This page consolidates some of my quantum materials.
QUANTUM SECURITY INTELLIGENCE REPORT™
Quantum Security Connection™ | Edition 1 | March 2026
Published under Chatham House Rule. Quotes reproduced with permission.
About This Report
On 30 March 2026, we held the inaugural Quantum Security Connection in Central London, hosted by Helaba Bank. This quantum-transition tabletop exercise brought together senior professionals from finance, law, defence, healthcare, government, critical national infrastructure, and FMCG: a hand-selected group, deliberately covering various sectors. Participants are united by a shared challenge: preparing their organisations for the post-quantum transition.
This report captures participant findings. It is not a technical primer on post-quantum cryptography. For that, we recommend the Practical Post-Quantum Transition Framework™, developed by Moona Ederveen-Schneider and referenced throughout the exercise. Available free of charge, it is designed for leaders and practitioners at all levels, requires no deep cryptographic expertise, and is structured to be embedded in existing risk management and governance processes rather than treated as a separate technical programme.
This report offers insights into where senior leaders and practitioners currently stand: their awareness, blockers, and the actions they are preparing to take. It is published openly, in the belief that the insights will serve the wider community and those who generated them.
The exercise was designed and facilitated by Moona Ederveen-Schneider, Founder of Resilia Connect, and supported by Alice Bromage, Principal at Quantum North, with additional table group moderation by cyber security leaders Vikas Patel and Raminder Ruprai.
Several participants shared their reflections publicly following the session. We are grateful for their permission to include them here.
Key Findings
- Quantum threat awareness exists, but it is thin and siloed. Post-quantum cryptography (PQC) is known to security teams in most organisations represented, but has not meaningfully reached leadership, procurement, legal, or operations.
- The dominant barrier is not technical but prioritisation. Five-year planning cycles, unquantified costs, and the absence of regulatory consequence make quantum readiness seemingly easy to defer.
- Quantum is not yet being treated as an organisational problem. It is discussed in isolation, rarely overlaid on existing projects, refresh cycles, or risk frameworks.
- Data estates are poorly mapped. Most organisations cannot fully articulate what sensitive data they hold, where it lives, how long it must be protected, or who is responsible for it.
- The business case should be straightforward, but must be framed in financial and regulatory terms to reach boards and chief executives.
- Immediate, high-value actions are available to every organisation in the room and beyond, regardless of sector or budget. The blocker is initiation, not capability.
“This belongs on every board agenda. Now.”Chrissy Hill, Chief Legal Officer
Exercise Outcomes
The show-of-hands scores at the start and end of the session were instructive: the majority of the room rated PQC as low priority initially, and almost everyone rated it as feeling highly unmanageable. By the close, both priority and manageability scores had shifted noticeably, suggesting that structured discussion and a clear framework move the needle even in a single session.
The Power of Community
Participants were drawn from finance, legal, military and defence, healthcare, critical national infrastructure, government, FMCG, and investment. The cross-sector composition was deliberate: quantum risk does not respect sector boundaries, and practitioners recognised a shared challenge from different angles. Peer learning across sectors shortens the learning curve. Organisations can avoid duplicating early mistakes, draw on frameworks already tested by others, and build the kind of cross-sector relationships that make coordinated response possible.
“Post-quantum readiness isn’t a future problem. Or just a crypto problem.”Participant, QSC Edition 1
Participant Insights
What Organisations Know
Awareness of post-quantum risk exists across the sectors represented, but it is thin, unevenly distributed, and rarely backed by action. Security teams are broadly familiar with the threat. Leadership, procurement, legal, and operations functions are largely not. Where awareness has surfaced, it tends to be deprioritised quickly the moment it competes with operational demands.
The picture is compounded by a data problem that predates quantum entirely. Most organisations cannot fully map their data estate with confidence: what sensitive information they hold, where it resides, how long it must be protected, and who is responsible for it. Retention policies are inconsistent and frequently exceed what is defensible. This is not a quantum-specific failure, but data security posture management is the necessary foundation on which quantum readiness must be built. The Practical Post-Quantum Transition Framework™ addresses this directly, beginning with data lifecycle management as the first structured step in reducing attack surface.
Cryptographic discovery presents a similar challenge. Tooling to identify and map cryptographic usage across an organisation is limited. Different teams manage different areas; cloud key management is often handled separately from on-premise systems. Data in transit, data at rest, authentication, and third-party dependencies are frequently bundled under a single label that obscures the reality: these are materially different systems with different risk profiles and different migration timelines.
“Quantum-enabled threats are no longer theoretical. They are a present and accelerating risk that require coordinated, intelligent and forward-leaning responses.”Bobbi Trehan-Young, Subject Matter Expert & Architect, Microsoft
What Is Stopping Them
The dominant barrier is not technical. It is prioritisation, and the structure of how organisations plan. For most organisations represented, quantum readiness competes poorly against near-term operational demands. Five-year planning horizons place the 2035 NCSC deadline outside the window entirely. The unpredictability of Q-Day compounds this: unlike a regulatory deadline, it carries no fixed date, making it structurally similar to other ignored inflection points such as Y2K or the rapid rise of AI, theoretically understood and practically deferred.
Another observation emerged across multiple participants: quantum is still being treated as an isolated problem rather than something to be overlaid on existing programmes of work. Organisations should not run a separate quantum project; they should develop the awareness to recognise where quantum risk intersects with work already under way. That reframe had not yet landed widely in the room.
When it comes to migration, the blockers are concrete: identity services, operational technology, and embedded systems that cannot be updated easily; cloud providers operating on their own timelines; legacy systems with hard-coded cryptography; and the straightforward reality of financial outlay competing against a threat that remains, for many boards, theoretical. The board-level calculation described by one table team was direct: is the risk of not acting less than the fine? Until regulatory consequence becomes concrete, this will continue to favour deferral.
What They Can Do Now
The business case is available to every organisation in the room, and it does not require a quantum computer to materialise to deliver value. Regulatory consequence, insurance exposure, and financial liability are the levers that move boards. Abstract risk arguments do not. As one table put it plainly: the CEO listens when you say there will be a financial impact.
On immediate action, the room was practical. Education within technical teams should ensure cryptographic considerations are raised earlier in development and infrastructure pipelines, consistently identified as a step available now at low cost. Several tables made a strong case for applying quantum-secure standards to all new builds from this point forward, rather than attempting to retrofit legacy systems later. Not as a quantum project, but as sound engineering practice that also builds quantum resilience.
On migration, the group largely agreed that the first steps are not primarily technical. The priority is data discovery: understanding what sensitive data the organisation holds, where it resides, and how long it must remain protected. Cryptographic discovery follows, mapping where encryption exists across systems, third parties, and infrastructure. From these activities, a credible, risk-based migration plan can be built. Additional activities are set out in the Practical Post-Quantum Transition Framework™, available free of charge at www.moona.net. Quick transition wins were identified in systems already due for refresh, greenfield projects, and newer platforms.
The legal dimension deserves particular attention. Privileged legal information with retention periods of ten years or more is already in scope for Harvest Now, Decrypt Later attacks. That is not a future risk. It is a current one.
“It’s not a dark art — but having deep specialists guide you through certainly helps.”Alice Bromage, Principal, Quantum North
Regulatory Round-Up
Participants expressed a strong preference for regulation and government guidance as a lever to demonstrate urgency. Below is a selection of key regulations and government initiatives reviewed during the session. A more detailed overview can be found in the Practical Post-Quantum Transition Framework™ and other sources online, given this is a fast-moving space.
| Region | Body | Key Detail |
|---|---|---|
| United Kingdom | National Cyber Security Centre (NCSC) | Strategic planning complete by 2028. Critical assets protected by 2031. Full migration by 2035. |
| United States | NIST / Department of Homeland Security (DHS) | RSA encryption deemed insecure by 2030. Federal agencies: inventory and migrate by 2035. |
| Germany | Federal Office for Information Security (BSI) — TR-02102 | Annually updated cryptographic recommendations. Transition of most sensitive applications to quantum-resistant methods by 2030. |
| India | National Cybersecurity Reference Framework | Critical Information Infrastructure (defence, power, telecom): full migration by 2029. Enterprise (government and private sector): full migration by 2031. |
| Australia | Australian Signals Directorate (ASD) — Information Security Manual (ISM) | Cease use of vulnerable asymmetric cryptography by 2030. Full transition to post-quantum algorithms by 2030. |
| Canada | Canadian Centre for Cyber Security (Cyber Centre) — ITSM.40.001 | High-priority systems by 2031. Full migration of all federal IT systems by 2035. |
| South Korea | PQC Master Plan | Pilots 2025–28. Nationwide by 2035. |
| Singapore | Monetary Authority of Singapore (MAS) | Financial institutions: act now (Advisory TCRS/2024/01). |
Next Steps
Future QSC Editions and Board Briefings
We are exploring how the Quantum Security Connection will continue, with further editions of the tabletop exercise and the opportunity to expand into regular workshops or to cover specific topics and breach scenarios. Sessions can be held within organisations, sector-specific, or cross-sector to build the awareness and momentum that the post-quantum transition requires. Tailored board briefings and advisory on how the Framework applies to your organisation are also available.
Hosting and Sponsorship Opportunities
If you would like to attend a future QSC edition or explore hosting or sponsorship, please get in touch with Moona Ederveen-Schneider via www.quantumsecurityconnection.com.
Peer Support
Vetted QSC participants also have the option to stay connected via the private LinkedIn group: Quantum Security Connection.
In Development
Moona Ederveen-Schneider is working on a companion paper to the transition framework for those who wish to better understand the physics behind the threats we are facing, such as Harvest Now, Decrypt Later and Trust Now, Forge Later. The Quantum Security Directory™ is also in development, to help practitioners navigate this space.
Spread the Word
We appreciate your help in sharing these findings with peers. Please engage with our LinkedIn content and that of other exercise participants, from IT & Cloud, Legal, and Military.
Further Information
- DHS Quantum Information
- Quantum Glossary (techUK)
- ISMG Quantum Video Interview with Moona Ederveen-Schneider
- Security Insights Quantum Podcast Interview with Moona Ederveen-Schneider
- InfoSecurity Magazine: Why Your Organisation Should Start Quantum Preparedness Today by Moona Ederveen-Schneider
- Sample Enterprise Cryptography Policy by Louise Davey
Quantum Security Intelligence Report™ | Edition 1 | April 2026
© 2026 Moona Ederveen-Schneider. All rights reserved.
Post-Quantum Preparedness Framework™
This paper debunks myths around post-quantum preparedness and explains why organisations need to start preparing today for a future where existing encryption methods fail against quantum computing, threatening data confidentiality and identity verification. For most, there is no need to panic but complacency is not an option.
Post-quantum preparedness as per my framework, also provides immediate benefits against these attacks and top-of mind threats such as ransomware and AI-enabled attacks. This paper is aimed at all levels and fields of practitioners and leaders and requires only basic understanding of encryption. To deepen understanding, additional references are listed at the end.
This framework is designed to make transition manageable and remove analysis-paralysis. Emergency procurement or massive dedicated project spend is not required at this point.
To be very clear, whilst many debate the exact timing of the arrival of quantum computing, attackers are harvesting sensitive data now and post-quantum security transformation takes a long time. In short, it is time to stop debating and start doing. This framework shows you how.
Practical Post-Quantum Transition Framework
Send download link to: