The Quantum Security Era Has Arrived: Key Insights from the ExeQuantum CISO Roundtable

Last week, ExeQuantum convened a group of Australia’s leading CISOs, technologists, and cybersecurity executives for a frank discussion about one of the most urgent security challenges of our time: quantum readiness.

Across government, enterprise, critical infrastructure, health, finance, and education, the consensus was unmistakable:

Quantum security is no longer a technical project. It is a leadership mandate. And readiness must begin now.

Below is a consolidated summary of the most important insights and actions discussed.

1. Quantum Is Not “Future Tech” - The Threat Has Already Started

A key misconception surfaced early: quantum becomes a threat not when a large-scale quantum computer is built, but the moment adversaries begin stealing encrypted data today.

This is the well-known Harvest-Now, Decrypt-Later (HNDL) threat.

Long-life data such as medical records, financial history, identity data, IP, and classified information stolen today could be decrypted the moment quantum capability arrives.

Industries at highest near-term risk include:

Government and defence
Healthcare
Financial services
Education
Identity systems
Critical infrastructure

Every organisation now must ask:
Which data, if stolen today, will still matter in 5, 10, or 20 years?
Those systems become the priority for PQC migration.

2. Visibility Is the Biggest Barrier: “You Can’t Protect What You Can’t See”

Most organisations still lack visibility into where cryptography actually lives in their environment.

This is why standards bodies such as ACSC, NIST, NSA and ENISA are urging organisations to begin producing a Cryptographic Bill of Materials (C-BOM).

Where cryptography is typically hidden:

Operating systems
Network protocols
APIs and identity systems
IoT and medical devices
Backups and storage
Messaging platforms
Hardware-level crypto
Third-party vendor systems

The panel emphasised that AI-assisted discovery will dramatically accelerate this process, reducing work that once took years to weeks.

3. You Don’t Need to “Fix Everything” – Start Small and Build Momentum

Executives often stall because the scale feels overwhelming.

Key principles:

Start with visibility by mapping keys, certificates, algorithms and protocols
Prioritise by sensitivity and lifespan
Pilot in controlled environments before going live
Design for crypto agility instead of one-off upgrades
Shorten certificate lifecycles
Treat PQC as a business and GRC risk, not an IT task

4. Hardware Is the Hardest and Often the Most Urgent

Software can be updated. Hardware cannot.

High-risk hardware includes:

Medical devices
OT and ICS systems
Telco infrastructure
Network appliances
Legacy laptops and desktops
Consumer devices with embedded crypto

This will drive a global hardware modernisation wave, and organisations with slow refresh cycles are the most exposed.

5. AI and Quantum Will Converge and the Threat Landscape Will Shift

The panel explored the dual-use realities of AI and quantum.

How AI strengthens defenders:

Automated C-BOM generation
PQC testing
Crypto-agile orchestration
Faster cryptographic modelling

How AI strengthens adversaries:

Accelerated cryptanalysis
Differential attack generation
Pattern finding against symmetric encryption
Industrialised social engineering

Quantum will also enhance AI by enabling faster training, optimisation and pattern detection.

6. Skills, Budgets and Vendors: What Leadership Needs to Know

The skills gap came up repeatedly, but it should not halt progress.

And a crucial reminder:

7. Biometrics, QKD and the Future of Identity

Audience questions highlighted growing interest in next-generation identity.

Biometrics
Useful but increasingly spoofable due to deepfakes.
The future lies in biometrics tied to PQC-backed digital signatures.

Quantum Key Distribution (QKD)
Promising for niche, high-assurance use cases but limited by distance, specialised hardware and the need for PQC to authenticate.

8. What Organisations Must Do Now

The panel aligned on a clear, practical roadmap:

Begin cryptographic discovery with a C-BOM and inventory
Update procurement requirements to include PQC and crypto agility
Modernise legacy hardware with long refresh cycles
Build a crypto-agile architecture
Engage boards early and frame this as a resilience priority
Run small pilots
Align to global standards including NIST, ACSC, NSA CNSA 2.0, ENISA and ISO 23837
Plan budgets now as transitions typically take 2 to 5 years

9. The Takeaway: Quantum Security Is Now a Leadership Responsibility

Quantum transformation will impact every sector from hospitals and banks to education and manufacturing.

Leaders who invest early will reduce risk, modernise faster and meet the regulatory requirements already emerging across the United States, European Union, United Kingdom, Singapore and Australia.

Organisations that start now will be the ones ready for what comes next.

Be audit-ready for the post-quantum era.

Instant download: executive playbook for leaders.

Download Now