
How to brief your board on PQC without the jargon
Most PQC briefings fail. They either drown the room in acronyms or stay so vague that no one can make a decision. Here is the translation layer that actually works.
The problem
Why most board briefings on PQC fail
Post-quantum cryptography is a technical subject. Boards are not a technical audience. Most briefings resolve this tension badly — either by explaining lattice-based mathematics to people who need to approve a budget line, or by saying “quantum computers could break encryption” and expecting that to land as a business risk.
Neither gets you what you need. The first loses the room. The second doesn't give the board enough to act on.
The board's job is not to understand quantum computing. Their job is to understand the risk to the organisation, the regulatory expectation, and what a decision to act — or not act — will cost. That is a very different briefing.
“The board doesn't need to understand the cryptography. They need to understand the liability.”
The frame
What the board actually needs to decide
Strip the brief down to three questions the board can actually answer:
Is there a regulatory obligation?
Yes. The NCSC has set five milestone gates for UK financial services organisations, with the first checkpoints expected by 2028. The FCA's operational resilience framework and DORA obligations for EU-connected firms both have dependencies on cryptographic resilience.
What happens if we miss it?
Regulatory scrutiny, potential enforcement action, and — more immediately — the data you are protecting today may already be at risk. Adversaries are harvesting encrypted data now, with the intention of decrypting it once quantum hardware matures. Long-lived regulated data is already exposed.
What does it cost to act vs not act?
Early-stage work — a cryptographic asset inventory and a migration roadmap — is a contained, scoped exercise. Remediation at the point of the 2028 NCSC checkpoint, or after a breach, is orders of magnitude more expensive. The asymmetry strongly favours acting now.
Translation
Language that works vs language that doesn't
Swap technical terms for business-risk equivalents before the briefing reaches the boardroom.
| Technical term | Board-ready translation |
|---|---|
| Post-quantum cryptography | Encryption that remains secure against quantum computers |
| Harvest-now, decrypt-later | Adversaries are already collecting our encrypted data — waiting for a quantum computer to read it |
| NCSC milestone gates | The government's five-step compliance checkpoint for UK organisations |
| Cryptographic asset inventory | A complete map of where our encryption is deployed across the estate |
| ML-KEM / ML-DSA | The new encryption standards the government expects us to migrate to |
| Asymmetric encryption | The mechanism that protects data in transit — the most exposed layer |
| Migration roadmap | A phased plan for replacing vulnerable encryption in line with the NCSC migration timeline |
The goal is not to dumb it down. It is to make the risk legible to the people who are accountable for it.
The structure
A five-point briefing that fits a 10-minute slot
Board time is short. Structure the briefing so each point builds to a decision — not a deeper explanation.
The threat (2 min)
Adversaries are collecting encrypted data today, before quantum computers exist. Long-lived data — KYC files, mortgage documentation, regulated correspondence — is already at risk. This is not a future problem.
The regulatory timeline (2 min)
The NCSC has set five milestone gates for UK financial services organisations. The first checkpoints are expected by 2028. Discovery and risk prioritisation need to start now to meet them.
Where we stand today (2 min)
Our current posture: what we have inventoried, what assessments have been done, what gaps exist. Be honest — most firms are at or near zero.
What we need to do and by when (2 min)
The immediate next step is a cryptographic asset inventory — a full picture of where our encryption is deployed and which systems carry the most sensitive long-lived data.
What we are asking for today (2 min)
A decision and a budget line to commission the discovery phase. Present the cost as a range. Frame it against the cost of missing the 2028 NCSC checkpoint.
Free tool
Know where you stand before the briefing
Run the NCSC Readiness Check first. It maps your organisation against the five milestone gates — so you know what to put in point three of the briefing before you walk in.
The hard questions
Three questions the board will ask — and how to answer them
"Why now if quantum computers don't exist yet?"
Because the data collection has already started. Nation-states operating on 10-to-20-year intelligence cycles are harvesting encrypted traffic today. The data we are protecting now — under current encryption — will still be valuable when quantum hardware arrives. By then, it will be too late to re-encrypt what has already been taken.
"Other firms aren't doing this — why should we?"
The NCSC's 2028 milestone gates apply to the sector, not individual firms. Firms that begin discovery now will have a two-to-three-year lead on remediation. Firms that wait will face compressed timelines, higher costs, and scrutiny from regulators who will expect evidence of planning. Being second is not a safe position in a regulatory migration.
"Can't we just upgrade when the time comes?"
No. A cryptographic migration across a mature financial services estate — touching every system that uses key exchange, every vendor, every certificate — takes years. The NCSC's 2028 gates exist precisely because the work cannot be done in a short window. Discovery needs to start now for migration to be possible on time.
The board's job is to challenge. These questions are not resistance — they are the board doing its job. Having crisp answers to each one is what converts the briefing from an information session into an approval.
Next step
Want help running this conversation internally?
Book a free 30-minute call. We can help you frame your organisation's current posture, identify the gaps to disclose, and structure the briefing for your specific board.