For years, people said serious AI was not coming. They were wrong, and most boards are now scrambling to catch up. There is a second wave already forming behind AI, and almost no one is treating it with the same urgency. Quantum computing is coming, and when it arrives, it will break much of the encryption that protects the modern world. The uncomfortable part is that you do not get to wait until it arrives to act. The threat is already here.

Here is what I am telling the boards I sit on.

The threat is not the quantum computer. It is the waiting.

A quantum computer powerful enough to break today's encryption does not exist yet. That fact lulls people into thinking this is a problem for later. It is not, and the reason has a name: harvest now, decrypt later.

An adversary does not need a quantum computer today to attack you today. They can capture your encrypted data now, store it, and simply wait. When a capable quantum machine exists, they decrypt everything they collected. So the question for your board is not "will we be exposed when quantum arrives." It is "what data are we sending and storing today that still needs to be secret in ten years." Anything that does is already at risk, right now, whether or not the machine exists yet.

Why this is a board issue, not an IT issue

It is tempting to file this under "the technology team will handle it." That is the same mistake boards made with AI, and with cybersecurity before it. Quantum risk is enterprise risk. It touches the confidentiality of everything the organization protects: customer records, financial data, trade secrets, legal files, health information, anything with a long shelf life.

A board does not need to understand the physics. It needs to ask whether the organization has looked at its own exposure and has a plan. This is a governance question about long-term risk, which is squarely the board's job. No director needs to know how a quantum computer works to ask whether the company is ready for one.

The good news: the fix already exists

This is not a warning without an answer. In August 2024, the U.S. National Institute of Standards and Technology finalized its first post-quantum encryption standards, new algorithms designed to withstand a quantum computer, and it stated plainly that they are ready for immediate use. NIST is urging organizations to begin transitioning as soon as possible. There is a small irony worth noting, given the network I help govern: NIST sits within the Department of Commerce.

So the tools to protect against this threat are already published and available. The work is not invention. It is migration, and migration takes time. Finding every system that relies on vulnerable encryption, prioritizing what matters most, and moving it to the new standards is a multi-year effort for a large organization. The companies that start now will finish calmly. The companies that wait will do it in a panic, or after a breach.

The questions I put to my boards

You do not need to be technical to govern this well. You need to ask four questions and refuse vague answers.

First, what data do we hold or transmit today that must remain confidential for the next decade or longer? That is our harvest-now-decrypt-later exposure.

Second, do we know where our most sensitive data depends on encryption that a quantum computer could break? You cannot protect what you have not mapped.

Third, do we have a migration plan to the new post-quantum standards, with priorities and a timeline? Not someday. On paper, with owners.

Fourth, who is accountable for this, and when will the board see progress? If the answer is silence, that is the finding.

The lesson of the last wave

We just watched an entire market get caught flat-footed by a technology many insisted would never mature. The boards that are now behind on AI are behind because they treated a foreseeable shift as a distant one. Quantum is the next foreseeable shift, and this time the warning is explicit and the fix is already standardized.

You design for the day the system fails, not the day it works. The threat to your encryption is not waiting for the quantum computer to be built. It is being set in motion by what leaves your organization today. The boards that understand that will act now, while it is a planning exercise. The ones that do not will meet quantum the same way too many met AI: late, and explaining why no one saw it coming.