Five Practical Steps to PQC Readiness That Don’t Require Major Investment
Introduction
One of the most common misconceptions about post-quantum cryptography readiness is that it requires immediate, significant investment. The vendor narrative often reinforces this view, framing PQC as a technology procurement challenge that demands urgent budget allocation for new platforms, tools and services.
In reality, the most valuable steps an organisation can take today have very little to do with procurement. They are about focus, governance and planning discipline — the strategic foundations that will determine whether subsequent investment delivers genuine value or simply adds another layer of complexity to an already fragmented technology estate.
This is encouraging news for organisations that recognise the importance of the quantum transition but are navigating competing budget priorities. PQC readiness does not start with a purchase order. It starts with a clear understanding of your risk, your data and your cryptographic landscape. Here are five practical steps that lay the groundwork for a well-governed, phased approach.
1. Use Architecture Governance to Drive PQC Readiness
The most cost-effective way to build PQC readiness is to embed it into decisions your organisation is already making. Every enterprise has ongoing procurement cycles, technology refreshes and architecture reviews. By incorporating PQC considerations into these existing governance processes, organisations can make incremental progress towards quantum readiness without launching a dedicated programme.
In practical terms, this means two things. First, decoupling cryptographic functions from applications and services wherever possible. When new systems are designed or existing systems are refreshed, cryptographic operations should be abstracted into centralised services and APIs rather than embedded within individual applications. This architectural principle — which is valuable regardless of PQC — creates the foundation for cryptographic agility over time.
Second, it means ensuring that newly procured hardware is capable of supporting PQC algorithms. As servers, network equipment, HSMs and endpoint devices come up for refresh, the procurement specification should include a requirement for PQC algorithm support. Over successive refresh cycles, this approach allows the technology estate to become progressively PQC-capable without the need for a disruptive, estate-wide upgrade programme.
This is not a theoretical exercise. It is a practical change to governance processes that pays dividends immediately and compounds over time. The organisations that embed PQC into their architecture governance now will find themselves significantly better positioned when the transition accelerates.
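As an added illustration of the decoupling described above (example code written here, not from the original post or any Unsung engagement), the sketch below puts integrity protection behind one service with a hypothetical algorithm registry. Callers never choose an algorithm: policy sets the default, every envelope carries an authenticated algorithm label so old data still verifies after a migration, and retiring an algorithm is a configuration change. Standard-library HMAC variants stand in for the classical and post-quantum primitives a real service would expose, so the example runs offline.

```python
import hashlib
import hmac
from collections import Counter
from typing import Callable, Dict, Iterable

# Hypothetical registry: algorithm identifier -> MAC constructor.
# Stdlib HMAC variants stand in for the classical and post-quantum
# primitives a real centralised crypto service would expose.
MacFn = Callable[[bytes, bytes], bytes]
MAC_REGISTRY: Dict[str, MacFn] = {
    "hmac-sha256": lambda key, msg: hmac.new(key, msg, hashlib.sha256).digest(),
    "hmac-sha3-512": lambda key, msg: hmac.new(key, msg, hashlib.sha3_512).digest(),
}


class IntegrityService:
    """Single choke point for integrity protection; callers never pick algorithms."""

    def __init__(self, key: bytes, default_alg: str, allowed: Iterable[str] = MAC_REGISTRY):
        if default_alg not in MAC_REGISTRY:
            raise ValueError(f"unknown algorithm {default_alg!r}")
        self.key = key
        self.default_alg = default_alg          # policy decides, not the caller
        self.allowed = set(allowed)             # shrink this set to retire an algorithm

    @staticmethod
    def _bind(alg: str, payload: bytes) -> bytes:
        # Authenticate the algorithm label together with the payload so an
        # envelope cannot simply be relabelled to a different algorithm.
        return alg.encode() + b"\x00" + payload

    def protect(self, payload: bytes) -> dict:
        tag = MAC_REGISTRY[self.default_alg](self.key, self._bind(self.default_alg, payload))
        return {"alg": self.default_alg, "payload": payload.hex(), "tag": tag.hex()}

    def verify(self, envelope: dict) -> bool:
        alg = envelope.get("alg")
        if alg not in self.allowed or alg not in MAC_REGISTRY:
            return False                        # retired or unknown algorithm: fail closed
        payload = bytes.fromhex(envelope["payload"])
        expected = MAC_REGISTRY[alg](self.key, self._bind(alg, payload))
        return hmac.compare_digest(expected, bytes.fromhex(envelope["tag"]))


def algorithm_inventory(envelopes: Iterable[dict]) -> Dict[str, int]:
    """Count which algorithms protect stored data, the kind of view step 4 asks for."""
    return dict(Counter(e.get("alg", "unknown") for e in envelopes))
```

Changing `default_alg` migrates all newly protected data, while previously stored envelopes keep verifying until their algorithm is removed from `allowed`; the inventory function shows how the label also gives you a cheap view of which algorithms are in play.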
2. Know Your Data
Effective prioritisation of PQC-related change must be grounded in a clear understanding of your data landscape. This means knowing where your data resides, what its value and sensitivity are, how it flows through business systems and how long it needs to remain protected.
This step is particularly important because not all data carries the same quantum risk. As discussed in the context of Harvest Now, Decrypt Later, data whose confidentiality value declines rapidly over time presents a very different risk profile from data that remains sensitive for decades. Understanding this distinction is essential to avoiding both over-investment in low-risk areas and under-investment in high-risk ones.
For some organisations, this insight already exists within information governance frameworks, data classification policies and regulatory compliance documentation. For others, developing it will require structured conversations between technical and business stakeholders about what data matters most, where it sits and how it moves.
This step does not require new tooling or significant expenditure. It requires leadership attention, cross-functional collaboration and a willingness to ask fundamental questions about data that may not have been asked for some time. The output — a clear, prioritised view of data sensitivity and flow — becomes a critical input into every subsequent PQC decision.
3. Employ Recognised Frameworks for Application Portfolio Management
Most enterprises manage a substantial portfolio of applications, ranging from modern cloud-native services to legacy systems that have been in operation for years or even decades. Understanding how this portfolio will evolve is essential to planning a PQC transition that is both realistic and efficient.
Recognised frameworks such as the Gartner TIME Model provide a practical way to categorise applications based on their technical fitness and business value. Applications are assessed and categorised as tolerate, invest, migrate or eliminate. This categorisation directly informs PQC planning by identifying which systems should be upgraded to support quantum-resistant algorithms, which will be retired before PQC becomes critical, and which may require interim mitigation such as architectural wrappers.
By aligning PQC planning with application portfolio management, organisations avoid two common pitfalls. The first is investing in PQC upgrades for systems that are approaching retirement — a waste of budget and effort. The second is failing to plan for legacy systems that will remain in service but cannot be upgraded, leaving gaps in the transition roadmap.
This alignment also enables organisations to synchronise PQC-related changes with natural technology refresh cycles, reducing the incremental cost and disruption of the transition. The result is a more predictable, manageable investment profile that can be planned across multiple budget periods.
4. Understand Where Cryptography Is Used Across Your Organisation
Before you can plan a cryptographic transition, you need to understand what you are transitioning from. This means building visibility of where cryptography is used across your organisation, what algorithms are in play and which systems and processes depend on cryptographic services.
For many organisations, this visibility does not currently exist in any structured form. PKI environments have evolved organically, with different teams deploying certificates for different purposes across different parts of the estate. Cryptographic functions are embedded within applications, operating systems, network devices and cloud services, often without centralised documentation or oversight.
A practical starting point is to focus on externally facing systems and services — the interfaces most exposed to network-level interception and therefore most relevant to immediate quantum risk. Alternatively, or in parallel, organisations can map cryptographic touchpoints by describing a “day in the life” of key user personas and identifying where cryptography is involved in their interactions with systems, data and services.
These initial exercises do not require specialist tooling. They require structured thinking and cross-functional input. Their value extends beyond the technical output: they create a shared understanding across the organisation of how deeply cryptography is embedded in everyday operations, and they build the stakeholder engagement needed to support subsequent investment in automated discovery and inventory management tools.
Over time, as the organisation’s understanding deepens, these initial insights can be supplemented with automated scanning and discovery tools that provide a more comprehensive, continuously updated view of the cryptographic landscape. But the human-led analysis is a valuable and necessary starting point.
5. Ground Every Decision in Risk
This is perhaps the most important step of all, and it underpins each of the four that precede it. How an organisation chooses to adopt post-quantum cryptography must be grounded in a clear, shared understanding of risk — expressed in language that business leaders understand.
The risks and opportunities introduced by quantum computing represent one of the most significant technological shifts in generations. They are not purely technical risks that can be delegated to the security team and managed through operational processes. They are strategic risks that affect data protection, business continuity, regulatory compliance, competitive positioning and national security. As such, they must be visible and actively governed at the highest levels of the organisation.
For CISOs in particular, this risk lens must extend beyond external threats. It should also encompass the protection and management of sensitive cryptographic data that underpins the organisation’s PQC transition. Cryptographic inventories, discovery findings and migration roadmaps are all high-value assets that require appropriate classification and protection. Securing this information is essential not only to reduce exposure, but to ensure that PQC adoption decisions are informed, trustworthy and resilient.
Risk should also be the lens through which competing priorities are balanced. Not every system needs to be transitioned immediately. Not every data flow carries the same quantum risk. A risk-based approach enables organisations to prioritise investment where it matters most, sequence change in a way that is operationally manageable and demonstrate to boards and regulators that the transition is being governed with appropriate rigour.
Why These Steps Matter
These five steps are not a substitute for the technical work that will eventually be required to transition to quantum-resistant algorithms. But they are the foundation on which that technical work must be built. Without them, organisations risk committing budget to technology investments that are poorly targeted, insufficiently governed or misaligned with business priorities.
Crucially, none of these steps require major investment. They require leadership attention, governance discipline and cross-functional collaboration. They can be started immediately, progressed incrementally and scaled as the organisation’s understanding of its quantum risk matures.
The organisations that take these steps now will be significantly better positioned when the PQC transition accelerates — whether that acceleration is driven by regulatory deadlines, quantum computing breakthroughs or the natural momentum of the industry.
How Unsung Can Help
Unsung works with organisations at every stage of PQC readiness. Whether you are taking the first steps towards understanding your exposure, developing architecture governance frameworks that embed PQC considerations, or building the cryptographic visibility needed to prioritise your transition, we provide independent, vendor-neutral guidance that is proportionate to your risk profile and budget.
Our role is to help you make progress that is meaningful, well-governed and sustainable — not to create urgency or drive procurement. If your organisation is ready to start the PQC conversation, we would welcome the opportunity to discuss how these five steps apply to your specific context.
Want to explore this topic further?
This blog is part of a series drawn from our strategic whitepaper, Post-Quantum Cryptography: A Strategic Whitepaper for the C-Suite. It provides vendor-neutral, business-focused guidance on navigating the quantum era — covering the threats already in play, lessons from previous hype cycles, and practical steps your organisation can take today. Download your copy here: https://2f4v3l.share-eu1.hsforms.com/20qJjHSynQkuJKhI_xq9Msg