The Decision That Has to Be Made Before the Jump

June 05, 2026 · 4 min read

A parachute is not packed in free fall.

It is packed before the plane takes off. The canopy is checked, the straps are secured, and the reserve is inspected. The person jumping may still face risk, but they are not depending on last-minute preparation in the middle of the fall.

That is the leadership lesson behind quantum-resilient cybersecurity. And like most lessons about preparation, it is far easier to act on before urgency arrives than after.

Most of the security protections organizations depend on today are woven invisibly into the fabric of how the business operates. They sit beneath applications, financial transactions, identity systems, vendor relationships, customer data, and operational infrastructure. Leaders rarely think about them because they rarely have to. They work quietly in the background — and that invisibility creates a specific kind of risk: the assumption that changing them, when the time comes, will be relatively straightforward.

It won’t be. And the organizations that recognize it early will have a significant advantage over those that don’t.

The Window Is Open — and It Is Not Unlimited

In 2024, NIST finalized the first three post-quantum cryptography standards and encouraged system administrators to begin transitioning to them as soon as possible. Not because quantum computers are breaking systems today, but because transitions of this depth — across vendors, platforms, data flows, and infrastructure — can take years. Sometimes much longer. (NIST)

That timeline is the part most executive conversations are missing. The technical standards exist. Federal guidance has pointed organizations toward readiness planning, including quantum-readiness roadmaps, inventories, risk assessments, and vendor engagement. (CISA)

What hasn’t happened in most organizations is the leadership conversation about what this transition actually requires — who owns it, what it touches, and how much runway the business realistically has to do it well.

The organizations treating this as a future problem are quietly borrowing against a timeline they don’t fully control. And borrowed time has a way of running out faster than anyone planned.

The Real Risk Is Misplaced Confidence

Most senior leaders, if asked, would say their organizations are secure. For today’s threat environment, they may well be right. But quantum readiness asks a different question entirely: when the foundation needs to change, does the organization have the visibility, ownership, and coordination to do so without disruption?

That question exposes something most security reviews don’t surface. The protections that need to evolve aren’t housed in a single system or owned by a single team. They are distributed across the enterprise — embedded in vendor platforms, third-party integrations, legacy infrastructure, and data that needs to remain protected not just today but for years or decades to come.

Consider what that means in practice. A vendor who controls part of the infrastructure may move on their own timeline, not the organization’s. Legacy systems that haven’t been modernized may not support newer security standards without significant rework. Data encrypted years ago under current standards may be at risk if those standards become vulnerable before the data loses its value.

These are not hypothetical edge cases. They are the normal conditions of enterprise infrastructure — and they make late preparation significantly more expensive than early preparation.

This Belongs in the Executive Conversation

The instinct in most organizations is to treat cybersecurity transitions as a technical responsibility — something the security team manages, surfaces when necessary, and resolves without requiring sustained leadership attention.

That instinct is understandable. It is also precisely what makes large-scale security transitions harder than they need to be.

Transitions that affect vendor contracts, infrastructure investments, operational dependencies, and long-term data protection strategies are not resolved solely by the security team. They require budget decisions, vendor conversations, board awareness, and cross-functional coordination that only happens when senior leaders are engaged early enough to shape the approach rather than simply react to the urgency.

The question worth asking now is not whether this transition is real. It is whether the organization has the visibility to understand its own exposure, the ownership structure to drive a coordinated response, and enough runway remaining to make deliberate decisions rather than expensive ones.

Waiting Is Its Own Decision

There is no neutral position here. Organizations that begin building a readiness view now will have room to sequence carefully, manage vendor dependencies, and make deliberate tradeoffs. Organizations that wait will face the same transition under time pressure — with fewer options, higher costs, and more difficult questions from boards and stakeholders.

A parachute doesn’t eliminate the risk of the jump. It eliminates the catastrophic consequence of discovering too late that something critical wasn’t ready.

The leaders who understand that won’t wait for urgency to make the decision for them.

Kathy Kent Toney

Kathy Kent Toney is a technology advisor and consultant focused on emerging technology, AI, automation, cybersecurity, and operational strategy for modern organizations.
