2. Awareness
1. Are your board and C-suite aware of the quantum threat and its potential impact on your organization’s data, systems, and compliance obligations?
2. Has your organization discussed or simulated the impact of a cryptographic failure due to quantum computing on business continuity, compliance, and trust?
3. Has your organization conducted awareness sessions or workshops to educate employees on the risks posed by quantum computers and the need for PQC?
4. Do stakeholders understand the concept of Store-Now-Decrypt-Later attacks and how these already put long-lived sensitive data at risk?
5. Do stakeholders recognize that PQC migration is a multi-year effort (often 5+ years) and requires early planning to avoid rushed, risky transitions similar to past migrations (e.g., SHA-1 → SHA-256)?
6. Do you provide ongoing training and upskilling on PQC migration for technical teams, risk managers, and executives?
7. Do decision-makers understand the importance of crypto-agility (ability to switch algorithms quickly) in preparing for PQC and future migrations?
8. Do architects and developers receive regular cryptography training?
10. Are there training standards & processes to deprecate outdated encryption practices?
11. Are third-party vendors and SaaS providers evaluated for their cryptographic controls and PQC-readiness training?
12. Is cryptography reviewed as part of every new project or acquisition (Mergers & Acquisitions [M&A] due diligence)?