing, standing telemetry on negotiated algorithms, permitted fallbacks, new systems, and certificate expiry)

Field notes: Why Quantum Readiness Is a Governance Problem (the org chart, not the algorithm, decides whether a finished roadmap moves, the empty owner’s seat, CSF Govern, and deprecation as the honest scoreboard).

Where the prioritized queue comes from: Quantum Risk Models MOC · Harvest Now, Decrypt Later (HNDL) · Mosca’s Theorem · Blast Radius

Why programs stall, and what stops them stalling: The Human & Organizational Side MOC · Why Post-Quantum Migrations Stall · Cryptographic Bill of Materials (CBOM) · Crypto-Agility · Vendor-Controlled Crypto Surfaces

The deadlines that make it mandatory: The Mandates MOC · NSA CNSA 2.0


Everything here is the map, given freely. When your team needs the queue owned, the exposure quantified against your own records and dollars, and the whole thing made defensible to your board and your regulator, that’s the work I do, and there’s an alignment briefing for it.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.