Three excerpts from the book

If you picked up this book with one eyebrow raised, you are not the wrong reader. You are exactly the reader this section is for.

Most serious people do not come to quantum risk through a calm chain of evidence. They come to it through a headline, a vendor deck, a passing mention in a board packet, or a meeting where someone says, “We should probably watch this.” That is a bad way to develop judgment. It creates either panic or dismissal. Neither one helps you.

So let me level with you directly.

No honest person can tell you the date on which a cryptographically relevant quantum computer will arrive. No honest person can promise which vendor roadmaps will mature on schedule. No honest person can tell you that every part of the standards and implementation landscape will feel clean and settled next quarter. If someone is selling certainty here, be careful.

But uncertainty about the date is not the same thing as uncertainty about the work.

If your organization holds data that must remain confidential for seven to ten years, and your migration will take three to seven years once it starts, and the work has not started—then the planning window is already open. That is not a prediction about quantum computing. It is arithmetic about lead time.

Three things keep me up at night. First, the number of organizations that hold long-horizon data but have never classified it by confidentiality lifetime. Second, the number of trust paths—certificates, keys, machine identities—that no one has mapped or owns. Third, the number of supplier relationships where quantum readiness has never been raised, let alone required.

This book is not here to scare you. It is here to give you a decision-grade view of what is moving, what matters, and what you can do in the next twelve months that will not be wasted regardless of when a cryptographically relevant quantum computer arrives.

Delay is a decision. This book is for people who prefer to make that decision with evidence.

From: Front Matter

This book is not about quantum computing. It is about what quantum computing changes for the people responsible for protecting data, trust relationships, and operational continuity inside real institutions.

The distinction matters because most of the noise in this space comes from the wrong direction. Physics conferences produce timeline debates. Vendor marketing produces urgency theater. Neither one helps a CISO decide which trust paths to inventory first, or a board understand whether their supplier contracts address cryptographic modernization, or an architect plan a certificate migration without breaking production.

The useful question is not “When will a quantum computer break RSA?” The useful question is: “What do we need to do before that happens, how long will it take, and have we started?”

That is a security question. A governance question. A migration question. And for most organizations, the answer to the third part is no.

From: Chapter 1

Three composite scenarios illustrate what happens when organizations start post-quantum migration too late. These are not predictions. They are constructed from patterns visible across real engagements, published guidance, and documented technical constraints.

Scenario 1: The financial services firm that discovers its certificate infrastructure cannot support hybrid key exchange—six months after its primary regulator requests evidence of post-quantum planning. The firm has 14,000 internal certificates, no centralized inventory, and three certificate authorities managed by different business units. The migration timeline is measured in years. The regulatory expectation was measured in quarters.

Scenario 2: The healthcare system that learns its archival platform encrypts patient genomic data with RSA-2048 and has no re-encryption capability. The data must remain confidential for the lifetime of the patient—and beyond. The vendor’s PQC roadmap is a single slide in a quarterly business review with no dates, no dependencies, and no named owner.

Scenario 3: The critical infrastructure operator that finds its SCADA control plane authenticates field devices with ECDSA certificates baked into firmware that cannot be updated. The devices have a 15-year replacement cycle. The quantum-vulnerable authentication path is not a peripheral feature—it is the trust root for every command sent to the field.

The lesson in each case is the same: the constraint was not the threat timeline. It was the migration timeline. The organizations that started earlier had options. The organizations that waited had emergencies.

From: Composite Scenarios (between Ch 5 and Ch 6)